caret analysis of multithreaded programs
play

CARET analysis of multithreaded programs Huu-Vu Nguyen 1 , Tayssir - PowerPoint PPT Presentation

Mar 15, 2024 •174 likes •978 views

CARET analysis of multithreaded programs Huu-Vu Nguyen 1 , Tayssir Touili 2 1 University Paris Diderot and LIPN 2 LIPN, CNRS and University Paris 13 Motivation Malware detection is a big challenge. Existing Techniques (not robust)

  1. CARET analysis of multithreaded programs Huu-Vu Nguyen 1 , Tayssir Touili 2 1 University Paris Diderot and LIPN 2 LIPN, CNRS and University Paris 13

  2. Motivation Malware detection is a big challenge. Existing Techniques (not robust) Signature-matching based technique: can easily be overcome by obfuscation techniques Code emulation based techniques: limitation in execution time CARET analysis of multithreaded programs 2 / 42

  3. Motivation Malware detection is a big challenge. Existing Techniques (not robust) Signature-matching based technique: can easily be overcome by obfuscation techniques Code emulation based techniques: limitation in execution time Solution to have a robust technique Model-checking for malware detection allow us to analyse the behaviors (not the syntax) of the program without executing it CARET analysis of multithreaded programs 2 / 42

  4. Model-checking for Malware Detection CARET analysis of multithreaded programs 3 / 42

  5. Model-checking for Malware Detection CARET analysis of multithreaded programs 4 / 42

  6. Model-checking for Malware Detection CARET analysis of multithreaded programs 5 / 42

  7. Model-checking for Malware Detection CARET analysis of multithreaded programs 6 / 42

  8. Model-checking for Malware Detection CARET analysis of multithreaded programs 7 / 42

  9. Model-checking for Malware Detection CARET analysis of multithreaded programs 8 / 42

  10. Model-checking for Malware Detection CARET analysis of multithreaded programs 9 / 42

  11. Model-checking for Malware Detection CARET analysis of multithreaded programs 10 / 42

  12. Model-checking for Malware Detection CARET analysis of multithreaded programs 11 / 42

  13. Model-checking for Malware Detection CARET analysis of multithreaded programs 12 / 42

  14. Why Pushdown Systems? Stack of binary codes important for malware detection [Song and Touili 2012, 2013] Pushdown Systems (PDSs) natural model of sequential programs allow taking into account the procedure contexts and stack content in the model CARET analysis of multithreaded programs 13 / 42

  15. Why Pushdown Systems? Stack of binary codes important for malware detection [Song and Touili 2012, 2013] Pushdown Systems (PDSs) natural model of sequential programs allow taking into account the procedure contexts and stack content in the model PDSs for Binary Codes Control locations of PDSs correspond to program points Stack of PDSs correspond to stack of binary programs CARET analysis of multithreaded programs 13 / 42

  16. Model-checking for Malware Detection = ⇒ Problem: This can be applied only for sequential programs. However, several malware is concurrent. CARET analysis of multithreaded programs 14 / 42

  17. Concurrent Malware Example The email worm Bagle is a multithreaded malware: Main thread: register itself into the registry listing: to be started at the boot time Thread 2: listen on port 6777 to receive different commands; allow the attackers to upload new file, ... Thread 3: contacts a list of websites every 10 minutes: to announce the infection of the current machine Thread 4: is spawn to search on local drives to look for valid email addresses, ...then send itself to these found emails. CARET analysis of multithreaded programs 15 / 42

  18. Concurrent Malware Example The email worm Bagle is a multithreaded malware: Main thread: register itself into the registry listing: to be started at the boot time Thread 2: listen on port 6777 to receive different commands; allow the attackers to upload new file, ... Thread 3: contacts a list of websites every 10 minutes: to announce the infection of the current machine Thread 4: is spawn to search on local drives to look for valid email addresses, ...then send itself to these found emails. How instances of threads are spawn? Thread 1 dynamically spawn instances of Thread 2,3,4 depending on the needs The number of instances is not fixed, depending on specific executions Instances of threads can be spawn dynamically during executions CARET analysis of multithreaded programs 15 / 42

  19. Concurrent Malware Example The email worm Bagle is a multithreaded malware: Main thread: register itself into the registry listing: to be started at the boot time Thread 2: listen on port 6777 to receive different commands; allow the attackers to upload new file, ... Thread 3: contacts a list of websites every 10 minutes: to announce the infection of the current machine Thread 4: is spawn to search on local drives to look for valid email addresses, ...then send itself to these found emails. How instances of threads are spawn? Thread 1 dynamically spawn instances of Thread 2,3,4 depending on the needs The number of instances is not fixed, depending on specific executions Instances of threads can be spawn dynamically during executions = ⇒ Bagle is a multithreaded malware, with dynamic thread creation during its execution. How to model such a concurrent malware? CARET analysis of multithreaded programs 15 / 42

