Trace-based analysis of memory corruption malware attacks

Zhixing Xu; Aarti Gupta; Sharad Malik

doi:10.1007/978-3-319-70389-3_5

Trace-based analysis of memory corruption malware attacks

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.

Original language	English (US)
Title of host publication	Hardware and Software
Subtitle of host publication	Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings
Editors	Rachel Tzoref-Brill, Ofer Strichman
Publisher	Springer Verlag
Pages	67-82
Number of pages	16
ISBN (Print)	9783319703886
DOIs	https://doi.org/10.1007/978-3-319-70389-3_5
State	Published - 2017
Event	13th International Haifa Verification Conference, HVC 2017 - Haifa, Israel Duration: Nov 13 2017 → Nov 15 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10629 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	13th International Haifa Verification Conference, HVC 2017
Country/Territory	Israel
City	Haifa
Period	11/13/17 → 11/15/17

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-70389-3_5

Cite this

Xu, Z., Gupta, A., & Malik, S. (2017). Trace-based analysis of memory corruption malware attacks. In R. Tzoref-Brill, & O. Strichman (Eds.), Hardware and Software: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings (pp. 67-82). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10629 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-70389-3_5

Xu, Zhixing ; Gupta, Aarti ; Malik, Sharad. / Trace-based analysis of memory corruption malware attacks. Hardware and Software: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings. editor / Rachel Tzoref-Brill ; Ofer Strichman. Springer Verlag, 2017. pp. 67-82 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{d940a76df2954841b9ce46e57822b60f,

title = "Trace-based analysis of memory corruption malware attacks",

abstract = "Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.",

author = "Zhixing Xu and Aarti Gupta and Sharad Malik",

note = "Funding Information: This work was supported in part by SONIC (one of the six SRC STARnet centers, sponsored by MARCO and DARPA) and NSF Grant 1525936. Any opinions, findings, and conclusions presented here are those of the authors and do not necessarily reflect those of SONIC or NSF. Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 13th International Haifa Verification Conference, HVC 2017 ; Conference date: 13-11-2017 Through 15-11-2017",

year = "2017",

doi = "10.1007/978-3-319-70389-3_5",

language = "English (US)",

isbn = "9783319703886",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "67--82",

editor = "Rachel Tzoref-Brill and Ofer Strichman",

booktitle = "Hardware and Software",

address = "Germany",

}

Xu, Z, Gupta, A & Malik, S 2017, Trace-based analysis of memory corruption malware attacks. in R Tzoref-Brill & O Strichman (eds), Hardware and Software: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10629 LNCS, Springer Verlag, pp. 67-82, 13th International Haifa Verification Conference, HVC 2017, Haifa, Israel, 11/13/17. https://doi.org/10.1007/978-3-319-70389-3_5

Trace-based analysis of memory corruption malware attacks. / Xu, Zhixing; Gupta, Aarti ; Malik, Sharad.

Hardware and Software: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings. ed. / Rachel Tzoref-Brill; Ofer Strichman. Springer Verlag, 2017. p. 67-82 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10629 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Trace-based analysis of memory corruption malware attacks

AU - Xu, Zhixing

AU - Gupta, Aarti

AU - Malik, Sharad

N1 - Funding Information: This work was supported in part by SONIC (one of the six SRC STARnet centers, sponsored by MARCO and DARPA) and NSF Grant 1525936. Any opinions, findings, and conclusions presented here are those of the authors and do not necessarily reflect those of SONIC or NSF. Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.

AB - Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.

UR - http://www.scopus.com/inward/record.url?scp=85034618678&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85034618678&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-70389-3_5

DO - 10.1007/978-3-319-70389-3_5

M3 - Conference contribution

AN - SCOPUS:85034618678

SN - 9783319703886

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 67

EP - 82

BT - Hardware and Software

A2 - Tzoref-Brill, Rachel

A2 - Strichman, Ofer

PB - Springer Verlag

T2 - 13th International Haifa Verification Conference, HVC 2017

Y2 - 13 November 2017 through 15 November 2017

ER -

Xu Z, Gupta A , Malik S. Trace-based analysis of memory corruption malware attacks. In Tzoref-Brill R, Strichman O, editors, Hardware and Software: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings. Springer Verlag. 2017. p. 67-82. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-70389-3_5

Trace-based analysis of memory corruption malware attacks

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this