what role for static analysis in malware detection
play

What role for static analysis in malware detection? Laurence Tratt - PowerPoint PPT Presentation

Jul 15, 2023 •753 likes •1.3k views

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

  1. What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21

  2. Overview What is malware and how do we traditionally detect it? 1 What is static analysis? 2 How does static analysis promise to help detect malware? 3 How far can we go with it? 4 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 2 / 21

  3. What is malware? Malign software: infiltrates and subverts. Uses from spam e-mail botnets to IP theft. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 3 / 21

  4. What is malware? Malign software: infiltrates and subverts. Uses from spam e-mail botnets to IP theft. Executive summary: malware is bad. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 3 / 21

  5. How do we detect malware? Traditionally: signature (‘fingerprint’) detection. If a binary matches a malware signature, it’s a bad ’un. ❬ Note: the signature may be for part(s) of a malware. ❪ L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 4 / 21

  6. ✵ ✻ ❂ ✵ How to defeat traditional signature matching. Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Give it hash H . L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 5 / 21

  7. How to defeat traditional signature matching. Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Give it hash H . Malware author (remember: bad, not mad) obfuscates it to: MOV R0, #3 x := 3 MOV R1, #4 y := 4 BL DO_SOMETHING_WITH_R0 f(x) Will have hash H ✵ where H ✻ ❂ H ✵ . L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 5 / 21

  8. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  9. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  10. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  11. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) No regular expression matching will match that! L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  12. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) No regular expression matching will match that! Metamorphic / polymorphic malware on the rise. Traditional signature detection ever less effective. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  13. A proposed approach. Traditional signature detection looks at program syntax. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  14. A proposed approach. Traditional signature detection looks at program syntax. What about the programs semantics? Intuition: a malware’s core semantics must be the same before and after obfuscation. So: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  15. A proposed approach. Traditional signature detection looks at program syntax. What about the programs semantics? Intuition: a malware’s core semantics must be the same before and after obfuscation. So: we need to statically analyse its semantics! L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  16. Static analysis. Looking at a static program (source code or binary) and uncovering information about it. Take LLVM’s static analyser ( scan-build ). Spot the bug? char *expand_path(const char *path) { char *exp_path; // If path begins with "~/", we expand that to the users home directory. if (strncmp(path, HOME_PFX, strlen(HOME_PFX)) == 0) { struct passwd *pw_ent = getpwuid(geteuid()); if (pw_ent == NULL) { free(exp_path); return NULL; } if (asprintf(&exp_path, "%s%s%s", pw_ent->pw_dir, DIR_SEP, path + strlen(HOME_PFX)) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } else { if (asprintf(&exp_path, "%s", path) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } return exp_path; } L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 8 / 21

  17. Static analysis. Looking at a static program (source code or binary) and uncovering information about it. Take LLVM’s static analyser ( scan-build ). Spot the bug? char *expand_path(const char *path) { char *exp_path; // If path begins with "~/", we expand that to the users home directory. if (strncmp(path, HOME_PFX, strlen(HOME_PFX)) == 0) { struct passwd *pw_ent = getpwuid(geteuid()); if (pw_ent == NULL) { free(exp_path); return NULL; } if (asprintf(&exp_path, "%s%s%s", pw_ent->pw_dir, DIR_SEP, path + strlen(HOME_PFX)) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } else { if (asprintf(&exp_path, "%s", path) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } return exp_path; } L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 8 / 21

  18. Static analysis (2). L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 9 / 21

  19. Static analysis (2). L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 9 / 21

  20. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  21. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. If they match: it’s a malware; otherwise it’s OK. (We might need to play around with the ‘fuzziness’ a bit, but it should work.) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  22. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. If they match: it’s a malware; otherwise it’s OK. (We might need to play around with the ‘fuzziness’ a bit, but it should work.) My argument: if you deploy this tomorrow, by the following day it will have been irrevocably circumvented. Why? L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  23. Static analysis assumptions. Underlying assumption of static analysis: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  24. Static analysis assumptions. Underlying assumption of static analysis: programs are amenable to static analysis techniques and when a part of a program violates a static analysis technique, users are happy to adjust their program accordingly. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  25. Static analysis assumptions. Underlying assumption of static analysis: programs are amenable to static analysis techniques and when a part of a program violates a static analysis technique, users are happy to adjust their program accordingly. Bunnies and photo: Anna Hull. (CC BY-NC-ND 3.0) The pink fluffy bunny assumption. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  26. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

