Publication


Featured research published by Chi-Wei Wang.


IEEE Computer | 2014

Cloudebug: A Programmable Online Malware Testbed

Chi-Wei Wang; Chia-Wei Wang; Chu-An Hsieh; Shiuh-Pyng Shieh

Virtual machines for malware analysis in current cloud-based debugging services are not easily accessible or operable by end users. Cloudebug allows users to operate its VM directly in the cloud.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

Light-Weight CSRF Protection by Labeling User-Created Contents

Yin-Chang Sung; Michael Cheng Yi Cho; Chi-Wei Wang; Chia-Wei Hsu; Shiuh-Pyng Shieh

Cross-site request forgery (CSRF/XSRF) is a serious vulnerability in the Web 2.0 environment. With CSRF, an adversary can spoof the payload of an HTTP request and entice the victim's browser to transmit an HTTP request to the web server. Consequently, the server cannot determine the legitimacy of the HTTP request. This paper presents a light-weight CSRF prevention method by introducing a quarantine system to inspect suspicious scripts on the server side. Instead of using a script filtering and rewriting approach, this scheme is based on a new labeling mechanism (called Content Box) which enables the web server to distinguish malicious requests from harmless requests without the need to modify the user-created contents (UCCs). Consequently, a malicious request can be blocked when it attempts to access critical web services that were defined by the web administrator. To demonstrate its effectiveness, the proposed scheme was implemented and its performance was evaluated.


Journal of Information Science and Engineering | 2015

DROIT: Dynamic Alternation of Dual-Level Tainting for Malware Analysis

Chi-Wei Wang; Shiuh-Pyng Shieh

Taint analysis for Android malware has received much attention in recent research. Existing taint techniques operate either at the Java object level or at the deeper instruction level. Object-level tracking is suitable for malware written in Java byte-code, but not for native ones. Instruction-level tracking captures the finest data flow. However, it leads to obscure semantic reconstruction and low performance. In this paper, we present DROIT, a taint tracker which dynamically alternates between object-level and instruction-level tracking on demand. DROIT tracks data flow at the Java object level in general. When its Dalvik VM exits the byte-code execution, DROIT automatically switches to instruction-level tracking, and vice versa. The trigger-based DROIT can alternate between the two levels in an efficient manner, and can provide a dual-level whole image of the data flow, rather than fragments. Tracking at the dual levels also eases the semantic reconstruction significantly. The experiment with Android information-stealing trojans showed that DROIT can handle Java-based malware, those composed in native code, and those alternating between the two levels (e.g., DroidKungFu), respectively.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

Divergence Detector: A Fine-Grained Approach to Detecting VM-Awareness Malware

Chia-Wei Hsu; Fan-Syun Shih; Chi-Wei Wang; Shiuhpyng Winston

Virtualized execution has become an effective mechanism to analyze malware in a dynamic way. To conceal its malicious behaviors, VM-aware malware probes the execution environment for analysis-resistance. These malware programs hide their malicious behaviors if they are launched in a virtual machine (VM). VM awareness becomes a barrier for malware analysis due to the concealment of malicious behaviors. In this paper, we discover that uncertain factors have significant influence on the effectiveness of malware detection. To cope with the problems, a new VM-aware detection scheme, namely Divergence Detector, is proposed to address the swindle of the evolved malware. Unlike conventional schemes, the Divergence Detector reduces the uncertain factors at instruction level, and can detect the divergence of multi-execution traces across heterogeneous virtual machines. The proposed Divergence Detector is implemented across the three commonly used VM platforms, that is, QEMU, Bochs and Xen. It compares the code coverage of the execution traces on various VM platforms to discover the deviation of behavior, thereby precisely detecting the VM-awareness. We will formally predict the effectiveness of Divergence Detector by constructing a mathematical model, which shows the maximum false positive rate is exponentially decreased with respect to the number of multi-executions. Representative samples utilizing seven types of commonly used VM-aware techniques were also employed for evaluation. The evaluation results indicate that the maximum false positive rate complies with our prediction. The uncertain factors play the major role in the VM-awareness detection. To reduce uncertain factors causing false positives, a method is proposed for VM-aware detection. The Divergence Detector can also enable the identification of new types of malware since the benign programs do not need to be aware of the execution environment.


