what role for static analysis in malware detection
play

What role for static analysis in malware detection? Laurence Tratt - PowerPoint PPT Presentation

Jul 15, 2023 •753 likes •1.3k views

What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21 Overview

  1. What role for static analysis in malware detection? Laurence Tratt http://tratt.net/laurie/ Middlesex University With thanks to David Clark 2011/4/6 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 1 / 21

  2. Overview What is malware and how do we traditionally detect it? 1 What is static analysis? 2 How does static analysis promise to help detect malware? 3 How far can we go with it? 4 L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 2 / 21

  3. What is malware? Malign software: infiltrates and subverts. Uses from spam e-mail botnets to IP theft. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 3 / 21

  4. What is malware? Malign software: infiltrates and subverts. Uses from spam e-mail botnets to IP theft. Executive summary: malware is bad. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 3 / 21

  5. How do we detect malware? Traditionally: signature (‘fingerprint’) detection. If a binary matches a malware signature, it’s a bad ’un. ❬ Note: the signature may be for part(s) of a malware. ❪ L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 4 / 21

  6. ✵ ✻ ❂ ✵ How to defeat traditional signature matching. Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Give it hash H . L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 5 / 21

  7. How to defeat traditional signature matching. Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Give it hash H . Malware author (remember: bad, not mad) obfuscates it to: MOV R0, #3 x := 3 MOV R1, #4 y := 4 BL DO_SOMETHING_WITH_R0 f(x) Will have hash H ✵ where H ✻ ❂ H ✵ . L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 5 / 21

  8. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  9. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  10. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  11. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) No regular expression matching will match that! L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  12. How to defeat traditional signature matching (2). Idea: can signatures be like regular expressions, ‘skipping’ over irrelevant stuff? Original malware: MOV R0, #3 x := 3 BL DO_SOMETHING_WITH_R0 f(x) Malware author obfuscates it to: MOV R0, #1 x := 1 ADD R0, R0, #2 x += 2 BL DO_SOMETHING_WITH_R0 f(x) No regular expression matching will match that! Metamorphic / polymorphic malware on the rise. Traditional signature detection ever less effective. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 6 / 21

  13. A proposed approach. Traditional signature detection looks at program syntax. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  14. A proposed approach. Traditional signature detection looks at program syntax. What about the programs semantics? Intuition: a malware’s core semantics must be the same before and after obfuscation. So: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  15. A proposed approach. Traditional signature detection looks at program syntax. What about the programs semantics? Intuition: a malware’s core semantics must be the same before and after obfuscation. So: we need to statically analyse its semantics! L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 7 / 21

  16. Static analysis. Looking at a static program (source code or binary) and uncovering information about it. Take LLVM’s static analyser ( scan-build ). Spot the bug? char *expand_path(const char *path) { char *exp_path; // If path begins with "~/", we expand that to the users home directory. if (strncmp(path, HOME_PFX, strlen(HOME_PFX)) == 0) { struct passwd *pw_ent = getpwuid(geteuid()); if (pw_ent == NULL) { free(exp_path); return NULL; } if (asprintf(&exp_path, "%s%s%s", pw_ent->pw_dir, DIR_SEP, path + strlen(HOME_PFX)) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } else { if (asprintf(&exp_path, "%s", path) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } return exp_path; } L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 8 / 21

  17. Static analysis. Looking at a static program (source code or binary) and uncovering information about it. Take LLVM’s static analyser ( scan-build ). Spot the bug? char *expand_path(const char *path) { char *exp_path; // If path begins with "~/", we expand that to the users home directory. if (strncmp(path, HOME_PFX, strlen(HOME_PFX)) == 0) { struct passwd *pw_ent = getpwuid(geteuid()); if (pw_ent == NULL) { free(exp_path); return NULL; } if (asprintf(&exp_path, "%s%s%s", pw_ent->pw_dir, DIR_SEP, path + strlen(HOME_PFX)) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } else { if (asprintf(&exp_path, "%s", path) == -1) errx(1, "expand_path: asprintf: unable to allocate memory"); } return exp_path; } L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 8 / 21

  18. Static analysis (2). L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 9 / 21

  19. Static analysis (2). L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 9 / 21

  20. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  21. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. If they match: it’s a malware; otherwise it’s OK. (We might need to play around with the ‘fuzziness’ a bit, but it should work.) L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  22. Static analysis (3). Intuition: do a ‘fuzzy match’ against a malware’s semantic signature and that of a new binary. If they match: it’s a malware; otherwise it’s OK. (We might need to play around with the ‘fuzziness’ a bit, but it should work.) My argument: if you deploy this tomorrow, by the following day it will have been irrevocably circumvented. Why? L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 10 / 21

  23. Static analysis assumptions. Underlying assumption of static analysis: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  24. Static analysis assumptions. Underlying assumption of static analysis: programs are amenable to static analysis techniques and when a part of a program violates a static analysis technique, users are happy to adjust their program accordingly. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  25. Static analysis assumptions. Underlying assumption of static analysis: programs are amenable to static analysis techniques and when a part of a program violates a static analysis technique, users are happy to adjust their program accordingly. Bunnies and photo: Anna Hull. (CC BY-NC-ND 3.0) The pink fluffy bunny assumption. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 11 / 21

  26. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

  27. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: malware authors will find and exploit any and all weak points. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

  28. Static analysis assumptions (2). The pink fluffy bunny assumption breaks down with malware: malware authors will find and exploit any and all weak points. The hostile assumption. L. Tratt http://tratt.net/laurie/ Static analysis and malware 2011/4/6 12 / 21

Recommend

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

870 views • 45 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C.

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

929 views • 78 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj

SigMal: A Static Signal Processing Based Malware Triage Dhilung Kirat Lakshmanan Nataraj Giovanni Vigna B.S Manjunath Ezeanaka Kingsley CISC850 Cyber Analytics CISC850 Cyber Analytics Abstract Sigmal as a malware detection framework -

454 views • 17 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services Nuno Antunes, Marco Vieira PRDC 2009 nmsa@dei.uc.pt, mvieira@dei.uc.pt University of Coimbra

370 views • 24 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command & Control Automotive Consumer Energy & Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&D of malware with exotic C&C

781 views • 34 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides

More recommend