  27. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: malware authors will find and exploit any and all weak points. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

  28. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: malware authors will find and exploit any and all weak points. The hostile assumption. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

870 views • 45 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj Giovanni Vigna B.S Manjunath Ezeanaka Kingsley CISC850 Cyber Analytics CISC850 Cyber Analytics Abstract Sigmal as a malware detection framework -

454 views • 17 slides
Developing art Experiment Code with Docker, Xcode , and Psychic Easter Bunny Dolphins Adam

Developing art Experiment Code with Docker, Xcode , and Psychic Easter Bunny Dolphins Adam

Developing art Experiment Code with Docker, Xcode , and Psychic Easter Bunny Dolphins Adam Lyon/Fermilab SCD & g-2 art Workshop 17 June 2016 My background Scientist on Muon g-2 and SCD Quadrant Head When I develop code, I use my Mac

433 views • 17 slides
Progressive Web Components GOTO Berlin 2016 Frederik Dohr, @fnd Stefan Tilkov, @stilkov

Progressive Web Components GOTO Berlin 2016 Frederik Dohr, @fnd Stefan Tilkov, @stilkov

Progressive Web Components GOTO Berlin 2016 Frederik Dohr, @fnd Stefan Tilkov, @stilkov History repeating Web CORBA WS-* REST Whats the client side analogy? Web app 2) Web service 1) > Uses browser as runtime >

818 views • 60 slides
Understanding and Tuning the Performance of Critical Sections with Program Analysis and Software

Understanding and Tuning the Performance of Critical Sections with Program Analysis and Software

Understanding and Tuning the Performance of Critical Sections with Program Analysis and Software Visualization Tools Michael Dilip Shah Advisor: Samuel Z. Guyer Monday July 31, 2017 1 Why Care About Performance Servers Mobile

959 views • 72 slides
CompSci 94 Classwork: Biped Procs, Review 2D views September 8, 2020 Prof. Susan Rodger 9/8/20

CompSci 94 Classwork: Biped Procs, Review 2D views September 8, 2020 Prof. Susan Rodger 9/8/20

CompSci 94 Classwork: Biped Procs, Review 2D views September 8, 2020 Prof. Susan Rodger 9/8/20 CompSci 94 Fall 2020 1 1) Setting up the scene Add in any ground, I chose desert Drag in these objects so they are in positions similar

190 views • 18 slides
Surface Simplification Using Quadric Error Metrics Michael Garland and Paul S. Heckbert 1 The

Surface Simplification Using Quadric Error Metrics Michael Garland and Paul S. Heckbert 1 The

Surface Simplification Using Quadric Error Metrics Michael Garland and Paul S. Heckbert 1 The Basic Idea 2 Vertex Decimation: [Schroeder92] Computer Graphics, 26, 2, July 1992 Computer Graphics, 26, 2, July 1992 Classify vertices as

414 views • 29 slides
Facilities 4.9.2020 Dr. Salman Ashraf, MBBS and Kate Tyner, RN, BSN, CIC Nebraska ICAP Dr.

Facilities 4.9.2020 Dr. Salman Ashraf, MBBS and Kate Tyner, RN, BSN, CIC Nebraska ICAP Dr.

Guidance and responses were provided based on information known on 4/9/2020 and may become out of date. Guidance is being updated rapidly, so users should look to CDC and NE DHHS guidance for updates. COVID-19 Guidance for Outpatient Facilities

210 views • 17 slides
!""#$%&'()*++,'-.//"01%&' !2*0%$%&'.+$%&'3220'30"&0*4+'

!""#$%&'()*++,'-.//"01%&' !2*0%$%&'.+$%&'3220'30"&0*4+'

!""#$%&'()*++,'-.//"01%&' !2*0%$%&'.+$%&'3220'30"&0*4+' 5*$6)$%'72))2820' 9#2))2820:9+2;<.+6);2=.' Lack of diversity can create unintentional problems.

443 views • 22 slides
Childrens privacy relations around their media uses in Turkey Hamide Elif zmc Visiting

Childrens privacy relations around their media uses in Turkey Hamide Elif zmc Visiting

Centre for Research on Families and Relationships & Childhood & Youth Studies Research Group, MHSE 5 June 2019 Childrens privacy relations around their media uses in Turkey Hamide Elif zmc Visiting PhD student at SSPS,

667 views • 13 slides

More recommend