52 research outputs found

    Use of Cryptography in Malware Obfuscation

    Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key are shipped within the program. In order to clearly define an obfuscation technique's potential to evade detection, we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinguishability and virtual black box obfuscation, may not guarantee evasion of detection under our model. However, they can be used in conjunction with environmental keying to produce hard-to-de-obfuscate versions of programs.

    Detection of Organics at Mars: How Wet Chemistry Onboard SAM Helps

    For the first time in the history of space exploration, a mission of interest to astrobiology could be able to analyze refractory organic compounds in the soil of Mars. Wet chemistry experiments allow organic components to be altered in such a way that improves their detection, either by releasing the compounds from sample matrices or by changing the chemical structure to be amenable to analytical conditions. The latter is particularly important when polar compounds are present. Sample Analysis at Mars (SAM), on the Curiosity rover of the Mars Science Laboratory mission, has onboard two wet chemistry experiments: derivatization and thermochemolysis. Here we report on the nature of the MTBSTFA derivatization experiment on SAM, the detection of MTBSTFA in initial SAM results, and the implications of this detection.

    SoK: Use of Cryptography in Malware Obfuscation

    We look at the use of cryptography to obfuscate malware. Most surveys on malware obfuscation only discuss simple encryption techniques (e.g., XOR encryption), which are easy to defeat (in principle), since the decryption algorithm and the key are shipped within the program. This SoK proposes a principled definition of malware obfuscation, and categorises instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. The SoK first examines easily detectable schemes such as string encryption, class encryption and XOR encoding, found in most obfuscated malware. It then details schemes that can be shown to be hard to break, such as the use of environmental keying. We also analyse formal cryptographic obfuscation, i.e., the notions of indistinguishability and virtual black box obfuscation, through the lens of our proposed model of malware obfuscation.

    Zoledronic acid renders human M1 and M2 macrophages susceptible to Vδ2(+) γδ T cell cytotoxicity in a perforin-dependent manner.

    Vδ2(+) T cells are a subpopulation of γδ T cells in humans that are cytotoxic towards cells which accumulate isopentenyl pyrophosphate. The nitrogen-containing bisphosphonate, zoledronic acid (ZA), can induce tumour cell lines to accumulate isopentenyl pyrophosphate, thus rendering them more susceptible to Vδ2(+) T cell cytotoxicity. However, little is known about whether ZA renders other, non-malignant cell types susceptible. In this study we focussed on macrophages (Mϕs), as these cells have been shown to take up ZA. We differentiated peripheral blood monocytes from healthy donors into Mϕs and then treated them with IFN-γ or IL-4 to generate M1 and M2 Mϕs, respectively. We characterised these Mϕs based on their phenotype and cytokine production and then tested whether ZA rendered them susceptible to Vδ2(+) T cell cytotoxicity. Consistent with the literature, IFN-γ-treated Mϕs expressed higher levels of the M1 markers CD64 and IL-12p70, whereas IL-4-treated Mϕs expressed higher levels of the M2 markers CD206 and chemokine (C-C motif) ligand 18. When treated with ZA, both M1 and M2 Mϕs became susceptible to Vδ2(+) T cell cytotoxicity. Vδ2(+) T cells expressed perforin and degranulated in response to ZA-treated Mϕs as shown by mobilisation of CD107a and CD107b to the cell surface. Furthermore, cytotoxicity towards ZA-treated Mϕs was sensitive, at least in part, to the perforin inhibitor concanamycin A. These findings suggest that ZA can render M1 and M2 Mϕs susceptible to Vδ2(+) T cell cytotoxicity in a perforin-dependent manner, which has important implications regarding the use of ZA in cancer immunotherapy.

