TY - GEN
T1 - Trace-based analysis of memory corruption malware attacks
AU - Xu, Zhixing
AU - Gupta, Aarti
AU - Malik, Sharad
N1 - Funding Information:
This work was supported in part by SONIC (one of the six SRC STARnet centers, sponsored by MARCO and DARPA) and NSF Grant 1525936. Any opinions, findings, and conclusions presented here are those of the authors and do not necessarily reflect those of SONIC or NSF.
Publisher Copyright:
© Springer International Publishing AG 2017.
PY - 2017
Y1 - 2017
N2 - Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that uses memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies the memory segments specific to the malware attack and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to (i) perform diagnosis by identifying the program location of both the code corruption (e.g., the buffer overflow location) and the attack execution (e.g., the control-flow transfer to the payload), and (ii) recognize the characteristics of different attacks.
AB - Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that uses memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies the memory segments specific to the malware attack and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to (i) perform diagnosis by identifying the program location of both the code corruption (e.g., the buffer overflow location) and the attack execution (e.g., the control-flow transfer to the payload), and (ii) recognize the characteristics of different attacks.
UR - http://www.scopus.com/inward/record.url?scp=85034618678&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85034618678&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-70389-3_5
DO - 10.1007/978-3-319-70389-3_5
M3 - Conference contribution
AN - SCOPUS:85034618678
SN - 9783319703886
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 67
EP - 82
BT - Hardware and Software
A2 - Tzoref-Brill, Rachel
A2 - Strichman, Ofer
PB - Springer Verlag
T2 - 13th International Haifa Verification Conference, HVC 2017
Y2 - 13 November 2017 through 15 November 2017
ER -
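The abstract describes the core idea: diff the memory-write traces of a benign and a malicious run of the same program, treat the memory written only in the malicious run as attack-specific, and map those writes back to the source location that produced them. The C program below is an added illustration of that trace-differencing step and is not code from the paper or the RIPE benchmark. It makes several simplifying assumptions: the vulnerable function's stack frame is modelled as a struct with a 16-byte buffer directly below an 8-byte saved-return-address slot; writes are captured by an instrumented `traced_store` rather than a binary-level tracer; addresses are recorded as frame-relative offsets so the two runs are comparable; and source locations are stand-in site identifiers (`SITE_VULN_COPY`) rather than real line numbers. Both inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    16
#define RET_LEN    8       /* width of the saved return address slot */
#define MAX_EVENTS 256

/* Stand-ins for source locations (assumption: a real tracer would record line/PC). */
enum site { SITE_NONE = 0, SITE_VULN_COPY = 1 };

/* Simplified model of the vulnerable function's stack frame (assumption:
 * classic layout, buffer directly below the saved return address). */
struct frame {
    unsigned char buf[BUF_LEN];
    unsigned char saved_ret[RET_LEN];
};

/* One memory-write event: which source site wrote which frame offset. */
struct write_event { enum site src_site; size_t offset; };
struct trace { struct write_event ev[MAX_EVENTS]; size_t n; };

/* Instrumented byte store: log the write, then perform it. Offsets are
 * frame-relative so traces from different runs line up even under ASLR. */
static void traced_store(struct frame *f, size_t off, unsigned char v,
                         enum site src_site, struct trace *t)
{
    if (t->n < MAX_EVENTS) {
        t->ev[t->n].src_site = src_site;
        t->ev[t->n].offset = off;
        t->n++;
    }
    if (off < sizeof *f)            /* keep the model itself well-defined */
        ((unsigned char *)f)[off] = v;
}

/* The deliberately vulnerable routine: an unchecked copy into f->buf. */
static void vuln_copy(struct frame *f, const unsigned char *src, size_t len,
                      struct trace *t)
{
    for (size_t i = 0; i < len; i++)
        traced_store(f, offsetof(struct frame, buf) + i, src[i],
                     SITE_VULN_COPY, t);
}

static int offset_in_trace(const struct trace *t, size_t off)
{
    for (size_t j = 0; j < t->n; j++)
        if (t->ev[j].offset == off) return 1;
    return 0;
}

static int offset_in_list(const size_t *list, size_t n, size_t off)
{
    for (size_t j = 0; j < n; j++)
        if (list[j] == off) return 1;
    return 0;
}

/* Diagnosis: attack-specific offsets (deduplicated, in trace order), how many
 * land on the saved return address, and the site that first produced one. */
struct diagnosis {
    size_t    specific[MAX_EVENTS];
    size_t    n_specific;
    size_t    n_control_hits;
    enum site corruption_site;
};

/* Core of the method: offsets written in the malicious run but never in the
 * benign run are the attack-specific memory segments. */
static struct diagnosis diff_traces(const struct trace *ben, const struct trace *mal)
{
    struct diagnosis d;
    memset(&d, 0, sizeof d);
    d.corruption_site = SITE_NONE;
    for (size_t i = 0; i < mal->n; i++) {
        size_t off = mal->ev[i].offset;
        if (offset_in_trace(ben, off)) continue;              /* benign too */
        if (offset_in_list(d.specific, d.n_specific, off)) continue;
        if (d.corruption_site == SITE_NONE)
            d.corruption_site = mal->ev[i].src_site;          /* corruption location */
        d.specific[d.n_specific++] = off;
        if (off >= offsetof(struct frame, saved_ret))          /* control data hit */
            d.n_control_hits++;
    }
    return d;
}

/* Run a constructed benign and malicious input through the instrumented
 * routine and diff the resulting traces. */
static struct diagnosis run_example(void)
{
    struct frame f;
    struct trace ben, mal;
    memset(&ben, 0, sizeof ben);
    memset(&mal, 0, sizeof mal);

    const unsigned char benign[] = "hello!!";          /* 8 bytes incl. NUL, fits in buf */
    unsigned char malicious[BUF_LEN + RET_LEN];          /* fills buf, then the ret slot */
    memset(malicious, 'A', BUF_LEN);
    const unsigned char fake_ret[RET_LEN] = {0xef, 0xbe, 0xad, 0xde, 0, 0, 0, 0};
    memcpy(malicious + BUF_LEN, fake_ret, RET_LEN);

    vuln_copy(&f, benign, sizeof benign, &ben);
    vuln_copy(&f, malicious, sizeof malicious, &mal);
    return diff_traces(&ben, &mal);
}

int main(void)
{
    struct diagnosis d = run_example();
    printf("attack-specific offsets: %zu (first %zu, last %zu)\n",
           d.n_specific, d.specific[0], d.specific[d.n_specific - 1]);
    printf("writes into saved return address: %zu\n", d.n_control_hits);
    printf("corruption site id: %d\n", (int)d.corruption_site);
    return 0;
}
```

The benign run touches offsets 0 to 7, the malicious run 0 to 23, so the diff flags offsets 8 to 23 as attack-specific; the 8 of them at or beyond `saved_ret` are the control-data corruption that would redirect execution to a payload, and the site that produced the first of them is the copy loop, which is where the paper's "code corruption" diagnosis points. A real tracer sees far more writes per run, which is why normalising addresses (here, to frame offsets) and taking a set difference rather than comparing raw traces matters.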