  20. How to model such concurrent malware? Ideas 1 PDS is a natural model for sequential malware. 2 = ⇒ networks of PDSs can model concurrent malware. 3 = ⇒ networks of PDSs with dynamic creation can model concurrent malware with dynamic creations. 4 = ⇒ Dynamic Pushdown Networks [Bouajjani, M¨ uller-Olm and Touili 2005] match our needs. CARET analysis of multithreaded programs 16 / 42

  21. How to model such concurrent malware? Ideas 1 PDS is a natural model for sequential malware. 2 = ⇒ networks of PDSs can model concurrent malware. 3 = ⇒ networks of PDSs with dynamic creation can model concurrent malware with dynamic creations. 4 = ⇒ Dynamic Pushdown Networks [Bouajjani, M¨ uller-Olm and Touili 2005] match our needs. Dynamic Pushdown Networks (DPNs) A DPN: a networks of Dynamic PDSs a Dynamic PDS: is a PDS with the ability to spawn new instances of PDSs during its runs CARET analysis of multithreaded programs 16 / 42

  22. Definition of PDSs A Pushdown System (PDS) P is a tuple ( P , Γ , ∆), where P is a finite set of control locations Γ is a finite set of stack alphabet ∆ is the set of transition rules of the following form: call ( r 1 ): p γ − − → p 1 γ 1 γ 2 ret ( r 2 ): p γ − → p 1 ǫ int ( r 3 ): p γ − → p 1 ω where p , p 1 ∈ P , γ, γ 1 , γ 2 ∈ Γ, ω ∈ Γ ∗ CARET analysis of multithreaded programs 17 / 42

  23. Definition of PDSs A Pushdown System (PDS) P is a tuple ( P , Γ , ∆), where P is a finite set of control locations Γ is a finite set of stack alphabet ∆ is the set of transition rules of the following form: call ( r 1 ): p γ − − → p 1 γ 1 γ 2 ret ( r 2 ): p γ − → p 1 ǫ int ( r 3 ): p γ − → p 1 ω where p , p 1 ∈ P , γ, γ 1 , γ 2 ∈ Γ, ω ∈ Γ ∗ call A rule of the form p γ − − → p 1 γ 1 γ 2 corresponds to a call statement call proc usually models a statement of the form γ − − − − − → γ 2 γ is the control point of the program where the function call is made, γ 1 is the entry point of the called procedure and γ 2 is the return point of the call. CARET analysis of multithreaded programs 17 / 42

  24. Definition of PDSs A Pushdown System (PDS) P is a tuple ( P , Γ , ∆), where P is a finite set of control locations Γ is a finite set of stack alphabet ∆ is the set of transition rules of the following form: call ( r 1 ): p γ − − → p 1 γ 1 γ 2 ret ( r 2 ): p γ − → p 1 ǫ int ( r 3 ): p γ − → p 1 ω where p , p 1 ∈ P , γ, γ 1 , γ 2 ∈ Γ, ω ∈ Γ ∗ call A rule of the form p γ − − → p 1 γ 1 γ 2 corresponds to a call statement call proc usually models a statement of the form γ − − − − − → γ 2 γ is the control point of the program where the function call is made, γ 1 is the entry point of the called procedure and γ 2 is the return point of the call. A configuration: p ω where p ∈ P is the current control location, ω ∈ Γ ∗ is the current stack content. CARET analysis of multithreaded programs 17 / 42

  25. Definition of DPNs A Dynamic Pushdown Network (DPN) M is a set {P 1 , ..., P n } s.t. for every 1 ≤ i ≤ n , P i = ( P i , Γ i , ∆ i ) is a Dynamic Pushdown System (DPDS) ( NonSpawn )( r 1 ) p γ call − − → i p 1 γ 1 γ 2 ( NonSpawn )( r 2 ) p γ ret − → i p 1 ǫ ( NonSpawn )( r 3 ) p γ int − → i p 1 ω 1 CARET analysis of multithreaded programs 18 / 42

