Attackers often take advantage of vulnerabilities in benign
software, and the authors of benign software must search their code
for bugs in hopes of finding vulnerabilities before they are
exploited.
But there has been little research on the converse question of whether
defenders can turn the tables by finding vulnerabilities in malware.
We provide a first affirmative answer to that question.
We introduce a new technique, stitched dynamic symbolic execution,
that makes it possible to use powerful exploration techniques based on
symbolic execution in the presence of functionalities that are common
in malware and otherwise hard to analyze, such as decryption and
checksums.
The technique is based on decomposing the constraints induced by a
program, solving only a subset, and then re-stitching the constraint
solution into a complete input.
We implement the approach in a system for x86 binaries, and apply it
to 4 families of bots and other malware.
We find 6 bugs that could be exploited by a network attacker to
terminate or subvert a broad range of malware client versions, and we
discuss the possible applications and ethical considerations of this
new capability.