Input generation via decomposition and re-stitching: Finding bugs in malware

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 413-425

  Caballero, Juan ^a   Poosankam, Pongsin ^a   McCamant, Stephen ^a   Babić, Domagoj ^a   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Binary analysis; Composition; Input generation; Malware

Indexed keywords

BINARY ANALYSIS; COMPOSITION; DYNAMIC SYMBOLIC EXECUTIONS; ETHICAL CONSIDERATIONS; EXPLORATION TECHNIQUES; INPUT GENERATION; LITTLE RESEARCH; MALWARES; NETWORK ATTACKERS; SYMBOLIC EXECUTION;

COMPUTER CRIME; CRYPTOGRAPHY;

PROGRAM DEBUGGING;

EID: 78650029404     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866354     Document Type: Conference Paper

References (46)

1. BitBlaze: Binary analysis for computer security. http://bitblaze.cs. berkeley.edu/.
2. D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In Proceedings of the 16th USENIX Security Symposium, pages 213-228, Montreal, Quebec, Canada, Aug. 2007.
3. D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In IEEE Symposium on Security and Privacy, 2008.
4. J. Caballero, N. M. Johnson, S. McCamant, and D. Song. Binary code extraction and interface identification for security applications. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium, pages 391-408, San Diego, California, USA,Mar. 2010.
5. J. Caballero, Z. Liang, P. Poosankam, and D. Song. Towards generating high coverage vulnerability-based signatures with protocol-level constraint-guided exploration. In RAID'09: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, volume 5758 of Lecture Notes in Computer Science, Saint-Malo, France, Sept. 2009.
6. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In CCS'09: Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 621-634, Chicago, Illinois, USA, Nov. 2009.
7. C. Cadar and D. R. Engler. Execution generated test cases: How to make systems code crash itself. In SPIN'05: Proceedings of the 12th International SPIN Workshop on Model Checking Software, volume 3639 of Lecture Notes in Computer Science, pages 2-23, San Francisco, California, USA, Aug. 2005.
8. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA'08: Proceedings of the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment, volume 5137 of Lecture Notes inComputer Science, pages 143-163, Paris, France, July 2008.
9. CVE: Common vulnerabilities and exposures. http://cve.mitre.org/.
10. J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg, Germany, Mar. 2002.
11. D. Danchev. Help! someone hijacked my 100k+ Zeus botnet!, Feb. 2009.help-someone-hijacked-my-100k-zeus.html.
12. D. De, A. Kumarasubramanian, and R. Venkatesan. Inversion attacks on secure hash functions using SAT solvers. In SAT'07: Proceedings of the Tenth International Conference on Theory and Applications of Satisfiability Testing, volume 4501 of Lecture Notes in Computer Science, pages 377-382, Lisbon, Portugal, 2007.
13. D. Dittrich, F. Leder, and T. Werner. A case study in ethical decision making regarding remote mitigation of botnets. In WECSR'10: Workshop on Ethics in Computer Security Research, Lecture Notes in Computer Science, Tenerife, Canary Islands, Spain, Jan. 2010.
14. J. W. Duran and S. C. Ntafos. An evaluation of random testing. IEEE Trans. Software Eng., 10(4):438-444, 1984.
15. Security guru gives hackers a taste of their own medicine, Apr. 2008. http://www.wired.com/threatlevel/2008/04/researcher-demo.
16. V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV'07: Proceedings of the 19th International Conference on Computer Aided Verification, volume 4590 of Lecture Notes in Computer Science, pages 519-531, Berlin, Germany, July 2007.
17. V. Ganesh, T. Leek, and M. C. Rinard. Taint-based directed whitebox fuzzing. In ICSE'09: Proceedings of the 31st International Conference on Software Engineering, pages 474-484, Vancouver, British Columbia, Canada, May 2009.
18. P. Godefroid. Compositional dynamic test generation. In POPL'07: Proceedings of the 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 47-54, Nice, France, Jan. 2007.
19. P. Godefroid, A. Kie?zun, and M. Y. Levin. Grammar-based whitebox fuzzing. In PLDI'08: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation, pages 206-215, Tucson, Arizona, USA, June 2008.
