Understanding Linux Malware

Cozzi, Emanuele; Graziano, Mariano; Fratantonio, Yanick; Balzarotti, Davide

doi:10.1109/sp.2018.00054

Cited by 141 publications

(101 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is consistent with the study of Cozzi et al[11] that showed that in the 10 548 Linux malware they studied, only 0.24 % of them tried to detect if they were in a virtualized environment.…”

supporting

confidence: 91%

Survivor

Chevalier

Plaquin

Dalton

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privileges removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers to reinfect the system or to achieve their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that while the service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In terms of performance overhead, in most cases, we observed a small overhead, except in the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead. CCS CONCEPTS• Security and privacy → Operating systems security; Malware and its mitigation.

show abstract

supporting

confidence: 91%

Survivor

Chevalier

Plaquin

Dalton

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…In contrast, an analysis that can disclose most true (indirect) call edges and have a low chance of missing some may be more useful in practice. Malware behavior analysis [Cozzi et al 2018] aims to understand hidden payloads of malware samples by reporting the system calls performed by the samples and the corresponding concrete arguments of these system calls (e.g., file delete system call with directory argument ł/homež). Missing a few dependences (by chance) may not critically impact the generated behavior report whereas having a large number of bogus dependences would lead to substantial false positives, significantly enlarging the human inspection efforts.…”

Section: Introductionmentioning

confidence: 99%

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

Zhang

You

Tao

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Binary program dependence analysis determines dependence between instructions and hence is important for many applications that have to deal with executables without any symbol information. A key challenge is to identify if multiple memory read/write instructions access the same memory location. The state-of-the-art solution is the value set analysis (VSA) that uses abstract interpretation to determine the set of addresses that are possibly accessed by memory instructions. However, VSA is conservative and hence leads to a large number of bogus dependences and then substantial false positives in downstream analyses such as malware behavior analysis. Furthermore, existing public VSA implementations have difficulty scaling to complex binaries. In this paper, we propose a new binary dependence analysis called BDA enabled by a randomized abstract interpretation technique. It features a novel whole program path sampling algorithm that is not biased by path length, and a per-path abstract interpretation avoiding precision loss caused by merging paths in traditional analyses. It also provides probabilistic guarantees. Our evaluation on SPECINT2000 programs shows that it can handle complex binaries such as gcc whereas VSA implementations from the-state-of-art platforms have difficulty producing results for many SPEC binaries. In addition, the dependences reported by BDA are 75 and 6 times smaller than Alto, a scalable binary dependence analysis tool, and VSA, respectively, with only 0.19% of true dependences observed during dynamic execution missed (by BDA). Applying BDA to call graph generation and malware analysis shows that BDA substantially supersedes the commercial tool IDA in recovering indirect call targets and outperforms a state-of-the-art malware analysis tool Cuckoo by disclosing 3 times more hidden payloads. CCS Concepts: • Security and privacy → Software reverse engineering; • Software and its engineering → Interpreters; Automated static analysis.

show abstract

“…We have compiled our malware source codes into ARM (Version 5, Little Endian) and MIPS (R3000, Little Endian) binaries and used these binaries in our test suite. Other commonly used architectures for IoT malware include x86-64, PowerPC and Motorola 68000 [9], and we plan to evaluate these platforms in the future.…”

Section: Limitations and Future Workmentioning

confidence: 99%

2019 International Conference on Cyber Security for Emerging Technologies (CSET)

2019

View full text Add to dashboard Cite

Defending against the threat of IoT malware will require new techniques and tools. An important security capability, that precedes a number of security analyses, is the ability to reverse engineer IoT malware binaries effectively. A key question is whether PC-oriented disassemblers can be effective on IoT malware, given the difference in the malware programs and the processors that support them. In this paper, we develop a systematic approach and a tool for evaluating the effectiveness of disassemblers on IoT malware binaries. The key components of the approach are: (a) we find the source code for 20 real-world malware programs, (b) we compile them to form a test set of 240 binaries using various compiler optimization options, device architectures, and considering both stripped and unstripped versions of the binaries, and (c) we establish the ground-truth for all these binaries for six disassembly accuracy metrics, such as the percentage of correctly disassembled instructions, and the accuracy of the control flow graph. Overall, we find that IDA Pro performs well for unstripped binaries with a precision and recall accuracy of over 85% for all the metrics. However, IDA Pro's performance deteriorates significantly with stripped binaries, mainly because the recall accuracy of identifying the start of functions drops to around 60% for both platforms. The results for the stripped ARM and MIPS binaries are similar to stripped x86 binaries in [2]. Interestingly, we find that most compiler optimization options, except the -O3 option for the MIPS architecture, do not cause any noticeable effect in the accuracy. We view our approach as an important capability for assessing and improving reverse engineering tools focusing on IoT malware.

show abstract

Understanding Linux Malware

Cited by 141 publications

References 12 publications

Survivor

Survivor

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

2019 International Conference on Cyber Security for Emerging Technologies (CSET)

Contact Info

Product

Resources

About