Understanding and Measuring Inter-Process Code Injection in Windows Malware

Malware aims to stay undetected for as long as possible. One common method for avoiding or delaying detection is the use of code injection, by which a malicious process injects code into another running application. Despite code injection being known as one of the main features of today’s malware, it is often overlooked and no prior research performed a comprehensive study to fundamentally understand and measure code injection in Windows malware. In this paper, we conduct a systematic study of code injection techniques and propose the first taxonomy to group these methods into classes based on common traits. Then, we leverage our taxonomy to implement models of the studied techniques and collect empirical evidence for the prevalence of each specific technique in the malware scene. Finally, we perform a large-scale, longitudinal measurement of the adoption of code injection, highlighting that at least 9.1% of Windows malware between 2017 and 2021 performs code injection. Our systematization and results show that Process Hollowing is the most commonly used technique across different malware families, but, more importantly, this trend is shifting towards other, less traditional methods. We conclude with takeaways that impact how future malware research should be conducted. Without comprehensively accounting for code injection and modeling emerging techniques, future studies based on dynamic analysis are bound to limited observations

解析回避機能を持つマルウェアの解析手法: テイント伝播によるアプローチ

早大学位記番号:新8140早稲田大

Formalization and Detection of Host-Based Code Injection Attacks in the Context of Malware

The Host-Based Code Injection Attack (HBCIAs) is a technique that malicious software utilizes in order to avoid detection or steal sensitive information. In a nutshell, this is a local attack where code is injected across process boundaries and executed in the context of a victim process. Malware employs HBCIAs on several operating systems including Windows, Linux, and macOS. This thesis investigates the topic of HBCIAs in the context of malware. First, we conduct basic research on this topic. We formalize HBCIAs in the context of malware and show in several measurements, amongst others, the high prevelance of HBCIA-utilizing malware. Second, we present Bee Master, a platform-independent approach to dynamically detect HBCIAs. This approach applies the honeypot paradigm to operating system processes. Bee Master deploys fake processes as honeypots, which are attacked by malicious software. We show that Bee Master reliably detects HBCIAs on Windows and Linux. Third, we present Quincy, a machine learning-based system to detect HBCIAs in post-mortem memory dumps. It utilizes up to 38 features including memory region sparseness, memory region protection, and the occurence of HBCIA-related strings. We evaluate Quincy with two contemporary detection systems called Malfind and Hollowfind. This evaluation shows that Quincy outperforms them both. It is able to increase the detection performance by more than eight percent

The Taint Rabbit: Optimizing Generic Taint Analysis with Dynamic Fast Path Generation

Generic taint analysis is a pivotal technique in software security. However, it suffers from staggeringly high overhead. In this paper, we explore the hypothesis whether just-in-time (JIT) generation of fast paths for tracking taint can enhance the performance. To this end, we present the Taint Rabbit, which supports highly customizable user-defined taint policies and combines a JIT with fast context switching. Our experimental results suggest that this combination outperforms notable existing implementations of generic taint analysis and bridges the performance gap to specialized trackers. For instance, Dytan incurs an average overhead of 237x, while the Taint Rabbit achieves 1.7x on the same set of benchmarks. This compares favorably to the 1.5x overhead delivered by the bitwise, non-generic, taint engine LibDFT

Reinforcing the weakest link in cyber security: securing systems and software against attacks targeting unwary users

