检索结果-内蒙古大学图书馆

FOSSIL: A Resilient and Efficient System for Identifying FOSS Functions in Malware Binaries

ACM TRANSACTIONS ON PRIVACY AND SECURITY 2018年第2期21卷 1–34页

作者： Alrabaee, Saed Shirani, Paria Wang, Lingyu Debbabi, Mourad Concordia Univ Secur Res Ctr CIISE Montreal PQ H3G 1M8 Canada

Identifying free open-source software (FOSS) packages on binaries when the source code is unavailable is important for many security applications, such as malware detection, software infringement, and digital forensics. This capability enhances both the accuracy and the efficiency of reverse engineering tasks by avoiding false correlations between irrelevant code bases. Although the FOSS package identification problem belongs to the field of software engineering, conventional approaches rely strongly on practical methods in data mining and database searching. However, various challenges in the use of these methods prevent existing function identification approaches from being effective in the absence of source code. To make matters worse, the introduction of obfuscation techniques, the use of different compilers and compilation settings, and software refactoring techniques has made the automated detection of FOSS packages increasingly difficult. With very few exceptions, the existing systems are not resilient to such techniques, and the exceptions are not sufficiently efficient. To address this issue, we propose FOSSIL, a novel resilient and efficient system that incorporates three components. The first component extracts the syntactical features of functions by considering opcode frequencies and applying a hidden Markov model statistical test. The second component applies a neighborhood hash graph kernel to random walks derived from control-flow graphs, with the goal of extracting the semantics of the functions. The third component applies z-score to the normalized instructions to extract the behavior of instructions in a function. The components are integrated using a Bayesian network model, which synthesizes the results to determine the FOSS function. The novel approach of combining these components using the Bayesian network has produced stronger resilience to code obfuscation. We evaluate our system on three datasets, including real-world projects whose use of

关键词： Security Information Systems binary code analysis malicious code analysis function fingerprinting free software packages

来源：评论

学校读者我要写书评

暂无评论

An Empirical Study of SDK Credential Misuse in iOS Apps 25

An Empirical Study of SDK Credential Misuse in iOS Apps

引用

25th Asia-Pacific Software Engineering Conference (APSEC)

作者： Wen, Haohuang Li, Juanru Zhang, Yuanyuan Gu, Dawu South China Univ Technol Sch Software Engn Guangzhou Guangdong Peoples R China Shanghai Jiao Tong Univ Lab Cryptol & Comp Secur Shanghai Peoples R China

ISBN: (纸本)9781728119700

During the development of web-based mobile apps, third-party SDKs (Software Development Kit) are frequently used to facilitate the integration of certain functionality such as push notification and mobile payment. Unfortunately, security issues are often considered as a second-tier problem and app developers are prone to implement apps with SDK misuses. Among those typical SDK misuses, the misuse of credentials is the one that introduces serious security threats. A credential is a set of unique information (e.g., APP ID, App Token, etc) allocated to a specific developer to help app authenticate the identity. However, if not properly used, the credential can be easily obtained by attackers and leads to not only the leak of confidential information of mobile developers but also direct threats to the privacy of end users. To investigate the SDK credential misuse issue on iOS platform, in this paper we conduct an empirical study against 100 popular iOS apps using two popular mobile SDKs (each SDK are widely used by at least 40 million users). We implemented iCredFinder, an automated analysis tool to search credential misuses in those apps and our experiment demonstrates 68 apps contain at least one misuse case. Our study demonstrates the severity of credential misuse on iOS platform: even for those well-developed SDKs and apps, credentials are not well protected and can be easily discovered. We expect that our study could help developers fix those flaws and promote better implementations.

关键词： iOS apps Third-party SDKs binary code analysis Credential exposure

来源：评论

学校读者我要写书评

暂无评论

Context-Sensitive Flow Graph and Projective Single Assignment Form for Resolving Context-Dependency of binary code 13

Context-Sensitive Flow Graph and Projective Single Assignmen...

引用

13th ACM SIGSAC Workshop on Programming Languages and analysis for Security (PLAS)

作者： Izumida, Tomonori Mori, Akira Hashimoto, Masatomo IIJ Res Lab Tokyo Japan Natl Inst Adv Ind Sci & Technol Tokyo Japan Chiba Inst Technol Narashino Chiba Japan

ISBN: (纸本)9781450359931

Program analysis on binary code is considered as difficult because one has to resolve destinations of indirect jumps. However, there is another difficulty of context-dependency that matters when one processes binary programs that are not compiler generated. In this paper, we propose a novel approach for tackling these difficulties and describe a way to reconstruct a control flow from a binary program with no extra assumptions than the operational meaning of machine instructions.

关键词： binary code analysis static single assignment context-dependency

来源：评论

学校读者我要写书评

暂无评论

Opaque Predicate: Attack and Defense in Obfuscated binary code

Opaque Predicate: Attack and Defense in Obfuscated Binary Co...