20. P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In PLDI'05: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 213-223, Chicago, Illinois, USA, June 2005.
21. P. Godefroid, M. Y. Levin, and D. A. Molnar. Automated whitebox fuzz testing. In NDSS'08: Proceedings of the Network and Distributed System Security Symposium, San Diego, California, USA, Feb. 2008.
22. M. Kassner. The top 10 spam botnets: New and improved, Feb. 2010. http://blogs.techrepublic.com.com/10things/?p=1373.
23. A. Kie?zun, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In ICSE'09: Proceedings of the 31st International Conference on Software Engineering, pages 199-209, Vancouver, British Columbia, Canada, May 2009.
24. J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385-394, 1976.
25. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector Gadget: Automated extraction of proprietary gadgets from malware binaries. In SP'10: Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, California, USA, May 2010.
26. J. Leyden. Monster botnet held 800,000 people's details. The Register, Mar. 2010. http://www.theregister.co.uk/2010/03/04/mariposa-police-hunt-more- botherders/.
27. 27] M86 Security Labs. Botnet statistics for week ending April 11, 2010, Apr. 2010. http://www.m86security.com/labs/bot-statistics.asp.
28. S. McCamant and M. D. Ernst. Quantitative information flow as network flow capacity. In PLDI'08: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation, pages 193-205, Tucson, Arizona, USA, June 2008.
29. Smashing the Mega-d/Ozdok botnet in 24 hours. http://blog.fireeye.com/ research/2009/11/smashing-the-ozdok.html.
30. B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Communications of the ACM, 33(12):32-44, 1990.
31. D. Molnar, X. C. Li, and D. Wagner. Dynamic test generation to find integer bugs in x86 binary Linux programs. In Proceedings of the 18th USENIX Security Symposium, pages 67-81, Montreal, Quebec, Canada, Aug. 2009.
32. National Institute of Standards and Technology, Gaithersburg, MD, USA. Federal Information Processing Standard 180-2: Secure Hash Standard, Aug. 2002.
33. OpenSSL: The open source toolkit for SSL/TLS. http://www.openssl.org/.
34. OSVDB. Cutwail Bot svchost.exe CC Message Handling Remote Overflow, July 2010. http://osvdb.org/66497.
35. OSVDB. Gheg Bot RtlAllocateHeap Function Null Dereference Remote DoS, July 2010. http://osvdb.org/66498.
36. OSVDB. Zbot Trojan svchost.exe Compressed Input Handling Remote Overflow, July 2010. http://osvdb.org/66501.
37. OSVDB. Zbot Trojan svchost.exe Network Message Crafted Payload Size Handling Infinite Loop Remote DoS, July 2010. http://osvdb.org/66500.
38. OSVDB. Zbot Trojan svchost.exe RtlAllocateHeap Function Null Dereference Remote DoS, July 2010. http://osvdb.org/66499.
39. W. A. Owens, K. W. Dam, and H. S. Lin, editors. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. The National Academies Press, Washington, DC, USA, 2009.
40. B. Potter, Beetle, CowboyM, D. Moniz, R. Thayer, 3ricj, and Pablos. Shmoo-fu: Hacker goo, goofs, and gear with the shmoo. In DEFCON, Las Vegas, Nevada, USA, July 2005. http://www.defcon.org/images/defcon-13/dc13- presentations/dc-13-beetle-shmoo-fu.pdf.
41. Shadowserver foundation. http://www.shadowserver.org/.
42. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis (keynote invited paper). In ICISS'08: Proceedings of the 4th International Conference on Information Systems Security, volume 5352 of Lecture Notes in Computer Science, pages 1-25, Hyderabad, India, Dec. 2008.
43. T. Wang, T. Wei, G. Gu, and W. Zou. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In SP'10: Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, California, USA, May 2010.
44. Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace. ReFormat: Automatic reverse engineering of encrypted messages. In ESORICS'09: 14th European Symposium on Research in Computer Security, volume 5789 of Lecture Notes in Computer Science, pages 200-215, Saint-Malo, France, Sept. 2009.
45. Y. Xie and A. Aiken. Scalable error detection using Boolean satisfiability. In POPL'05: Proceedings of the 32nd ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 351-363, Long Beach, California, USA, Jan. 2005.
46. The zlib library. http://www.zlib.net/.