Journal of Information Science and Engineering | 2015

MrKIP: Rootkit Recognition With Kernel Function Invocation Pattern

Chi-Wei Wang; Chong Kuan Chen; Chia-Wei Wang; Shiuh-Pyng Shieh

Existing mechanisms tracing user-level activities such as system calls and APIs can be circumvented by kernel-level rootkits. In this paper, a novel system, MrKIP, is proposed to recognize rootkits based on their kernel-level activities. Our scheme semiautomatically generates suitable locations for analysts to implement checkpoints, which are used to profile kernel-space activities. Then, collected rootkits are executed in an emulator with these checkpoints for behavior profiling. The collected behaviors are clustered and used for model construction. The constructed model can be used to recognize new variants of rootkit families. Our scheme differs from conventional tracers due to its ability to cover kernel-space malware and the whole-system scope. In addition, monitoring at the kernel level raises a high barrier for malware to evade, since all tasks are eventually executed through the basic kernel functions.


IEEE Computer | 2015

Combating Software Piracy in Public Clouds

Chia-Wei Wang; Michael Cheng Yi Cho; Chi-Wei Wang; Shiuh-Pyng Shieh

CodeMist is an innovative security framework that leverages both passive and active approaches to prevent piracy of cloud-based rental software.


IEEE Transactions on Dependable and Secure Computing | 2016

ProbeBuilder: Uncovering Opaque Kernel Data Structures for Automatic Probe Construction

Chi-Wei Wang; Chia-Wei Wang; Shiuh-Pyng Shieh

VM-based inspection tools generally implement probes in the hypervisor to monitor events and the state of the kernel of the guest system. The most important function of a probe is to carve information of interest out of the memory of the guest when it is triggered. Implementing probes for a closed-source OS demands manually reverse-engineering the undocumented code/data structures in the kernel binary image. Furthermore, the reverse-engineering result is often non-reusable between OS versions or even kernel updates due to the rapid change of these structures. In this paper, we propose ProbeBuilder, a system automating the process of inferring kernel data structures. Based on dynamic execution, ProbeBuilder searches for data structures matching the “pointer-offset-pointer” pattern in guest memory. The sequences of these offsets, which are referred to as dereferences, are then verified by ProbeBuilder with instruction evidence that traverses them. The experiment on the Windows kernel shows that ProbeBuilder efficiently narrows thousands of choices for kernel-level probes down to dozens. The finding allows analysts to quickly implement probes, facilitating rapid development/update of inspection tools for different OSes. With these features, ProbeBuilder is the first system capable of automatically generating practical probes that extract information through dereferences to opaque kernel data structures.


Journal of Information Science and Engineering | 2015

SWIFT: Decoupled System-Wide Information Flow Tracking and its Optimizations

Chi-Wei Wang; Shiuh-Pyng Shieh

Information flow analysis is a widely adopted technique in software testing and malware analysis. For information flow analysis, a system-level emulator equipped with dynamic information flow tracking (DIFT) capability is needed. However, its effectiveness comes at the price of severe performance degradation due to interleaved system emulation and DIFT analysis. In this paper, a decoupled system-wide information flow tracking scheme, SWIFT, is proposed. Through decoupling system-wide information flow tracking from emulation, SWIFT regains the memory locality and code optimization. The proposed methods are able to aggressively eliminate dependency between the system-level emulator and the analysis thread. Our performance evaluation indicates that, under the same hardware specifications, SWIFT runs 2.74~7.48 times faster than the conventional interleaved design when benchmarked by PassMark Performance Test 6.0. The performance improvement consequently makes the online analysis feasible in practice.


Archive | 2008

LIGHT WEIGHT AUTHENTICATION AND SECRET RETRIEVAL

Shih-I Huang; Shiuh-Pyng Shieh; Sheng-Ming Chang; Chi-Wei Wang


Archive | 2014

METHOD OF GENERATING IN-KERNEL HOOK POINT CANDIDATES TO DETECT ROOTKITS AND THE SYSTEM THEREOF

Chi-Wei Wang; Chong-kuan Chen; Chia-Wei Wang; Shiuh-Pyng Shieh

Collaboration

Top Co-Authors

Shiuh-Pyng Shieh | National Chiao Tung University

Chia-Wei Wang | National Chiao Tung University

Chia-Wei Hsu | National Chiao Tung University

Michael Cheng Yi Cho | National Chiao Tung University

Chia-Huei Chang | National Chiao Tung University

Chong Kuan Chen | National Chiao Tung University

Chong-kuan Chen | National Chiao Tung University

Chu-An Hsieh | National Chiao Tung University

Fan-Syun Shih | National Chiao Tung University

Sheng-Ming Chang | Industrial Technology Research Institute