引用

作者： Xu, Dongpeng PennState University Libraries

学位级别：Doctor of Philosophy

An opaque predicate is a predicate whose value is known to the obfuscator but is difficult to deduce. It can be seamlessly applied together with other obfuscation methods such as junk code to turn reverse engineering attempts into arduous work. Opaque predicates have been widely used in various areas of software security such as software protection, software watermarking, obfuscation, and metamorphic malware. The arms race between the construction and detection of opaque predicates is an interesting topic in computer security *** thesis introduces new attack and defense techniques about opaque predicates in binary code. First, a logic oriented opaque predicate detection tool called LOOP is proposed. By conducting symbolic execution along a trace, LOOP constructs general logical formulas to represent the intrinsic characteristics of opaque predicates. The formulas are then solved by a constraint solver and the result answers whether the predicate under examination is opaque or not. Besides, LOOP is obfuscation resilient and able to detect previously unknown opaque predicates. Our experimental result demonstrates LOOP is effective and efficient. By integrating LOOP with code normalization for matching metamorphic malware variants, we show that LOOP is an appealing complement to existing malware ***, a new control flow obfuscation scheme called generalized dynamic opaque predicate is proposed. We extend the conventional concept of dynamic opaque predicate to common program structures (e.g., straight-line code, branch, and loop). Besides, our new design does not require dynamic opaque predicates to be strictly adjacent, which is more resilient to deobfuscation techniques. The evaluation result shows generalized dynamic opaque predicates overcome the limitations in conventional opaque ***, we propose a novel technique called bit-precise symbolic loop mapping to identify cryptographic functions in obfuscated binary code. Advanced opaque pred

关键词： Opaque Predicate Software Obfuscation Cryptographic Function Detection binary code analysis

来源：评论

学校读者我要写书评

暂无评论

Timing Performance Profiling of Substation Control code for IED Malware Detection 2017

Timing Performance Profiling of Substation Control Code for ...

引用

3rd Annual Industrial Control System Security Workshop (ICSS)

作者： Rrushi, Julian L. Western Washington Univ Dept Comp Sci Bellingham WA 98225 USA

ISBN: (纸本)9781450363334

We present a binary static analysis approach to detect intelligent electronic device (IED) malware based on the time requirements of electrical substations. We explore graph theory techniques to model the timing performance of an IED executable. Timing performance is subsequently used as a metric for IED malware detection. More specifically, we perform a series of steps to reduce a part of the IED malware detection problem into a classical problem of graph theory, namely finding single-source shortest paths on a weighted directed acyclic graph (DAG). Shortest paths represent execution flows that take the longest time to compute. Their clock cycles are examined to determine if they violate the real-time nature of substation monitoring and control, in which case IED malware detection is attained. We did this work with particular reference to implementations of protection and control algorithms that use the IEC 61850 standard for substation data representation and network communication. We tested our approach against IED exploits and malware, network scanning code, and numerous malware samples involved in recent ICS malware campaigns.

关键词： Intelligent electronic devices control system malware graph theory binary code analysis

来源：评论

学校读者我要写书评

暂无评论

Packer identification based on metadata signature 7

Packer identification based on metadata signature

引用

7th Software Security, Protection, and Reverse Engineering Workshop (SSPREW)

作者： Nguyen Minh Hai Ogawa, Mizuhito Quan Thanh Tho HoChiMinh City Univ Technol Ho Chi Minh City Vietnam Japan Adv Inst Sci & Technol Nomi Ishikawa Japan

ISBN: (纸本)9781450353878

Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (binary Emulator for PUshdown Model generation) disassembles and generates the control flow graph of malware in an on-the-fly manner, using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected based on the formal criteria of each obfuscation technique. Last, the used packer is identified with the chisquare test on the metadata signature of a packed code. The precision is evaluated with experiments on 12814 malware from VX heaven and Virusshare, in which 608 examples are detected inconsistent with commercial packer identification at PEiD, CFF Explore, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misunderstands is between MEW and FSG, which are quite similar packers and current BE-PUM extension does not support MEW.

关键词： concolic testing malware binary code analysis packer

来源：评论

学校读者我要写书评

暂无评论

Comparison of binary Procedures: A Set of Techniques for Evading Compiler Transformations

引用

COMPUTER JOURNAL 2016年第1期59卷 106-118页

作者： Radivojevic, Zaharije Cvetanovic, Milos Stojanovic, Sasa Univ Belgrade Sch Elect Engn Bulevar Kralja Aleksandra 73 Belgrade 11000 Serbia

License violation analysis may require digital forensics in the performance of a time-consuming search in order to find out whether a binary code of a product contains a procedure that originates from a source code for which a license is required. The conducted experiment shows that the production of a binary code using an arbitrary compiler decreases results of the evaluated solutions up to 10 times. The best performing solution, among those evaluated, uses software metrics for assessing similarities between procedures and ranks procedures from the binary code according to their similarities with the target forensics procedure. This paper tries to improve the ranking by proposing five techniques for making similarities assessment more robust against compiler transformations. The proposed techniques filter stack instructions and transfer instructions, retain partial information about the instruction order, simulate inlining, and eliminate procedures that significantly differ from the searched procedure. The techniques are evaluated using a dataset based on the STAMP benchmark and re-evaluated using a dataset based on the BusyBox toolset. The evaluation shows that the use of the proposed techniques increases recall by 47 and 42% for the first and second datasets, respectively.