  26. Definition of DPNs A Dynamic Pushdown Network (DPN) M is a set {P 1 , ..., P n } s.t. for every 1 ≤ i ≤ n , P i = ( P i , Γ i , ∆ i ) is a Dynamic Pushdown System 1 ≤ j ≤ n P j × Γ ∗ (DPDS) where p s ω s ∈ � j ( NonSpawn )( r 1 ) p γ call − − → i p 1 γ 1 γ 2 ( NonSpawn )( r 2 ) p γ ret − → i p 1 ǫ ( NonSpawn )( r 3 ) p γ int − → i p 1 ω 1 ( Spawn ) ( r 4 ) p γ call − − → i p 1 γ 1 γ 2 ⊲ p s ω s ( Spawn ) ( r 5 ) p γ ret − → i p 1 ǫ ⊲ p s ω s ( Spawn ) ( r 6 ) p γ int − → i p 1 ω 1 ⊲ p s ω s CARET analysis of multithreaded programs 18 / 42

  27. Model-checking for Malware Detection CARET analysis of multithreaded programs 19 / 42

  28. Specification Formalisms for Malware Behaviors Recent works: extensions of LTL, CTL were used as specifications CTPL [Kinder, Katzenbeisser,Schallhart and Veith 2005] SLTPL, SCTPL [Song and Touili 2012, 2013] However, these are not expressive enough for malicious behaviors CARET analysis of multithreaded programs 20 / 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPA: Error Propagation Analysis of Multithreaded Programs Using Likely Invariants Abraham Chan*,

IPA: Error Propagation Analysis of Multithreaded Programs Using Likely Invariants Abraham Chan*,

IPA: Error Propagation Analysis of Multithreaded Programs Using Likely Invariants Abraham Chan*, Stefan Winter , Habib Saissi , Karthik Pattabiraman*, Neeraj Suri * The University of British Columbia Technische Universitt

944 views • 22 slides
Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem

Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem How to automatically test the local state reachability in multithreaded programs E.g., find assertion violations,

484 views • 23 slides
Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded

Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded

Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded embedded critical C programs Antoine Min e CNRS & Ecole normale sup erieure Paris, France MOVEP CIRM, Marseille 4 December 2012

1.26k views • 90 slides
PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . Pnar Su

PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . Pnar Su

PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . Pnar Su Highlights 2nd brand that comes to 363 PC, 168 PET dealers HACCP Food Security mind in PET and PC Management System Call Center

793 views • 20 slides
PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . 2011 H1

PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . 2011 H1

PINAR SU SANAY VE T CARET A. . PINAR SU SANAY VE T CARET A. . 2011 H1 Investor Presentation Pnar Su Highlights 2nd brand that comes to 366 PC, 167 PET dealers HACCP Food Security mind in PET and PC

688 views • 24 slides
SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded programs Kernel vs. user-mode threads Concurrencys problems Recall: Why Processes & Threads? Go Goals ls: Mu Multiprogramming

549 views • 39 slides
An Introduction to caret Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Nonclinical

An Introduction to caret Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Nonclinical

An Introduction to caret Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Nonclinical Statistics Groton, CT April 8, 2008 The caret Package The caret package, short for Classification And REgression Training, contains numerous tools for

1.1k views • 24 slides
Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic Cl ement Hurlin INRIA Sophia Antipolis M editerran ee, France Universiteit Twente, The Netherlands Soutenance de th` ese Th` ese

1.68k views • 130 slides
PINAR SU SANAY VE T CARET A. PINAR SU SANAY VE T CARET A. History 2002 1997

PINAR SU SANAY VE T CARET A. PINAR SU SANAY VE T CARET A. History 2002 1997

PINAR SU SANAY VE T CARET A. PINAR SU SANAY VE T CARET A. History 2002 1997 1985-86 2003 1984 P nar Madran water The first Madran water in plastic P nar a al in Marmara Water Inc. packed in demijohns Potable

379 views • 20 slides
Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko (firstname.lastname@aalto.fi) Department of Computer Science and Engineering, Aalto University & Helsinki Institute for

522 views • 41 slides
Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to help eliminate data races Threads must use mutex locks Finds bugs during dynamic executions Checks shared variables on heap or global vars

275 views • 6 slides
Analysis of Multithreaded Algorithms Marc Moreno Maza University of Western Ontario, London,

Analysis of Multithreaded Algorithms Marc Moreno Maza University of Western Ontario, London,

Analysis of Multithreaded Algorithms Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS4402-9535 (Moreno Maza) Analysis of Multithreaded Algorithms CS4402-9535 1 / 47 Plan Review of Complexity Notions 1

794 views • 47 slides
CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded Software Pavel Andrianov, andrianov@ispras.ru Motivation Linux module drivers/net/irda/w83977af_ir.ko: 10 000 LOC static void

598 views • 25 slides
About the caret Package Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Research Statistics

About the caret Package Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Research Statistics

About the caret Package Max Kuhn max.kuhn@pfizer.com Pfizer Global R & D Research Statistics Groton, CT The Package caret is short for c lassification a nd re gression t raining It is not on CRAN yet, but it will be this year It is a

