Abstract
Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.
This work was supported in part by SONIC (one of the six SRC STARnet centers, sponsored by MARCO and DARPA) and NSF Grant 1525936. Any opinions, findings, and conclusions presented here are those of the authors and do not necessarily reflect those of SONIC or NSF.
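An added illustration of the differential idea described in the abstract; it is my own simplified reconstruction, not the paper's method or code. Two constructed memory traces of the same program, one benign and one in which a copy loop overflows a stack buffer, are compared at a fixed segment granularity; the first write into an attack-specific segment is reported as the corruption site, and the instruction preceding the first fetch from an attack-specific segment as the point where control transfers to the payload. Segment size, addresses and the pc-to-source map are all constructed.

```python
from collections import namedtuple

# One trace record: instruction address `pc`, access type `op`
# ('R' read, 'W' write, 'X' instruction fetch) and memory address `addr`.
Access = namedtuple("Access", "pc op addr")

SEG = 16  # constructed segment granularity in bytes

def seg(addr):
    return addr // SEG

def segments(trace, op):
    return {seg(a.addr) for a in trace if a.op == op}

def attack_specific_segments(benign, malicious, op):
    """Segments accessed with `op` in the malicious run but never in the benign run."""
    return segments(malicious, op) - segments(benign, op)

def localize(benign, malicious, pc_to_line):
    """Map the first attack-specific write (corruption) and the instruction that
    first transfers control into an attack-specific segment (payload entry)
    back to source locations."""
    bad_writes = attack_specific_segments(benign, malicious, "W")
    bad_fetches = attack_specific_segments(benign, malicious, "X")
    result = {"corruption": None, "execution": None}
    for i, a in enumerate(malicious):
        if result["corruption"] is None and a.op == "W" and seg(a.addr) in bad_writes:
            result["corruption"] = (hex(a.pc), pc_to_line.get(a.pc, "unknown"))
        if result["execution"] is None and a.op == "X" and seg(a.addr) in bad_fetches and i > 0:
            src = malicious[i - 1].pc  # the record just before the fetch: the branch source
            result["execution"] = (hex(src), pc_to_line.get(src, "unknown"))
    return result

# Constructed sample: a 16-byte stack buffer at BUF filled by a copy loop at
# pc 0x401020, the saved return address at BUF+0x18, and the 'ret' at pc 0x401040.
BUF = 0x7FFD0000
PC_TO_LINE = {0x401020: "copy.c:12 strcpy(buf, input)", 0x401040: "copy.c:15 return"}

BENIGN = [Access(0x401020, "W", BUF + i) for i in range(8)] + [
    Access(0x401040, "R", BUF + 0x18),  # ret reads the saved return address
    Access(0x401100, "X", 0x401100),    # and returns into the caller
]
MALICIOUS = [Access(0x401020, "W", BUF + i) for i in range(0x20)] + [  # writes past buf
    Access(0x401040, "R", BUF + 0x18),
    Access(BUF, "X", BUF),              # control lands on the payload in the buffer
]

if __name__ == "__main__":
    print(attack_specific_segments(BENIGN, MALICIOUS, "W"))
    print(localize(BENIGN, MALICIOUS, PC_TO_LINE))
```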
© 2017 Springer International Publishing AG
Cite this paper
Xu, Z., Gupta, A., Malik, S. (2017). Trace-based Analysis of Memory Corruption Malware Attacks. In: Strichman, O., Tzoref-Brill, R. (eds) Hardware and Software: Verification and Testing. HVC 2017. Lecture Notes in Computer Science, vol. 10629. Springer, Cham. https://doi.org/10.1007/978-3-319-70389-3_5
DOI: https://doi.org/10.1007/978-3-319-70389-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70388-6
Online ISBN: 978-3-319-70389-3
eBook Packages: Computer Science (R0)