dynamic binary instrumentation based framework for
play

Dynamic Binary Instrumentation-based Framework for Malware Defense - PowerPoint PPT Presentation

Aug 17, 2023 •152 likes •410 views

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

  1. Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj † , Anand Raghunathan ‡ , and Niraj K. Jha † † Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA ‡ NEC Labs America, Princeton, NJ 08540, USA

  2. Outline  Motivation  Proposed framework  Framework details  Testing environment  Real environment  Experimental evaluation  Related work Princeton University DIMVA 08 presentation

  3. Motivation  Malware defense is a primary concern in information security  Steady increase in the prevalence and diversity of malware  Escalating financial, time, and productivity losses  Minor enhancements to current approaches are unlikely to succeed  Increasing sophistication in techniques used by virus writers  Emergence of zero-day and zero-hour attacks  Recent advances in virtualization allows the implementation of isolated environments Princeton University DIMVA 08 presentation

  4. Motivation (Contd.)  Advances in analysis techniques such as dynamic binary instrumentation (DBI)  DBI injects instrumentation code that executes as part of a normal instruction stream  Instrumentation code allows the observation of an application’s behavior  “Rather than considering what may occur, DBI has the benefit of operating on what actually does occur” Ability to test untrusted code in an isolated environment without corrupting a “live” environment, under DBI Princeton University DIMVA 08 presentation

  5. Outline  Motivation  Proposed framework  Framework details  Testing environment  Real environment  Experimental evaluation  Related work Princeton University DIMVA 08 presentation

  6. Proposed Framework  Execute an untrusted program in a Testing environment  Use DBI to collect specific information  Build execution traces in the form of a hybrid model: dynamic control and data flow in terms of regular expressions, R k ’s, and data invariants  R k ’s alphabet: ∑ = { BB 1 , …, BB n }, where BB j captures data relevant to detecting malicious behavior  Subject R U , a recursive union of generated R k ’s, to post - execution security policies  Based on policy application results, data invariants, and program properties, derive monitoring model M  Move M into a Real (real-user) environment, and use it as a monitoring model, along with a continuous learning process Princeton University DIMVA 08 presentation

  7. Princeton University DIMVA 08 presentation

  8. Outline  Motivation  Proposed framework  Framework details  Testing environment  Real environment  Experimental evaluation  Related work Princeton University DIMVA 08 presentation

  9. Execution Traces and Regular Expressions  Execution trace generation  Step built on top of DBI tool Pin  Control and data information generated to check against security policies  Regular expression generation  Each execution trace transformed into regular expression, R k  R k ’s alphabet: ∑ = { BB 1 , …, BB n }  BB j is a one-to-one mapping to a basic block in the execution trace  BB j contains data components, d i ’s, if instruction I i in basic block executes action A i  d i ’s can reveal malicious behavior when they assume specific values Princeton University DIMVA 08 presentation

  10. Execution Trace Union  Completeness of testing procedure depends on number of exposed paths  Each application tested under multiple automatically- and manually-generated user inputs  Recursive union of R k ’s performed in order to generate R U Princeton University DIMVA 08 presentation

  11. Generation of Data Invariants  Data invariants  Refer to properties assumed by the d i ’s in each BB j  Invariant categories:  Acceptable or unacceptable constant values  Acceptable or unacceptable range limits  Acceptable or unacceptable value sets  Acceptable or unacceptable functional invariants  Data fields, d i ’s, over which invariants are defined:  Arguments of system calls that involve the modification of a system file or directory  Arguments of the “ exec ” function or any variant thereof  Arguments of symbolic and hard links  Size and address range of memory access Princeton University DIMVA 08 presentation

  12. Generation of Data Invariants (Contd.)  Updating data invariants:  Single or multiple invariant types for all d i ’s in each BB j  Observe value of all d i ’s in each execution trace  Start with strictest invariant form (invariant of constant type)  Progressively relax stored invariants for each d i Princeton University DIMVA 08 presentation

