
    PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware

    PowerShell is nowadays a widely used technology for administering and managing Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious content. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it, showing the analyst the obfuscation steps employed. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.

    A Reduced Semantics for Deciding Trace Equivalence

    Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e., without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. Mödersheim et al. have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called APTE. We conducted complete benchmarks showing dramatic improvements. Comment: Accepted for publication in LMC

    Quantifying the benefits of SPECint distant parallelism in simultaneous multithreading architectures

    We exploit the existence of distant parallelism that future compilers could detect and characterise its performance under simultaneous multithreading architectures. By distant parallelism we mean parallelism that cannot be captured by the processor instruction window and that can produce threads suitable for parallel execution in a multithreaded processor. We show that distant parallelism can make wider-issue processors feasible by providing more instructions from the distant threads, thus better exploiting the processor's resources when speeding up single integer applications. We also investigate the necessity of out-of-order processors in the presence of multiple threads of the same program. It is important to notice at this point that the benefits described are totally orthogonal to any other architectural techniques targeting a single thread. Peer Reviewed. Postprint (published version

    Scalable discovery of hybrid process models in a cloud computing environment

    Process descriptions are used to create products and deliver services. To achieve better processes and services, the first step is to learn a process model. Process discovery is a technique which can automatically extract process models from event logs. Although various discovery techniques have been proposed, they focus on either constructing formal models, which are very powerful but complex, or creating informal models, which are intuitive but lack semantics. In this work, we introduce a novel method that returns hybrid process models to bridge this gap. Moreover, to cope with today's big event logs, we propose an efficient method, called f-HMD, which aims at scalable hybrid model discovery in a cloud computing environment. We present the detailed implementation of our approach over the Spark framework, and our experimental results demonstrate that the proposed method is efficient and scalable.

    A reduced semantics for deciding trace equivalence using constraint systems

    Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e., without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. Mödersheim et al. have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimization in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. Comment: Accepted for publication at POST'1

    The Penn Jerboa: A Platform for Exploring Parallel Composition of Templates

    We have built a 12DOF, passive-compliant legged, tailed biped actuated by four brushless DC motors. We anticipate that this machine will achieve varied modes of quasistatic and dynamic balance, enabling a broad range of locomotion tasks including sitting, standing, walking, hopping, running, turning, leaping, and more. Achieving this diversity of behavior with a single under-actuated body requires a correspondingly diverse array of controllers, motivating our interest in compositional techniques that promote mixing and reuse of relatively few base constituents to achieve a combinatorially growing array of available choices. Here we report on the development of one important example of such a behavioral programming method: the construction of a novel monopedal sagittal-plane hopping gait through parallel composition of four decoupled 1DOF base controllers. For this example behavior, the legs are locked in phase and the body is fastened to a boom to restrict motion to the sagittal plane. The platform's locomotion is powered by the hip motor, which adjusts leg touchdown angle in flight and balance in stance, along with a tail motor that adjusts body shape in flight and drives energy into the passive leg shank spring during stance. The motor control signals arise from the parallel application of four simple, completely decoupled 1DOF feedback laws that provably stabilize, in isolation, four corresponding 1DOF abstract reference plants. Each of these abstract 1DOF closed-loop dynamics represents some simple but crucial component of the locomotion task at hand. We present a partial proof of correctness for this parallel composition of template reference systems, along with data from the physical platform suggesting that these templates are anchored, as evidenced by the correspondence of their characteristic motions with a suitably transformed image of traces from the physical platform. Comment: Technical Report to Accompany: A. De and D. Koditschek, "Parallel composition of templates for tail-energized planar hopping," in 2015 IEEE International Conference on Robotics and Automation (ICRA), May 2015. v2: Used plain latex article, correct gap radius and specific force/torque number