关键词： binary code analysis license violation dual-license software metric software library copyright infringement

来源：评论

学校读者我要写书评

暂无评论

Multi-threaded On-the-Fly Model Generation of Malware with Hash Compaction 1

引用

18th International Conference on Formal Engineering Methods (ICFEM)

作者： Nguyen Minh Hai Quan Thanh Tho Le Duc Anh HoChiMinh City Univ Technol Ho Chi Minh City Vietnam Tokyo Univ Agr & Technol Tokyo Japan

ISBN: (数字)9783319478463

ISBN: (纸本)9783319478463;9783319478456

This paper introduces multi-threaded implementation of our binary code analyzer BE-PUM for malware. On-the-fly model generation by BE-PUM is combined with duplication detection and hash compaction method to minimize the resource consumption. The method operates in three phases including parallel expansion of states, duplication detection and update of the state space. A notable feature of our algorithm is that it requires very little synchronization or cooperation between threads, which is often a bottleneck of multi-threading, due to our strategy of local resource management. The experiments on 125 real-world malware show good performance improvement.

关键词： Concolic testing Pushdown system Malware detection binary code analysis Hash compaction Multi-threaded

来源：评论

学校读者我要写书评

暂无评论

Obfuscation code Localization Based on CFG Generation of Malware 8th

Obfuscation Code Localization Based on CFG Generation of Mal...

引用

8th International Symposium on Foundations and Practice of Security (FPS)

作者： Nguyen Minh Hai Ogawa, Mizuhito Quan Thanh Tho Ho Chi Minh City Univ Technol Ho Chi Minh City Vietnam Japan Adv Inst Sci & Technol Nomi Japan

ISBN: (纸本)9783319303031;9783319303024

This paper presents a tool BE-PUM (binary Emulator for PUshdown Model generation), which generates a precise control flow graph (CFG), under presence of typical obfuscation techniques of malware, e.g., indirect jump, self-modification, overlapping instructions, and structured exception handler (SEH), which cover packers. Experiments are performed on 2000 real-world malware examples taken from VX Heaven and compare the results of a popular commercial disassembler IDA Pro, a state-of-the-art tool JakStab, and BE-PUM. It shows that BE-PUM correctly traces CFGs, whereas IDA Pro and JakStab fail. By manual inspection on 300 malware examples, we also observe that the starts of these failures exactly locate the entries of obfuscation code.

关键词： Concolic testing binary code analysis Malware Obfuscation

来源：评论

学校读者我要写书评

暂无评论

Incremental Verification of ω-regions on binary Control Flow Graph for Computer Virus Detection

Incremental Verification of ω-regions on Binary Control Flo...

引用

3rd National-Foundation-for-Science-and-Technology-Development Conference on Information and Computer Science (NICS)

作者： Nguyen Thien Binh Quan Thanh Tho Ha Minh Ngoc Nguyen Minh Hai HoChiMinh City Univ Technol Ho Chi Minh City Vietnam Eastern Int Univ Tx Thu Dau Mot Binh Duong Vietnam

ISBN: (纸本)9781509020980

Generally, a computer virus, or virus, consists of two major parts, including a syntactic pattern of signature and code segment performing the core malicious actions. Currently, most of commercial security programs rely on signature matching techniques for virus detection, thus suffering difficulty from some advanced polymorphic viruses which can infinitely change their signatures. In research community, model checking has been proposed to overcome this problem. Representing core malicious actions as temporal logic formulas, a model checker can then verify presence of malicious actions on a control flow graph (CFG) extracted from a binary executable. However, model-checking-based approaches encounter the infamous state explosion problem. In this paper, we tackle this problem by suggesting to partition the binary-extracted CFG into specific sub-graphs, known as omega-regions. Based on empirical observation on real virus samples, we argue that the code segment corresponding for a viral core malicious action should not occupy more than one omega-region. The tactic for location of those omega-egions from a CFG is also presented. This approach allows us to reduce the verification complexity by means of an incremental verification strategy. As a result, we enjoy significant performance improvement when experimenting with real dataset of viruses.

关键词： Malware detection binary code analysis pushdown model checking compositional verification omega-region

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：