Unwary computer users are often blamed as the weakest link on the security chain, for unknowingly facilitating incoming cyber attacks and jeopardizing the efforts to secure systems and networks. However, in my opinion, average users should not bear the blame because of their lack of expertise to predict the security consequence of every action they perform, such as browsing a webpage, downloading software to their computers, or installing an application to their mobile devices. My thesis work aims to secure software and systems by reducing or eliminating the chances where users’ mere action can unintentionally enable external exploits and attacks. In achieving this goal, I follow two complementary paths: (i) building runtime monitors to identify and interrupt the attack-triggering user actions; (ii) designing offline detectors for the software vulnerabilities that allow for such actions. To maximize the impact, I focus on securing software that either serve the largest number of users (e.g. web browsers) or experience the fastest user growth (e.g. smartphone apps), despite the platform distinctions. I have addressed the two dominant attacks through which most malicious software (a.k.a. malware) infections happen on the web: drive-by download and rogue websites. BLADE, an OS kernel extension, infers user intent through OS-level events and prevents the execution of download files that cannot be attributed to any user intent. Operating as a browser extension and identifying malicious post-search redirections, SURF protects search engine users from falling into the trap of poisoned search results that lead to fraudulent websites. In the infancy of security problems on mobile devices, I built Dalysis, the first comprehensive static program analysis framework for vetting Android apps in bytecode form. Based on Dalysis, CHEX detects the component hijacking vulnerability in large volumes of apps. My thesis as a whole explores, realizes, and evaluates a new perspective of securing software and system, which limits or avoids the unwanted security consequences caused by unwary users. It shows that, with the proposed approaches, software can be reasonably well protected against attacks targeting its unwary users. The knowledge and insights gained throughout the course of developing the thesis have advanced the community’s awareness of the threats and the increasing importance of considering unwary users when designing and securing systems. Each work included in this thesis has yielded at least one practical threat mitigation system. Evaluated by the large-scale real-world experiments, these systems have demonstrated the effectiveness at thwarting the security threats faced by most unwary users today. The threats addressed by this thesis have span multiple computing platforms, such as desktop operating systems, the Web, and smartphone devices, which highlight the broad impact of the thesis.Ph.D

On the malware detection problem : challenges and novel approaches

Orientador: André Ricardo Abed GrégioCoorientador: Paulo Lício de GeusTese (doutorado) - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defesa : Curitiba,Inclui referênciasÁrea de concentração: Ciência da ComputaçãoResumo: Software Malicioso (malware) é uma das maiores ameaças aos sistemas computacionais atuais, causando danos à imagem de indivíduos e corporações, portanto requerendo o desenvolvimento de soluções de detecção para prevenir que exemplares de malware causem danos e para permitir o uso seguro dos sistemas. Diversas iniciativas e soluções foram propostas ao longo do tempo para detectar exemplares de malware, de Anti-Vírus (AVs) a sandboxes, mas a detecção de malware de forma efetiva e eficiente ainda se mantém como um problema em aberto. Portanto, neste trabalho, me proponho a investigar alguns desafios, falácias e consequências das pesquisas em detecção de malware de modo a contribuir para o aumento da capacidade de detecção das soluções de segurança. Mais especificamente, proponho uma nova abordagem para o desenvolvimento de experimentos com malware de modo prático mas ainda científico e utilizo-me desta abordagem para investigar quatro questões relacionadas a pesquisa em detecção de malware: (i) a necessidade de se entender o contexto das infecções para permitir a detecção de ameaças em diferentes cenários; (ii) a necessidade de se desenvolver melhores métricas para a avaliação de soluções antivírus; (iii) a viabilidade de soluções com colaboração entre hardware e software para a detecção de malware de forma mais eficiente; (iv) a necessidade de predizer a ocorrência de novas ameaças de modo a permitir a resposta à incidentes de segurança de forma mais rápida.Abstract: Malware is a major threat to most current computer systems, causing image damages and financial losses to individuals and corporations, thus requiring the development of detection solutions to prevent malware to cause harm and allow safe computers usage. Many initiatives and solutions to detect malware have been proposed over time, from AntiViruses (AVs) to sandboxes, but effective and efficient malware detection remains as a still open problem. Therefore, in this work, I propose taking a look on some malware detection challenges, pitfalls and consequences to contribute towards increasing malware detection system's capabilities. More specifically, I propose a new approach to tackle malware research experiments in a practical but still scientific manner and leverage this approach to investigate four issues: (i) the need for understanding context to allow proper detection of localized threats; (ii) the need for developing better metrics for AV solutions evaluation; (iii) the feasibility of leveraging hardware-software collaboration for efficient AV implementation; and (iv) the need for predicting future threats to allow faster incident responses