  13. Security Policies and Malicious Behavior Detection  Security policy, P i :  P i specifies fundamental traits of malicious behaviors  Each P i is a translation of a high-level language specification of a series of events  If events are executed in a specific sequence, they outline a security violation  Malicious behaviors detected by performing R U ∑( P i )  Example of P i A malicious modification of an executable, detected post- execution, implies a security violation Princeton University DIMVA 08 presentation

  14. Security Policies and Malicious Behavior Detection (Contd.)  Malicious modifications include: 1. File appending, pre-pending, overwriting with virus content 2. Overwriting executable cavity blocks ( e.g., CC-00-99 blocks) 3. Code regeneration and integration of virus within executable 4. Executable modifications to incorrect header sizes 5. Executable modifications to multiple headers 6. Executable modifications to headers incompatible with their respective sections 7. Modifications of control transfer to point to malicious code 8. Modifications of function entry points to point to malicious code (API hooking) 9. Executable entry point obfuscations 10. Modifications of Thread Local Storage (TLS) table 11. Modifications to /proc/pid/exe Princeton University DIMVA 08 presentation

  15. Behavioral Model Generation  Generation of behavioral model, M  M is composed of a reduced set of BB i blocks  M embeds permissible or non-permissible real-time behavior  Program execution run-time monitored against M  Blocks included in M  Anomaly-initiating ( AI ) blocks  Anomaly-dependent ( AD ) blocks  Anomaly-concluding ( AC ) blocks  Conditional blocks  Data invariants and flags are added to each block in M to instruct an inline monitor what to do at run-time Princeton University DIMVA 08 presentation

  16. Example: Deriving M R k P i M AI block Matching blocks BB 1 b 1 BB 1 1. Block address 2. Data invariants BB i Conditional block Conditional block 1. Block address BB i 2. Condition exit point b 2 Matching blocks 3. Successor blocks BB k BB AD block BB 1. Block address BB k’ BB ’ 2. Data invariants AC block BB l b 3 BB l Matching blocks 1. Block address 2. Data invariants Princeton University DIMVA 08 presentation

  17. Outline  Motivation  Proposed framework  Framework details  Testing environment  Real environment  Experimental evaluation  Related work Princeton University DIMVA 08 presentation

  18. Framework Details: Real Environment  Run-time monitoring and on-line prevention of malicious code  Composed of two parts:  Check instrumented basic blocks against blocks in behavioral model M  Check observed data flow against invariants and flags embedded in M ’s blocks  Apply conservative security policies on executed paths not observed in the Testing environment Princeton University DIMVA 08 presentation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects instrumentation code into a binary to

773 views • 46 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable using Fast and Scalable Dynamic Binary Translation Dynamic Binary Translation Emilio G. Cota Columbia University Luca P. Carloni VEE'19 April 14,

1.05k views • 45 slides
State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is dynamic instrumentation? Applications of dynamic instrumentation How does it work? Simulating different states and transitions

1.25k views • 21 slides
Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke Martin Schulz Chair of Computer Architecture and Parallel Systems TUM Department of Informatics Technical University of Munich VEE 2020, virtual

396 views • 25 slides
InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse Arjan Seesing and Alessandro Orso Georgia Institute of Technology This work was supported in part by an IBM Eclipse Innovation Grant.

859 views • 24 slides
VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation infrastructure? instrumentation infrastructure? Julian Seward, jseward@acm.org 4 February 2017. FOSDEM. Brussels. Overview How it works (roughly)

581 views • 17 slides
Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella Azzopardi Kevin Vella Adrian Muscat University of Malta Outline Introduction 1. CSP-Library 2. Configuration Language 3. CSP-based

354 views • 20 slides
Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric Tessier Introduction to Instrumentation 34c3 - Implementing an LLVM based DBI framework 2 What is Instrumentation? Transformation of a program

769 views • 65 slides
Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1 OUTLINE INTRODUCTION to dynamic instrumentation Trap instruction INstruction punning technique Proposed compiler-assisted technique

662 views • 31 slides
An Evolutionary based Dynamic A E l ti b d D i Energy Management Framework for Energy

