embracing the new threat towards automatically self
play

Embracing the new threat: towards automatically, self-diversifying - PowerPoint PPT Presentation

May 12, 2023 •271 likes •555 views

Embracing the new threat: towards automatically, self-diversifying malware Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley and (soon) Purdue University Image (c) http://ucrtoday.ucr.edu/9768/assassin-bugs Malware landscape is

  1. Embracing the new threat: towards automatically, self-diversifying malware Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley and (soon) Purdue University Image (c) http://ucrtoday.ucr.edu/9768/assassin-bugs

  2. Malware landscape is changing Image (c) Wikimedia

  3. The ongoing malware arms race Generate new malware instance Signatures Attack a bunch updated of targets Malware AV vendor analysis gets first sample

  4. Defense limitations ● Newly diversified samples are not detected – Basically a “new” attack ● New malware spreads fast – Time lag between analysis and updated signatures ● Can we automate this process?

  5. Fully automatic diversity ? *.cpp Compiler Malware Malware Malware

  6. Outline State of the art: Malware detection A new threat: Malware diversification Possible mitigation: Better security practices

  7. State of the art: Malware detection Image (c) Wikimedia

  8. Malware detection is limited ● Performance – Don't slow down a user's machine (too much) ● Precision – Behavioral, generic matching ● Latency – Time lag between spread and protection

  9. Detection mechanisms Image (c) Wikimedia

  10. Signature-based detection ● Compare against database of known-bad – Extract pattern – Match sequence of bytes or regular expression ● Advantages – Fast – Low false positive rate ● Disadvantages – Precision limited to known-bad samples

  11. Static analysis-based detection ● Search potentially bad patterns – API calls – System calls ● Advantages – Low overhead ● Disadvantages – False positives – Based on well-known heuristics

  12. Behavioral-based detection ● Execute “file” in a virtual machine – Detect modifications ● Advantages – Most precise ● Disadvantages – High overhead – Precision limited due to emulation detection

  13. Summary: Malware protection ● Arms race due to manual diversification – Signature-based techniques loose effectiveness ● Cope with limited resources – On the target machine, for the analysis, and to push new signatures/heuristics ● No perfect solution – Either false positives and/or negatives or huge performance impact

  14. New threat: Malware diversification Image (c) Wikimedia

  15. Software diversification ? *.cpp Compiler Program Program Program

  16. C/C++ liberties ● Data layout changes – Data structure layout on stack – Layout for heap objects (limited for structs) ● Code changes – Register allocation (shuffle or starve) – Instruction selection – Basic block splitting, merging, shuffling

  17. Malware diversification ● Generate unique binaries – Minimize common substrings (code or data) – Performance overhead not an issue ● Diversify code and data layout ● Diversify static data as well

  18. Implementation ● Prototype built on LLVM 3.4 – Small changes in code generator, code layouter, register allocator, stack frame layouter, some data obfuscation passes ● Input: LLVM bitcode ● Output: diversified binary ● Source: http://github.com/gannimo/MalDiv

  19. Similarity limitations Common subsequences in diversified binaries 1000000 400.perlbench 401.bzip2 429.mcf 100000 433.milc Number of subsequences (log scale) 444.namd 445.gobmk 10000 450.soplex 453.povray 456.hmmer 1000 458.sjeng 462.libquantum 464.h264ref 100 470.lbm 471.omnetpp 473.astar 10 482.sphinx perlbench vs. bzip2 perlbench vs. gobmk 1 soplex vs. omnetpp 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48 50 52 54 56 nmap 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 simple port scanner Lenght of subsequence

  20. Demo ● Simple hello world – Let's see how far we can push this! #include <stdio.h, string.h> const char foo[] = "foobar"; char bar[7]; int main(int argc, char* argv[]) { strcpy(bar, "barfoo"); printf("Hello World %s %s\n", foo, bar); printf("Arguments: %d, executable: %s\n", argc, argv[0]); return 0; }

