Virtualization and Binary Centric Approach to Malware Analysis
ABSTRACT
The objective of this project is to advance malware analysis techniques by taking a virtualization and binary centric approach. To address the common challenges in malware analysis, our first effort is to build a generic virtualization-‐based binary analysis framework, named DECAF. Compared to other virtualization-‐based malware analysis platforms, DECAF advances in the following ways: 1) address the transparency issue in software emulation by heterogeneous replay from hardware virtualization; 2) seamlessly provide multi-‐layer semantic views (OS and Dalvik) for mobile malware analysis; 3) formally verify the correctness of taint analysis implementation (one of the core binary analysis techniques).
Based on DECAF, we further tackle several important security problems. To diagnosis sophisticated multi-‐stage software exploits, we propose to conduct dynamic type inference while monitoring exploit execution on DECAF. To improve the completeness and robustness of memory forensics, we monitor the kernel execution on DECAF and reconstruct the kernel data structure graphs, and then apply a machine learning technique (random surf model) to infer kernel objects from an unknown memory dump.
Award ID: 1054605
Submitted by Katie Dey
on
ABSTRACT
The objective of this project is to advance malware analysis techniques by taking a virtualization and binary centric approach. To address the common challenges in malware analysis, our first effort is to build a generic virtualization-‐based binary analysis framework, named DECAF. Compared to other virtualization-‐based malware analysis platforms, DECAF advances in the following ways: 1) address the transparency issue in software emulation by heterogeneous replay from hardware virtualization; 2) seamlessly provide multi-‐layer semantic views (OS and Dalvik) for mobile malware analysis; 3) formally verify the correctness of taint analysis implementation (one of the core binary analysis techniques).
Based on DECAF, we further tackle several important security problems. To diagnosis sophisticated multi-‐stage software exploits, we propose to conduct dynamic type inference while monitoring exploit execution on DECAF. To improve the completeness and robustness of memory forensics, we monitor the kernel execution on DECAF and reconstruct the kernel data structure graphs, and then apply a machine learning technique (random surf model) to infer kernel objects from an unknown memory dump.
Award ID: 1054605