BitScope
The ability to automatically dissect a malicious binary and extract
information from it is an important cornerstone for system forensic
analysis and system defense. Malicious binaries, also called malware,
include denial of service attack tools, spamming systems, worms, and
botnets. New malware samples are uncovered daily through widely
deployed honeypots/honeyfarms, forensic analysis of compromised
systems, and through underground channels. As a result of the
break-neck speed of malware development and recovery, automated
analysis of malicious programs has become necessary in order to create
effective defenses. Malware analysis is needed for creating signatures
for subsequent malware detection, for detecting scams, and in general
for "knowing thy enemy".
Automatic dissection of malicious binaries, however, is a challenging
task. There is no source code available, and to make things worse, the
binary could be packed or obfuscated to evade purely static binary
analysis. There may be different behavior embedded in the malicious
binary which will only be activated under certain conditions such as
receiving a command from the network. Regardless of the type of
malware, there are common high-level questions we would like to
answer, such as:
- What actions may the malware perform, and what is the control flow
  between potential actions? For example, does the malware write or
  delete files, does it send out network packets, and does it accept
  remote commands?
- How do we run the malware to uncover its behavior? Since malware
  typically does not come with a user manual, it may be difficult to
  derive inputs which cause embedded behavior to be activated. For
  example, a malware sample may immediately exit if a particular
  registry key is absent.
- How do inputs and outputs relate? For example, a DDoS client may
  create a packet which in part depends upon the attacker's input and
  is in part constant.
We propose a system, called BitScope, to perform automatic malware
dissection. BitScope takes as input a malicious binary, and outputs
information about execution paths. This information is then used by
supplemental analyses designed to answer specific questions, such as
what behavior the malware exhibits, what inputs activate interesting
behavior, and what dependencies exist between inputs and outputs. BitScope
dissection is not performed by executing the malware with different
concrete input values. Instead, BitScope abstracts away specific
concrete inputs by executing the program on symbolic inputs which
simultaneously capture a multitude of different inputs to the
program. Executing with symbolic inputs allows us to reason about code
paths without constraining the analysis to a particular input value.
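To make the idea of symbolic inputs concrete, the following is an added example (not BitScope's own code, and not derived from any real sample): a toy instruction set, a constructed "malware" program in it that exits unless a registry value is present and then dispatches on a network command byte, a small symbolic executor that forks at every branch and records path constraints, and a minimal solver that turns those constraints back into concrete trigger inputs. The instruction set, the program, and the equality/inequality-only constraint language are all assumptions chosen to keep the example self-contained; a BitScope-style system works on x86 binaries and uses a real decision procedure.

```python
"""Toy symbolic execution over a constructed program (added example, not BitScope code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Path constraints over symbolic input bytes: (variable, "==" or "!=", constant).
Constraint = Tuple[str, str, int]


@dataclass
class Path:
    pc: int = 0
    regs: Dict[str, str] = field(default_factory=dict)      # register -> symbolic var
    constraints: List[Constraint] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# Constructed toy "malware" in a four-instruction language (hypothetical, not a real sample):
#   ("input", r)            read one untrusted byte into register r (kept symbolic)
#   ("jeq", r, c, target)   jump to target if r == c
#   ("act", name)           an observable action (file write, packet send, ...)
#   ("exit",)
TOY_MALWARE = [
    ("input", "key"),                 # 0: value of a registry key it looks up
    ("jeq", "key", 1, 3),             # 1: continue only if the key is present
    ("exit",),                        # 2: otherwise exit immediately
    ("input", "cmd"),                 # 3: command byte received from the network
    ("jeq", "cmd", 0x41, 8),          # 4: 'A' -> flood
    ("jeq", "cmd", 0x42, 10),         # 5: 'B' -> delete files
    ("act", "sleep"),                 # 6: unknown command: idle
    ("exit",),                        # 7
    ("act", "send_flood_packets"),    # 8
    ("exit",),                        # 9
    ("act", "delete_files"),          # 10
    ("exit",),                        # 11
]


def solve(constraints: List[Constraint]) -> Optional[Dict[str, int]]:
    """Return concrete byte values satisfying every constraint, or None if infeasible.
    Only ==/!= against constants occur here, so a hand-written solver suffices."""
    eq: Dict[str, set] = {}
    ne: Dict[str, set] = {}
    for var, op, c in constraints:
        (eq if op == "==" else ne).setdefault(var, set()).add(c)
    model: Dict[str, int] = {}
    for var in set(eq) | set(ne):
        if len(eq.get(var, ())) > 1:            # x==1 and x==2: infeasible
            return None
        if var in eq:
            (v,) = eq[var]
            if v in ne.get(var, ()):            # x==1 and x!=1: infeasible
                return None
            model[var] = v
        else:
            free = [v for v in range(256) if v not in ne.get(var, ())]
            if not free:
                return None
            model[var] = free[0]
    return model


def explore(program) -> List[Path]:
    """Symbolically execute every feasible path. Inputs stay symbolic, so one
    exploration covers all 256 values of each input byte instead of one of them."""
    done: List[Path] = []
    work = [Path()]
    while work:
        p = work.pop()
        if solve(p.constraints) is None:        # prune paths no input can reach
            continue
        ins = program[p.pc]
        if ins[0] == "input":
            p.regs[ins[1]] = ins[1]             # symbolic variable named after the register
            p.pc += 1
            work.append(p)
        elif ins[0] == "jeq":
            _, r, c, target = ins
            var = p.regs[r]
            taken = Path(target, dict(p.regs), p.constraints + [(var, "==", c)], list(p.actions))
            fallthrough = Path(p.pc + 1, dict(p.regs), p.constraints + [(var, "!=", c)], list(p.actions))
            work += [taken, fallthrough]
        elif ins[0] == "act":
            p.actions.append(ins[1])
            p.pc += 1
            work.append(p)
        elif ins[0] == "exit":
            done.append(p)
    return done


def triggers_for(program, action: str) -> Optional[Dict[str, int]]:
    """Concrete input that activates `action`, derived from a path's constraints."""
    for p in explore(program):
        if action in p.actions:
            return solve(p.constraints)
    return None


def run_concrete(program, inputs: Dict[str, int]) -> List[str]:
    """Ordinary concrete interpreter, used to confirm that a derived trigger really works."""
    regs, pc, actions = {}, 0, []
    while True:
        ins = program[pc]
        if ins[0] == "input":
            regs[ins[1]] = inputs[ins[1]]
            pc += 1
        elif ins[0] == "jeq":
            pc = ins[3] if regs[ins[1]] == ins[2] else pc + 1
        elif ins[0] == "act":
            actions.append(ins[1])
            pc += 1
        else:
            return actions


if __name__ == "__main__":
    for path in explore(TOY_MALWARE):
        print(path.actions or ["<exit>"], "<-", solve(path.constraints))
```

Running the block lists the four feasible paths with one concrete input each; the path reaching `delete_files` is explained entirely by its constraints (`key == 1`, `cmd != 0x41`, `cmd == 0x42`), which is the input/behavior relation the questions above ask for, and `run_concrete` replays the solved input to confirm it. The pruning in `explore` is what keeps path explosion in check: a path whose constraints conflict is dropped before it is extended.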
- Automatically Identifying Trigger-based Behavior in Malware.
  David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Dawn Song,
  and Heng Yin. Book chapter in "Botnet Analysis", Editors W. Lee, et al.,
  2007.
- BitScope: Automatically Dissecting Malicious Binaries.
  David Brumley, Cody Hartwig, Min Gyung Kang, Zhenkai Liang, James
  Newsome, Pongsin Poosankam, Dawn Song, and Heng Yin. Technical Report
  CMU-CS-07-133, School of Computer Science, Carnegie Mellon University,
  March 18, 2007.