2006 - Whole-system Fine-grained Taint Analysis for Automatic Malware Detection and Analysis
Authors
H Yin
Goals
Problem
Traditional malware detection
Watch point based detection
Monitor specific points in the computer system
Detect malware code based on heuristics
Need to know which detection point should be watched and what behavior should be monitored
Malware is able to evade previously identified detection points, e.g. malware operating at kernel level avoids detection points that monitor userland system/API calls
Signature based detection
Unable to detect new malware due to lack of signature
Information
Conclusion
Approach
TaintQemu
Dynamic Taint Analysis
Taint source: hardware, e.g. keyboard, network interface, disk. Keystroke tainting, for example, taints bytes as they are read from the virtual keyboard
Taint propagation
Arithmetic operation
Tainted only if any byte of operand is tainted
Data movement operation
Tainted only if source is tainted
Situation when propagation rule fails
Table lookup
When a tainted value is used as an index to read an entry from a table, the result is tainted.
To prevent over-tainting, limit the maximum table-lookup depth a tainted value may have
Control flow evasion
Propagating to I/O devices
Taint may also propagate to I/O devices
Constant function
Instructions or instruction sets that always have the same result
Code origin resolution
Need to know from which module an instruction interacting with tainted data originated
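The propagation rules above (arithmetic, data movement, table lookup with a depth cap), carried through on a toy byte-level shadow memory. This is an added illustration, not TaintQemu code; the cap value, the tag layout and the keystroke sample are constructed.

```python
MAX_LOOKUP_DEPTH = 2  # assumed cap on chained lookups (the paper caps depth; the value here is ours)

class TaintMemory:
    """Toy shadow memory: each byte may carry a taint tag (source, lookup_depth)."""
    def __init__(self):
        self.data, self.shadow = {}, {}   # addr -> byte value; addr -> tag (absent = clean)
    def write_input(self, addr, data, source):
        # Taint source: bytes arriving from a virtual device (keyboard, NIC, disk)
        for i, b in enumerate(data):
            self.data[addr + i], self.shadow[addr + i] = b, (source, 0)
    def tags(self, addr, n=1):  # taint tags carried by the n bytes starting at addr
        return [self.shadow[a] for a in range(addr, addr + n) if a in self.shadow]
    def load(self, addr, n):  # unset bytes read as 0
        return int.from_bytes(bytes(self.data.get(addr + i, 0) for i in range(n)), "little")
    def store(self, addr, n, value, tag):  # tag=None clears taint on those bytes
        for i, b in enumerate(value.to_bytes(n, "little")):
            self.data[addr + i] = b
            if tag is None:
                self.shadow.pop(addr + i, None)
            else:
                self.shadow[addr + i] = tag
    def move(self, dst, src, n):
        # Data movement: destination bytes tainted only if the source bytes are
        for i in range(n):
            self.store(dst + i, 1, self.data.get(src + i, 0), self.shadow.get(src + i))
    def add(self, dst, a, b, n):
        # Arithmetic: result tainted if any byte of either operand is tainted
        tag = (self.tags(a, n) + self.tags(b, n) or [None])[0]
        self.store(dst, n, (self.load(a, n) + self.load(b, n)) & ((1 << 8 * n) - 1), tag)
    def table_lookup(self, dst, table, index_addr, n):
        # Table lookup: a tainted index taints the entry read, until the chain of
        # lookups behind the index reaches MAX_LOOKUP_DEPTH (curbs over-tainting)
        entry_addr = table + self.load(index_addr, n) * n
        tag = (self.tags(entry_addr, n) or [None])[0]   # entry itself already tainted?
        itag = (self.tags(index_addr, n) or [None])[0]
        if tag is None and itag is not None and itag[1] < MAX_LOOKUP_DEPTH:
            tag = (itag[0], itag[1] + 1)
        self.store(dst, n, self.load(entry_addr, n), tag)

def demo():
    m = TaintMemory()
    m.write_input(0x100, b"pw", "keyboard")   # constructed keystrokes, 2 bytes
    for i in range(256): m.store(0x1000 + i, 1, i ^ 0x5A, None)  # clean substitution table
    m.move(0x200, 0x100, 1)                   # copy first keystroke
    m.add(0x300, 0x200, 0x400, 1)             # add an untainted byte (0x400 is clean)
    m.table_lookup(0x500, 0x1000, 0x300, 1)   # lookup depth 1
    m.table_lookup(0x600, 0x1000, 0x500, 1)   # lookup depth 2 (the cap)
    m.table_lookup(0x700, 0x1000, 0x600, 1)   # would be depth 3: taint dropped
    return {a: m.tags(a) for a in (0x200, 0x300, 0x500, 0x600, 0x700)}
```

Running `demo()` shows the keystroke taint surviving the move, the add and two chained lookups, then being dropped at the third lookup once the depth cap is reached.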
QEMU
Good emulation speed using Dynamic Translation
Splits target instruction
Data movement operations
Arithmetic operations
Neither
OS > Windows 2000
Taint graph
How data is propagated during system execution
Usage
Basis for policy engine
Learning patterns by observing taint graphs of benign executions
Basis for further analysis of malware behavior.
Nodes: hardware input, output, instructions
Edge: Taint propagation relationship
Optimization
A short-duration execution could result in a taint graph of gigabyte size
Abstracting away certain detailed information and representing the taint graph at different levels of granularity
Whole-system fine-grained taint tracking
Monitor whole-system
Malware unable to evade as in watch point detection
Generate taint graphs
Malware detection and analysis
Malware trait
Malware is inclined to monitor, intercept, and modify data not intended for the malware
Malware accesses information in an eccentric way
Taint graph analysis
Presents
Process and module level information
Dependency and relations between nodes
Given any event of interest such as a node causing the detection of a malicious behavior
Backwards and forwards reachability analysis
Backwards reachability analysis
Traces back to where the malware was downloaded and installed, and reveals what other actions the malware performed before the detection step
Forwards reachability analysis
What other actions and consequences this malicious behavior has led to
What is
Contribution
A novel approach for malware detection and analysis
Features
Does not rely on signatures and thus can detect new attacks
Prevents malware from evading detection by avoiding previously identified watch points