    The Search for Nitrates on Mars by the Sample Analysis at Mars (SAM) Instrument

    Planetary models suggest that nitrogen was abundant in the early Martian atmosphere as N2 but it was lost by sputtering and photochemical loss to space, impact erosion, and chemical oxidation to nitrates. A nitrogen cycle may exist on Mars where nitrates, produced early in Mars' history, may have been later decomposed back into N2 by the current impact flux. Nitrates are a fundamental source of nitrogen for terrestrial microorganisms, and they have evolved metabolic pathways to perform both oxidation and reduction to drive a complete biological nitrogen cycle. Therefore, the characterization of nitrogen in Martian soils is important to assess habitability of the Martian environment, particularly with respect to the presence of nitrates. The only previous mission that was designed to search for soil nitrates was the Phoenix mission but N-containing species were not detected by TEGA or the MECA WCL. Nitrates have been tentatively identified in Nakhla meteorites, and if nitrogen was oxidized on Mars, this has important implications for the habitability potential of Mars. Here we report the results from the Sample Analysis at Mars (SAM) instrument suite aboard the Curiosity rover during the first year of surface operations in Gale Crater. Samples from the Rocknest aeolian deposit and sedimentary rocks (John Klein) were heated to approx. 835 °C under helium flow and the evolved gases were analyzed by MS and GC-MS. Two and possibly three peaks may be associated with the release of m/z 30 at temperatures ranging from 180 °C to 500 °C. M/z 30 has been tentatively identified as NO; other plausible contributions include CH2O and an isotopologue of CO, 12C18O. NO, CH2O, and CO may be reaction products of reagents (MTBSTFA/DMF) carried from Earth for the wet chemical derivatization experiments with SAM and/or derived from indigenous soil nitrogenated organics. Laboratory analyses indicate that it is also possible that <550 °C evolved NO is produced via reaction of HCl with nitrates arising from the decomposition of perchlorates. All sources of m/z 30, whether Martian or terrestrial, will be considered and their implications for Mars will be discussed.

    The Sample Analysis at Mars Investigation and Instrument Suite


    Search for organic molecules on Mars with the Gas Chromatograph-Mass Spectrometer of the Sample Analysis at Mars experiment onboard the MSL 2011 Curiosity rover

    In past times, life might have emerged under Martian conditions milder than the present ones, and left some remnants at the surface. Even if this did not happen, prebiotic molecules may have been preserved in the soil, and they might be similar to those that prevailed on the Earth's surface some 3.5 to 4 billion years ago. NASA's MSL2011 rover Curiosity will explore the surface and subsurface of Mars, seeking traces of prebiotic or biological activity. Organic signatures are among the main signatures of interest in this frame, and they will be among the main targets of the Gas Chromatograph Quadrupole Mass Spectrometer (GC-QMS) which constitutes the core of the Sample Analysis at Mars (SAM) analytical laboratory, developed by the NASA/GSFC in collaboration with the University of Paris (Fr) and the JPL. The main goal of this instrumentation is indeed to determine molecular abundances and isotopic ratios of organic molecules present in the collected samples, by analyzing gases either sampled from the atmosphere, or obtained from soil processing, either by physical heating or chemical reactions. In order to prepare for the interpretation of the data obtained in situ with the GC-QMS of SAM, and due to the complexity of this instrumentation, a number of calibrations are required to determine the exact behaviour of each part of this instrumentation, which is required to correctly treat the signal and obtain a correct interpretation of it. In order to prepare the treatment and interpretation of the SAM-GC in situ results, it is necessary: (1) to determine the instrument's ability to detect target molecules under the instrument operating conditions and (2) to create databases to help with the identification and quantification of the molecules that could be detected with SAM. With this aim we first selected molecules which might be analyzed with SAM-GC using the following criteria: (1) abundance at the Mars surface, (2) astrobiological interest, (3) formation during the sample preparation. Then we characterized these target molecules with laboratory instrumentation using discrete spare components of the GC flight model; in a second step, we used a SAM-GC spare model, in a vacuum chamber roughly reproducing the environmental conditions inside the Curiosity rover. A following step will be to carry out similar experiments with the whole SAM testbed located at the NASA/GSFC. This paper will present an overview of the analytical capabilities of the GC-QMS, with a focus on the GC part, relying on the calibration described previously. In addition, we will present analyses done on Atacama soil samples, a Mars soil analogue, to get an evaluation of the SAM GC performances with a natural sample.