Securing emerging IoT systems through systematic analysis and design

The Internet of Things (IoT) is growing very rapidly. A variety of IoT systems have been developed and employed in many domains such as smart home, smart city and industrial control, providing great benefits to our everyday lives. However, as IoT becomes increasingly prevalent and complicated, it is also introducing new attack surfaces and security challenges. We are seeing numerous IoT attacks exploiting the vulnerabilities in IoT systems everyday. Security vulnerabilities may manifest at different layers of the IoT stack. There is no single security solution that can work for the whole ecosystem. In this dissertation, we explore the limitations of emerging IoT systems at different layers and develop techniques and systems to make them more secure. More specifically, we focus on three of the most important layers: the user rule layer, the application layer and the device layer. First, on the user rule layer, we characterize the potential vulnerabilities introduced by the interaction of user-defined automation rules. We introduce iRuler, a static analysis system that uses model checking to detect inter-rule vulnerabilities that exist within trigger-action platforms such as IFTTT in an IoT deployment. Second, on the application layer, we design and build ProvThings, a system that instruments IoT apps to generate data provenance that provides a holistic explanation of system activities, including malicious behaviors. Lastly, on the device layer, we develop ProvDetector and SplitBrain to detect malicious processes using kernel-level provenance tracking and analysis. ProvDetector is a centralized approach that collects all the audit data from the clients and performs detection on the server. SplitBrain extends ProvDetector with collaborative learning, where the clients collaboratively build the detection model and performs detection on the client device

Automated Security Analysis of Web Application Technologies

TheWeb today is a complex universe of pages and applications teeming with interactive content that we use for commercial and social purposes. Accordingly, the security of Web applications has become a concern of utmost importance. Devising automated methods to help developers to spot security flaws and thereby make the Web safer is a challenging but vital area of research. In this thesis, we leverage static analysis methods to automatically discover vulnerabilities in programs written in JavaScript or PHP. While JavaScript is the number one language fueling the client-side logic of virtually every Web application, PHP is the most widespread language on the server side. In the first part, we use a series of program transformations and information flow analysis to examine the JavaScript Helios voting client. Helios is a stateof- the-art voting system that has been exhaustively analyzed by the security community on a conceptual level and whose implementation is claimed to be highly secure. We expose two severe and so far undiscovered vulnerabilities. In the second part, we present a framework allowing developers to analyze PHP code for vulnerabilities that can be freely modeled. To do so, we build socalled code property graphs for PHP and import them into a graph database. Vulnerabilities can then be modeled as appropriate database queries. We show how to model common vulnerabilities and evaluate our framework in a large-scale study, spotting hundreds of vulnerabilities.DasWeb hat sich zu einem komplexen Netz aus hochinteraktiven Seiten und Anwendungen entwickelt, welches wir täglich zu kommerziellen und sozialen Zwecken einsetzen. Dementsprechend ist die Sicherheit von Webanwendungen von höchster Relevanz. Das automatisierte Auffinden von Sicherheitslücken ist ein anspruchsvolles, aber wichtiges Forschungsgebiet mit dem Ziel, Entwickler zu unterstützen und das Web sicherer zu machen. In dieser Arbeit nutzen wir statische Analysemethoden, um automatisiert Lücken in JavaScript- und PHP-Programmen zu entdecken. JavaScript ist clientseitig die wichtigste Sprache des Webs, während PHP auf der Serverseite am weitesten verbreitet ist. Im ersten Teil nutzen wir eine Reihe von Programmtransformationen und Informationsflussanalyse, um den JavaScript HeliosWahl-Client zu untersuchen. Helios ist ein modernesWahlsystem, welches auf konzeptueller Ebene eingehend analysiert wurde und dessen Implementierung als sehr sicher gilt. Wir enthüllen zwei schwere und bis dato unentdeckte Sicherheitslücken. Im zweiten Teil präsentieren wir ein Framework, das es Entwicklern ermöglicht, PHP Code auf frei modellierbare Schwachstellen zu untersuchen. Zu diesem Zweck konstruieren wir sogenannte Code-Property-Graphen und importieren diese anschließend in eine Graphdatenbank. Schwachstellen können nun als geeignete Datenbankanfragen formuliert werden. Wir zeigen, wie wir herkömmliche Schwachstellen modellieren können und evaluieren unser Framework in einer groß angelegten Studie, in der wir hunderte Sicherheitslücken identifizieren.CISP

Computer Aided Verification

This open access two-volume set LNCS 13371 and 13372 constitutes the refereed proceedings of the 34rd International Conference on Computer Aided Verification, CAV 2022, which was held in Haifa, Israel, in August 2022. The 40 full papers presented together with 9 tool papers and 2 case studies were carefully reviewed and selected from 209 submissions. The papers were organized in the following topical sections: Part I: Invited papers; formal methods for probabilistic programs; formal methods for neural networks; software Verification and model checking; hyperproperties and security; formal methods for hardware, cyber-physical, and hybrid systems. Part II: Probabilistic techniques; automata and logic; deductive verification and decision procedures; machine learning; synthesis and concurrency. This is an open access book