Software backdoor analysis based on sensitive flow tracking and concolic execution

EDP Sciences - Volume 21 - Pages 421-427 - 2016
Xin Xu1, Jiajie Wang2, Shaoyin Cheng1,3, Tao Zhang2, Fan Jiang1,3
1School of Computer Science and Technology, University of Science and Technology of China, Hefei 230027, Anhui, China
2China Information Technology Security Evaluation Center, Beijing, China
3Anhui Province Key Lab of Software in Computing and Communication, Hefei 230026, Anhui, China

Abstract

To detect and analyze backdoors effectively, this paper introduces a method named Backdoor Analysis based on Sensitive flow tracking and Concolic Execution (BASEC). BASEC uses sensitive flow tracking to discover backdoor behaviors, such as stealing secret information and injecting malicious data into the system, with fewer false negatives. With concolic execution along a predetermined path, the backdoor trigger condition can be extracted and analyzed with high accuracy. BASEC has been implemented and evaluated on several software backdoor samples widespread on the Internet, and over 90% of them can be detected. Compared with behavior-based and system-call-based detection methods, BASEC relies less on historical sample collections and is more effective in detecting software backdoors, especially those injected into software by modifying and recompiling its source code.
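
As an added illustration (not the paper's implementation), the following Python sketch replays a constructed instruction trace to show the two ideas the abstract combines: labels are propagated from sensitive sources (here a hypothetical "password" input) to sinks such as "send", and the branch predicates recorded along the path to the sink form the trigger condition that the concolic step would hand to an SMT solver. The trace format, source and sink names are assumptions for this example.

```python
from dataclasses import dataclass, field

SENSITIVE_SOURCES = {"password", "secret_key"}   # constructed source names
SINKS = {"send", "write_file"}                   # constructed sink names

@dataclass
class Finding:
    sink: str
    sources: set
    trigger: list = field(default_factory=list)

def analyze(trace):
    """Replay a trace of (op, *args) tuples and return sensitive flows reaching a sink."""
    taint = {}        # variable -> set of sensitive source names that reached it
    path_cond = []    # branch predicates seen on this path (candidate trigger condition)
    findings = []
    for ins in trace:
        op = ins[0]
        if op == "read":                        # ("read", dst, source)
            _, dst, src = ins
            taint[dst] = {src} if src in SENSITIVE_SOURCES else set()
        elif op == "assign":                    # ("assign", dst, src_var)
            _, dst, src = ins
            taint[dst] = set(taint.get(src, set()))
        elif op == "binop":                     # ("binop", dst, a, b), e.g. concat or xor
            _, dst, a, b = ins
            taint[dst] = taint.get(a, set()) | taint.get(b, set())
        elif op == "branch":                    # ("branch", var, cmp, const, taken)
            _, var, cmp, const, taken = ins
            pred = f"{var} {cmp} {const!r}"
            path_cond.append(pred if taken else f"not ({pred})")
        elif op in SINKS:                       # ("send", var) / ("write_file", var)
            _, var = ins
            if taint.get(var):
                findings.append(Finding(op, set(taint[var]), list(path_cond)))
    return findings

# Constructed trace: a magic username unlocks a branch that sends the password out.
TRACE = [
    ("read", "user", "stdin"),
    ("read", "pw", "password"),
    ("branch", "user", "==", "maint_7", True),
    ("binop", "buf", "user", "pw"),
    ("send", "buf"),
]

if __name__ == "__main__":
    for f in analyze(TRACE):
        print(f"{f.sink} leaks {sorted(f.sources)} when {' and '.join(f.trigger)}")
```

A real implementation would track taint at the instruction or byte level and keep the predicates symbolic so a solver such as Z3 can produce the triggering input; this sketch only records them as strings.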