  21. Scenario 1: malware generator ? *.cpp Compiler Malware Malware Malware

  22. Scenario 2: self-diversifying MW Malware Malware* Malware* Malware* LLVM Opt LLVM Opt* LLVM Opt* LLVM Opt* Malware bc Malware bc* Malware bc* Malware bc* LLVM bc LLVM bc* LLVM bc* LLVM bc*

  23. Possible mitigation: Better security practices Image (c) Wikimedia

  24. Mitigation ● Recover high-level semantics from code – Hard (and results in an arms race) ● Full behavioral analysis – Harder ● Prohibit initial intrusion – Fix broken software & educate users – Hardest

  25. Conclusion Image (c) Wikimedia

  26. Conclusion ● Diversity evades malware detection – Fully automatic, built into compiler – No need for packers anymore ● Adopts to new similarity metrics ● New arms race between defenders and compiler writers ● Don't rely on simple, static similarity!

  27. Questions? Mathias Payer <mathias.payer@nebelwelt.net> Project: https://github.com/gannimo/MalDiv Homepage: https://nebelwelt.net

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
EMBRACING INNOVATION EMBRACING INNOVATION HOW DO WE UNDERSTAND, ACCEPT, PREPARE FOR AND EMBRACE

EMBRACING INNOVATION EMBRACING INNOVATION HOW DO WE UNDERSTAND, ACCEPT, PREPARE FOR AND EMBRACE

EMBRACING INNOVATION EMBRACING INNOVATION HOW DO WE UNDERSTAND, ACCEPT, PREPARE FOR AND EMBRACE - INNOVATION Wealth-management services require &quot;educated, credentialed, experienced advisors ,,,,,,, I don't see their &quot;Neither RedBox

393 views • 12 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS &amp; Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come from? Why Cloud? Cloud for small, medium, enterprise, and government Barriers to adoption Embracing Cloud Social Mobile Cloud

972 views • 45 slides
Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be

Active Threat on Campus Prevention &amp; Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
UC TCA and Embracing Change Nancy Purcille, UCOP Jennifer Forsberg, UCOP Katherine

UC TCA and Embracing Change Nancy Purcille, UCOP Jennifer Forsberg, UCOP Katherine

UC TCA and Embracing Change Nancy Purcille, UCOP Jennifer Forsberg, UCOP Katherine Fitzpatrick, UCOP California Intersegmental Articulation Council Conference Thursday, April 4, 2019 4/4/2019 1 Embracing Change Embracing change in 2019

376 views • 14 slides
Light: Embracing emerging technologies Dr Scott Hollier UWA 2018 Technology for everyone

Light: Embracing emerging technologies Dr Scott Hollier UWA 2018 Technology for everyone

The Seeing without Light: Embracing emerging technologies Dr Scott Hollier UWA 2018 Technology for everyone Embracing life as a person with a disability Supportive family, friends and mentors Education Perseverance with

785 views • 35 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force Los Angeles RWQCB Presentation September 15, 2011 Prologue Low-Threat Policy: An Evolutionary Process STATE WATER RESOURCES CONTROL BOARD

528 views • 31 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3 Denial of Service Attack (DoS) 4 THREAT CATEGORY THREAT ACTION TYPE Malware/Badware Send data to the external entity/site, Trapdoor/Backdoor Entry,

719 views • 23 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR 2010 Introduction Cause Current threat around IEDs is continuously changing Little known about possible future threat Goal List

210 views • 16 slides
and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy

and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy

Harmful Algal Blooms, Agricultural Initiatives, and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy (Fisheries, Recreation, Tourism etc.) Sources: both Urban &amp; Rural Whats Agricultures

520 views • 24 slides
: WHY INTENTION DOES NOT LEAD TO RECYCLING BEHAVIOR FOR MILLENNIALS Master Thesis 29 June 2017