An Evolutionary based Dynamic A E l ti b d D i Energy Management Framework for Energy

An Evolutionary based Dynamic A E l ti b d D i Energy Management Framework for Energy Management Framework for IP-over-DWDM Core Networks Xin Chen, Chris Phillips School of Electronic Engineering & C Computer Science t S i O tli

717 views • 34 slides
Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to collect runtime information Instrumentation approaches: Source instrumentation: Instrument source programs Binary instrumentation :

626 views • 40 slides
Configurable and Efficient Memory Access Tracing via Selective Expression-based x86 Binary

Configurable and Efficient Memory Access Tracing via Selective Expression-based x86 Binary

Simone Economo, Davide Cingolani, Alessandro Pellegrini and Francesco Quaglia DIAG - Sapienza University of Rome Configurable and Efficient Memory Access Tracing via Selective Expression-based x86 Binary Instrumentation

729 views • 46 slides
Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri

Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri

Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri Jeanine Cook Jonathan Cook New Mexico State University SECSE 2013 @ ICSE 2013 May 18, 2013 SSCA2 (GraphAnalysis.org) double findSubGraphs(graph*

531 views • 19 slides
A Dynamic Programming-based MCMC Framework for Solving DCOPs with GPUs Ferdinando Fioretto 1(2)

A Dynamic Programming-based MCMC Framework for Solving DCOPs with GPUs Ferdinando Fioretto 1(2)

A Dynamic Programming-based MCMC Framework for Solving DCOPs with GPUs Ferdinando Fioretto 1(2) (joint work with) William Yeoh 2 and Enrico Pontelli 2 1 University of Michigan 2 New Mexico State University CP 2016, Toulouse Introduction GPUs

796 views • 27 slides
An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in

An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in

1 An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in Distributed Applications By Emre Ates 1 , Lily Sturmann 2 , Mert Toslali 1 , Orran Krieger 1 , Richard Megginson 2 , Ayse K. Coskun 1 , and Raja

404 views • 38 slides
simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG

simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG

simplify. the. dream. AND. execute. a panel & workshop discussion on how to simplify BIG dreams into actionable steps and executable goals that win! SCOPE Four dynamic women in the digital and content creation space come together to share

387 views • 15 slides
CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/

CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/

CALCULIX LAUNCHER VERSION 0.32 http://calculix.de/ http://calculixforwin.blogspot.com/ http://www.calculixforwin.com/ Table of Contents Installation

391 views • 19 slides
and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims

and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims

Collaborative Events and Shared Artefacts Agile Interaction Designers and Developers Working Toward Common Aims Judith Brown Gitte Lindgaard, Robert Biddle Department of Psychology and School of Computer Science, Carleton University, Canada

541 views • 35 slides
Clinical Decision Support Consortium: Technical Expert Panel Meeting July 11, 2008 8:00 am to

Clinical Decision Support Consortium: Technical Expert Panel Meeting July 11, 2008 8:00 am to

Clinical Decision Support Consortium: Technical Expert Panel Meeting July 11, 2008 8:00 am to 3:00 pm AHRQ Office, Rockville, Maryland Background and Goals Background : Clinical decision support has been applied to increase quality

505 views • 22 slides
Machine Detectable Network Behavioural Commonalities for Exploits & Malware University of

Machine Detectable Network Behavioural Commonalities for Exploits & Malware University of

Machine Detectable Network Behavioural Commonalities for Exploits & Malware University of Amsterdam Alexandros Stavroulakis MSc System & Network Engineering Research Project II What is this about? Automatic generation of malicious

248 views • 22 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect

CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect

CYBER SECURITY PART 1 Keeping you safe in an electronic age David Gibb, Cyber Protect Officer, Essex Police Barry Linton, Thorpe Bay U3A Thorpe Bay U3A Criminal insight - why commit cybercrime? Scale Nationally 1.6 million cyber

429 views • 25 slides
st t t

st t t

st tts trt Prtt strt tt tt ts ts

1.47k views • 125 slides

More recommend