Automated Malware Invariant Generation

Today, every social infrastructure relies on computer security and privacy: a malicious attack on a computer is a threat to society. Our project aims to design and develop a binary analysis framework based on formal methods and to use that platform for automatic, in-depth malware analysis. We propose a new method to detect and identify malware by automatically generating invariants directly from the malware code and using them as semantics-aware signatures, which we call malware-invariants. We also propose a host-based intrusion detection system built on an automatically generated model in which system calls are guarded by pre-computed invariants, so that any deviation observed during execution of the application is reported. Our methods also provide techniques for detecting logic bugs and vulnerabilities in applications. Current malware detectors are “signature-based”, and it is well known that malware writers use obfuscation to evade such detectors easily. We propose automatic semantics-aware detection, identification and model-extraction methods, thereby circumventing the difficulties met by recent approaches.
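To make the host-based detection idea concrete, the following is an added example (not code from the paper or its framework) of a program model in which every system-call site carries a pre-computed invariant over program state, and a trace checker that reports deviations. The call-site labels (S0..S3), the variable names (`fd`, `nread`, `nwritten`), the buffer size and the file-copy routine they describe are all constructed assumptions; the invariants are written as the kind of linear relations among variables that static invariant generation produces.

```python
"""Toy host-based intrusion detection model: each system-call site in the
program model is guarded by a pre-computed invariant over program state.
A trace is checked both for control flow (which site may follow which) and
for the invariant at each call; any failure is reported as a deviation.
All names, states and traces below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
BUF_SIZE = 4096  # assumed buffer size of the hypothetical copy routine


@dataclass(frozen=True)
class GuardedCall:
    syscall: str                          # system call issued at this site
    invariant: Callable[[State], bool]    # pre-computed invariant at the call
    successors: Tuple[str, ...]           # call sites reachable next
    note: str                             # human-readable meaning of the guard


# Constructed model of a hypothetical "open, read/write loop, close" routine.
MODEL: Dict[str, GuardedCall] = {
    "S0": GuardedCall("open",
                      lambda s: s["fd"] == -1 and s["nread"] == 0 and s["nwritten"] == 0,
                      ("S1",), "nothing open yet, counters are zero"),
    "S1": GuardedCall("read",
                      lambda s: s["fd"] >= 0 and s["nwritten"] == s["nread"],
                      ("S2", "S3"), "everything read so far has been written"),
    "S2": GuardedCall("write",
                      lambda s: s["fd"] >= 0 and 0 < s["nread"] - s["nwritten"] <= BUF_SIZE,
                      ("S1",), "pending bytes are non-empty and fit the buffer"),
    "S3": GuardedCall("close",
                      lambda s: s["fd"] >= 0 and s["nwritten"] == s["nread"],
                      (), "all data has been flushed"),
}
ENTRY = "S0"

# One trace event: (call site, system call, program state observed at the call).
Event = Tuple[str, str, State]


def check_trace(trace: List[Event]) -> List[str]:
    """Return a list of deviation reports; an empty list means the trace
    conforms to the model (both control flow and invariants)."""
    deviations: List[str] = []
    expected = {ENTRY}
    for i, (site, syscall, state) in enumerate(trace):
        if site not in MODEL:
            deviations.append(f"event {i}: unknown call site {site!r} issuing {syscall}")
            break  # the model cannot be followed past an unknown site
        guard = MODEL[site]
        if site not in expected:
            deviations.append(f"event {i}: {site} ({syscall}) not reachable from previous site")
        if syscall != guard.syscall:
            deviations.append(f"event {i}: {site} expects {guard.syscall}, trace shows {syscall}")
        try:
            ok = guard.invariant(state)
        except KeyError:          # state missing a variable the invariant needs
            ok = False
        if not ok:
            deviations.append(f"event {i}: invariant violated at {site} ({guard.note}): state={state}")
        expected = set(guard.successors)
    return deviations


# Constructed benign trace: one full buffer copied, then close.
BENIGN_TRACE: List[Event] = [
    ("S0", "open",  {"fd": -1, "nread": 0,    "nwritten": 0}),
    ("S1", "read",  {"fd": 3,  "nread": 0,    "nwritten": 0}),
    ("S2", "write", {"fd": 3,  "nread": 4096, "nwritten": 0}),
    ("S1", "read",  {"fd": 3,  "nread": 4096, "nwritten": 4096}),
    ("S3", "close", {"fd": 3,  "nread": 4096, "nwritten": 4096}),
]

# Constructed corrupted trace: identical system-call sequence, but at the
# write the length counter exceeds the buffer, which the invariant rejects.
CORRUPTED_TRACE: List[Event] = [
    ("S0", "open",  {"fd": -1, "nread": 0,    "nwritten": 0}),
    ("S1", "read",  {"fd": 3,  "nread": 0,    "nwritten": 0}),
    ("S2", "write", {"fd": 3,  "nread": 8192, "nwritten": 0}),
    ("S1", "read",  {"fd": 3,  "nread": 8192, "nwritten": 8192}),
    ("S3", "close", {"fd": 3,  "nread": 8192, "nwritten": 8192}),
]

if __name__ == "__main__":
    print("benign:", check_trace(BENIGN_TRACE) or "no deviation")
    print("corrupted:", check_trace(CORRUPTED_TRACE))
```

The two sample traces issue exactly the same sequence of system calls, so a monitor that checks only call sequences would accept both; it is the invariant attached to the write site that flags the corrupted state. Unknown call sites and unexpected control-flow transitions are reported separately, which keeps the two failure classes (control-flow deviation versus data deviation) distinguishable in the output.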
