Trace-based analysis of memory corruption malware attacks

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Understanding malware behavior is critical for cybersecurity. This is still largely done through expert manual analysis of the malware code/binary. In this work, we introduce a fully automated method for malware analysis that utilizes memory traces of program execution. Given both benign and malicious execution traces of a program, the method identifies memory segments specific to the malware attack, and then uses them to localize the attack in the source code. We evaluated our method on the RIPE benchmark for memory corruption malware attacks and demonstrated its ability to: (i) perform diagnosis by identifying the program location of both code corruption (e.g. buffer overflow location) and attack execution (e.g. control flow to payload), (ii) recognize the characteristics of different attacks.

Original language: English (US)
Title of host publication: Hardware and Software
Subtitle of host publication: Verification and Testing - 13th International Haifa Verification Conference, HVC 2017, Proceedings
Editors: Rachel Tzoref-Brill, Ofer Strichman
Publisher: Springer Verlag
Number of pages: 16
ISBN (Print): 9783319703886
State: Published - 2017
Event: 13th International Haifa Verification Conference, HVC 2017 - Haifa, Israel
Duration: Nov 13 2017 to Nov 15 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10629 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Other: 13th International Haifa Verification Conference, HVC 2017

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science

