    Code synchronization by morphological analysis

    Reverse-engineering malware code is a difficult task, usually full of the traps put in by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds common machine instructions between two programs and can display the correspondence instruction by instruction in IDA. Experiments were performed on many malware samples such as Stuxnet, Duqu, Sality or Waledac. We have rediscovered some of the links between Duqu and Stuxnet, and we point out OpenSSL's use within Waledac.

    Reverse engineering malicious programs is a difficult task, strewn with traps prepared by the malware developers. Since the quality of defense software depends greatly on the analysis made of the malware, it is necessary to provide analysts with automatic tools. We describe here a tool that synchronizes two binary programs that share similarities. Our tool finds common assembly instructions and displays the correspondences in IDA. Experiments were carried out on several malware samples such as Stuxnet, Duqu, Sality or Waledac. We rediscovered some of the links between Duqu and Stuxnet, as well as the use that Waledac makes of OpenSSL.

    Efficient Irregular Wavefront Propagation Algorithms on Hybrid CPU-GPU Machines

    In this paper, we address the problem of efficient execution of a computation pattern, referred to here as the irregular wavefront propagation pattern (IWPP), on hybrid systems with multiple CPUs and GPUs. The IWPP is common in several image processing operations. In the IWPP, data elements in the wavefront propagate waves to their neighboring elements on a grid if a propagation condition is satisfied. Elements receiving the propagated waves become part of the wavefront. This pattern results in irregular data accesses and computations. We develop and evaluate strategies for efficient computation and propagation of wavefronts using a multi-level queue structure. This queue structure improves the utilization of fast memories in a GPU and reduces synchronization overheads. We also develop a tile-based parallelization strategy to support execution on multiple CPUs and GPUs. We evaluate our approaches on a state-of-the-art GPU accelerated machine (equipped with 3 GPUs and 2 multicore CPUs) using the IWPP implementations of two widely used image processing operations: morphological reconstruction and Euclidean distance transform. Our results show significant performance improvements on GPUs. The use of multiple CPUs and GPUs cooperatively attains speedups of 50x and 85x with respect to single core CPU executions for morphological reconstruction and Euclidean distance transform, respectively. Comment: 37 pages, 16 figures.

    Cellular Classes in the Human Brain Revealed In Vivo by Heartbeat-Related Modulation of the Extracellular Action Potential Waveform

    Determining cell types is critical for understanding neural circuits but remains elusive in the living human brain. Current approaches discriminate units into putative cell classes using features of the extracellular action potential (EAP); in the absence of ground truth data, this remains a problematic procedure. We find that EAPs in deep structures of the brain exhibit robust and systematic variability during the cardiac cycle. These cardiac-related features refine neural classification. We use these features to link bio-realistic models generated from in vitro human whole-cell recordings of morphologically classified neurons to in vivo recordings. We differentiate aspiny inhibitory and spiny excitatory human hippocampal neurons and, in a second stage, demonstrate that cardiac-motion features reveal two types of spiny neurons with distinct intrinsic electrophysiological properties and phase-locking characteristics to endogenous oscillations. This multi-modal approach markedly improves cell classification in humans, offers interpretable cell classes, and is applicable to other brain areas and species.

    Odor-driven attractor dynamics in the antennal lobe allow for simple and rapid olfactory pattern classification

    The antennal lobe plays a central role for odor processing in insects, as demonstrated by electrophysiological and imaging experiments. Here we analyze the detailed temporal evolution of glomerular activity patterns in the antennal lobe of honeybees. We represent these spatiotemporal patterns as trajectories in a multidimensional space, where each dimension accounts for the activity of one glomerulus. Our data show that the trajectories reach odor-specific steady states (attractors) that correspond to stable activity patterns at about 1 second after stimulus onset. As revealed by a detailed mathematical investigation, the trajectories are characterized by different phases: response onset, steady-state plateau, response offset, and periods of spontaneous activity. An analysis based on support-vector machines quantifies the odor specificity of the attractors and the optimal time needed for odor discrimination. The results support the hypothesis of a spatial olfactory code in the antennal lobe and suggest a perceptron-like readout mechanism that is biologically implemented in a downstream network, such as the mushroom body

    On the Reverse Engineering of the Citadel Botnet

    Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to its complex structure and advanced anti-reverse-engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results show that the approach is promising for Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios. Comment: 10 pages, 17 figures. This is an updated / edited version of a paper that appeared in FPS 201

    Event Recognition Using Signal Spectrograms in Long Pulse Experiments

    As discharge duration increases, real-time complex analysis of the signal becomes more important. In this context, data acquisition and processing systems must provide models for designing experiments which use event-oriented plasma control. One example of advanced data analysis is signal classification. The off-line statistical analysis of a large number of discharges provides information to develop algorithms for the determination of the plasma parameters from measurements of magnetohydrodynamic waves, for example, to detect density fluctuations induced by the Alfvén cascades using morphological patterns. The need to apply different algorithms to the signals and to select different processing algorithms based on the previous results necessitates the use of an event-based experiment. The Intelligent Test and Measurement System platform is an example of an architecture designed to implement distributed data acquisition and real-time processing systems. The processing algorithm sequence is modeled using an event-based paradigm. The adaptive capacity of this model is based on the logic defined by the use of state machines in SCXML. The Intelligent Test and Measurement System platform mixes a local multiprocessing model with a distributed deployment of services based on Jini.