254 views • 8 slides
Does Cache Sharing on Modern CMP Matter to the Performance of Contemporary Multithreaded

Does Cache Sharing on Modern CMP Matter to the Performance of Contemporary Multithreaded

Does Cache Sharing on Modern CMP Matter to the Performance of Contemporary Multithreaded Programs? Eddy Zheng Zhang Yunlian Jiang Xipeng Shen (presenter) Computer Science Department The College of William and Mary, VA, USA Cache Sharing

909 views • 44 slides
Multithreaded Algorithms Architecture Evolution Weve come a long way since we blamed Von

Multithreaded Algorithms Architecture Evolution Weve come a long way since we blamed Von

Multithreaded Algorithms Architecture Evolution Weve come a long way since we blamed Von Neumann for putting that bottleneck in our computers Memory contains data and programs Computer fetches the instructions sequentially from memory and

500 views • 17 slides
On some fixed point statements in KP Silvia Steila joint work with Gerhard J ager Universit

On some fixed point statements in KP Silvia Steila joint work with Gerhard J ager Universit

On some fixed point statements in KP Silvia Steila joint work with Gerhard J ager Universit at Bern Applied Proof Theory and the Computational Content of Mathematics OMG - DMV 2017, Salzburg September 14, 2017 Tarski Knasters

546 views • 20 slides
Systems Programming & Beyond using C++ and D C++ Andrei Alexandrescu andrei@erdani.com

Systems Programming & Beyond using C++ and D C++ Andrei Alexandrescu andrei@erdani.com

Systems Programming & Beyond using C++ and D C++ Andrei Alexandrescu andrei@erdani.com Prepared for LASER Summer School 2012 1 / 59 2012 Andrei Alexandrescu. c Prolegomena Assumption: You are intelligent and talented

945 views • 63 slides
1 What is a Theorem Prover? What is a Theorem? Theorem: A formalizable statement which is

1 What is a Theorem Prover? What is a Theorem? Theorem: A formalizable statement which is

Prerequisites Course 2D1453, 2006-07 Undergraduate logic and discrete maths CS literacy Advanced Formal Methods Some functional programming experience useful The theorem prover Isabelle is programming in SML Some SML

644 views • 4 slides
HOL Ligh t: A T utorial In tro duction 1 HOL Ligh t: A T utorial In tro duction

HOL Ligh t: A T utorial In tro duction 1 HOL Ligh t: A T utorial In tro duction

HOL Ligh t: A T utorial In tro duction 1 HOL Ligh t: A T utorial In tro duction John Harrison Univ ersit y of Cam bridge ( Ab o Ak ademi Univ ersit y) History and ev olution Quic k rundo wn

499 views • 20 slides
A Business Process Metric Based on the Alpha Algorithm Relations Fabio Aiolli, Andrea Burattin,

A Business Process Metric Based on the Alpha Algorithm Relations Fabio Aiolli, Andrea Burattin,

A Business Process Metric Based on the Alpha Algorithm Relations Fabio Aiolli, Andrea Burattin, and Alessandro Sperduti Department of Pure and Applied Mathematics University of Padua, Italy August 29th, 2011 Introduction Typical situation

695 views • 33 slides
Some Families of Directed Strongly Regular Graphs Obtained from Certain Finite Incidence

Some Families of Directed Strongly Regular Graphs Obtained from Certain Finite Incidence

Directed strongly regular graphs(DSRG) Combinatorial Designs Construction of Directed Strongly Regular Graphs References Some Families of Directed Strongly Regular Graphs Obtained from Certain Finite Incidence Structures Oktay Olmez

645 views • 37 slides
INTEGRATING ECO-LABELS & ENVIRONMENTAL PRODUCT STANDARDS INTO PUBLIC PROCUREMENT

INTEGRATING ECO-LABELS & ENVIRONMENTAL PRODUCT STANDARDS INTO PUBLIC PROCUREMENT

1 INTEGRATING ECO-LABELS & ENVIRONMENTAL PRODUCT STANDARDS INTO PUBLIC PROCUREMENT SOLICITATIONS Experiences from the City of Portland, Oregon May 20, 2014 Stacey Foreman, LEED AP O+M , Sustainable Procurement Coordinator, Procurement

514 views • 13 slides
projet prioritizing applying Visual PROMETHEE Case study from Nepal Rana Pratap Singh BOKU,

projet prioritizing applying Visual PROMETHEE Case study from Nepal Rana Pratap Singh BOKU,

Developing hydro power decision aid on projet prioritizing applying Visual PROMETHEE Case study from Nepal Rana Pratap Singh BOKU, Vienna Organization of the Presentation: Introduction Country context Objective of the research

598 views • 21 slides

More recommend