Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report - Archive ouverte HAL
Preprints, Working Papers

Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report


Abstract

The growing use of network-connected devices gives attackers more incentives and opportunities to design and spread new security threats. Malware analysts usually employ a mix of automated tools and human expertise to study the behavior of suspicious binaries and design suitable countermeasures. The analysis techniques adopted by automated tools include symbolic execution. Symbolic execution explores all possible execution paths of the binary without either concretizing the values of the variables or dynamically executing the code (i.e., the binary is analyzed statically); instead, all values are represented symbolically. As the code exploration progresses, constraints on the symbolic variables are built and system calls are tracked. A satisfiability-modulo-theories (SMT) checker verifies the satisfiability of the collected symbolic constraints and thus the validity of an execution path. Unfortunately, while widely considered promising, this approach suffers from high resource consumption. Optimizing the constraint solver and tuning the features that control symbolic execution is therefore of fundamental importance for adopting the technique effectively. In this article, we identify the metrics that characterize the quality of binary signatures expressed as system call dependency graphs extracted from a malware database. We then pinpoint optimizations that allow better binary signatures to be extracted and thus outperform the vanilla version of symbolic analysis tools in terms of malware classification and use of the available resources.

CCS Concepts: • Security and privacy → Malware and its mitigation; • General and reference → Empirical studies; Evaluation; • Software and its engineering → Constraint and logic languages
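To make the mechanism in the abstract concrete, here is an added toy illustration (not code from the paper or its authors): a symbolic executor over a constructed program with one symbolic input x that forks at each branch, checks whether the accumulated path constraint is still satisfiable (an interval check stands in for the SMT solver), prunes infeasible paths, records the system calls each feasible path reaches, and folds the traces into a system call dependency graph. The program, instruction format and syscall names are all constructed for the example.

```python
from collections import defaultdict
# Constructed toy program over one symbolic input x. Instructions:
# ("syscall", name) | ("if", op, const, then_pc, else_pc) | ("jmp", pc) | ("ret",)
PROGRAM = [
    ("syscall", "open"),
    ("if", "<", 10, 2, 4),    # x < 10 ? goto 2 : goto 4
    ("syscall", "read"),
    ("jmp", 8),
    ("if", ">=", 10, 5, 7),   # only reachable with x >= 10 already on the path
    ("syscall", "write"),
    ("jmp", 8),
    ("syscall", "exit"),      # needs x >= 10 and x < 10: no model, so pruned
    ("syscall", "close"),
    ("ret",),
]
NEGATE = {"<": ">=", ">=": "<", ">": "<=", "<=": ">"}
def refine(bounds, op, c):
    # Conjoin "x op c" with the interval; None means the path constraint is UNSAT.
    lo, hi = bounds
    if op == "<":    hi = min(hi, c - 1)
    elif op == "<=": hi = min(hi, c)
    elif op == ">":  lo = max(lo, c + 1)
    elif op == ">=": lo = max(lo, c)
    return (lo, hi) if lo <= hi else None
def explore(program, pc=0, bounds=(float("-inf"), float("inf")), calls=()):
    # Return [(syscall trace, constraint interval)] for every feasible path.
    while True:
        ins = program[pc]
        if ins[0] == "syscall":
            calls, pc = calls + (ins[1],), pc + 1
        elif ins[0] == "jmp":
            pc = ins[1]
        elif ins[0] == "ret":
            return [(calls, bounds)]
        else:  # "if": fork, keeping only branches whose constraints are satisfiable
            _, op, c, then_pc, else_pc = ins
            paths = []
            for branch_op, target in ((op, then_pc), (NEGATE[op], else_pc)):
                nb = refine(bounds, branch_op, c)
                if nb is not None:
                    paths += explore(program, target, nb, calls)
            return paths
def dependency_graph(paths):
    # Signature: edges between consecutive system calls, over all feasible paths.
    graph = defaultdict(set)
    for calls, _ in paths:
        for a, b in zip(calls, calls[1:]):
            graph[a].add(b)
    return {k: sorted(v) for k, v in graph.items()}
```

Only two of the three syntactic paths survive the constraint check, so the "exit" call never enters the signature; a real tool replaces the interval check with an SMT solver over the full constraint set, which is exactly the resource-heavy step the abstract proposes to tune.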
Main file: agrOptTune_main_halAuthors.pdf (1.1 MB)
Origin: Files produced by the author(s)

Dates and versions

hal-01954483 , version 1 (14-12-2018)

Cite

Eduard Baranov, Fabrizio Biondi, Olivier Decourbe, Thomas Given-Wilson, Axel Legay, et al.. Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report. 2018. ⟨hal-01954483⟩