: WHY INTENTION DOES NOT LEAD TO RECYCLING BEHAVIOR FOR MILLENNIALS Master Thesis 29 June 2017

: WHY INTENTION DOES NOT LEAD TO RECYCLING BEHAVIOR FOR MILLENNIALS Master Thesis 29 June 2017 A CHANGING WORLD Climate change Extreme weather events Increasing levels of waste A changing generation A SOLUTION

347 views • 17 slides
AutoTM: Automatic Tensor Movement in Heterogeneous Memory Systems using Integer Linear Programming

AutoTM: Automatic Tensor Movement in Heterogeneous Memory Systems using Integer Linear Programming

AutoTM: Automatic Tensor Movement in Heterogeneous Memory Systems using Integer Linear Programming Mark Hildebrand 1 , Jawad Khan 2 , Sanjeev Trika 2 , Jason Lowe-Power 1 , Venkatesh Akella 1 1 University of California, Davis 2 Intel Corporation

523 views • 51 slides
CBSM? A Sustainability Gamechanger Michelle Vigen U of M Regional Sustainable Development

CBSM? A Sustainability Gamechanger Michelle Vigen U of M Regional Sustainable Development

CBSM? A Sustainability Gamechanger Michelle Vigen U of M Regional Sustainable Development Partnerships Clean Energy Resource Teams (CERTs) and the Bush Foundation U of M Extension 2011 Fall Conference Lighting Talk Changing to preserve

738 views • 20 slides
Behavioral Economics: Lessons from Retirement Research for Health Care and Beyond A Presentation

Behavioral Economics: Lessons from Retirement Research for Health Care and Beyond A Presentation

Behavioral Economics: Lessons from Retirement Research for Health Care and Beyond A Presentation by CBO Director Peter Orszag to the Retirement Research Consortium August 7, 2008 Its a great pleasure for me to be with you at the Retirement

1.38k views • 14 slides
ICA ICAO HQ O HQ PRESENT PRESENTATION TION TO O THE THE AP APANPIR ANPIRG/26 G/26 Saulo

ICA ICAO HQ O HQ PRESENT PRESENTATION TION TO O THE THE AP APANPIR ANPIRG/26 G/26 Saulo

ICA ICAO HQ O HQ PRESENT PRESENTATION TION TO O THE THE AP APANPIR ANPIRG/26 G/26 Saulo da Silva Chief, Air Navigation Implementation Planning and Support Section APANPIRG/26, Bangkok, Thailand 7-11 September 2015 Objectiv

588 views • 30 slides
ABA Provider Workshop Confidential and Proprietary Information 1 Confidential and Proprietary

ABA Provider Workshop Confidential and Proprietary Information 1 Confidential and Proprietary

ABA Provider Workshop Confidential and Proprietary Information 1 Confidential and Proprietary Information Presentation Outline SilverSummit Healthplan Overview Provider Manual Website and Secure Portal Tools Provider Support

353 views • 33 slides
What School Psychologists need to know about Functional Behavior Assessment and Behavior

What School Psychologists need to know about Functional Behavior Assessment and Behavior

What School Psychologists need to know about Functional Behavior Assessment and Behavior Intervention Planning Maryann Trott, MA, BCBA New Mexico Association for School Psychologists November 12, 2015 Objectives Participants will:

526 views • 50 slides
2019 Annual Passenger Count Citizens Advisory Committee (CAC) June 19 th , 2019 Agenda Item #8

2019 Annual Passenger Count Citizens Advisory Committee (CAC) June 19 th , 2019 Agenda Item #8

2019 Annual Passenger Count Citizens Advisory Committee (CAC) June 19 th , 2019 Agenda Item #8 OVERVIEW 1. Purpose of Annual Count 2. Count Methodology 3. 2019 Challenges 4. 2019 Count Results 5. Summary 6. Next Steps 2 ANNUAL PASSENGER

666 views • 28 slides

More recommend