Publication


Featured research published by Matthew Schmid.


annual computer security applications conference | 2002

A toolkit for detecting and analyzing malicious software

Michael Weber; Matthew Schmid; Michael Schatz; David Geyer

We present PEAT: the Portable Executable Analysis Toolkit. It is a software prototype designed to provide a selection of tools that an analyst may use in order to examine structural aspects of a Windows Portable Executable (PE) file, with the goal of determining whether malicious code has been inserted into an application after compilation. These tools rely on structural features of executables that are likely to indicate the presence of inserted malicious code. The underlying premise is that typical application programs are compiled into one binary, homogeneous from beginning to end with respect to certain structural features; any disruption of this homogeneity is a strong indicator that the binary has been tampered with. For example, it could now harbor a virus or a Trojan horse program. We present our investigation into structural feature analysis, the development of these ideas into the PEAT prototype, and results that illustrate PEAT's practical effectiveness.


international symposium on software reliability engineering | 1998

Testing the robustness of Windows NT software

Anup K. Ghosh; Matthew Schmid; Viren Shah

To date, most studies on the robustness of operating system software have focused on Unix-based systems. The paper develops a methodology and architecture for performing intelligent black box analysis of software that runs on the Windows NT platform. The goals of the research are threefold: first, to develop intelligent robustness testing techniques for commercial off-the-shelf (COTS) software; second, to benchmark the robustness of NT software in handling anomalous events; and finally, to identify robustness gaps to permit fortification for fault tolerance. The random and intelligent data design library environment (RIDDLE) is a tool for analyzing operating system software, system utilities, desktop applications, component-based software, and network services. RIDDLE was used to assess the robustness of native Windows NT system utilities as well as Win32 ports of the GNU utilities. Experimental results comparing the relative performance of the ported utilities versus the native utilities are presented.


international symposium on software reliability engineering | 1999

An approach to testing COTS software for robustness to operating system exceptions and errors

Anup K. Ghosh; Matthew Schmid

One of the least tested but most critical portions of software systems is error and exception handling. Error/exception handling routines are the safety net for any system to handle unexpected circumstances such as when operating system (OS) or hardware failures occur. As more critical systems are developed from commercial off the shelf (COTS) software, the robustness of these applications to operating system failures, and in general, to failures from third party software, becomes increasingly critical. We present an approach and tool for assessing the robustness of COTS applications to failures from OS functions or other third-party COTS software. The approach consists of wrapping executable application software with an instrumentation layer that can capture, record, perturb, and question all interactions with the operating system. The wrapper is used to return error codes and exceptions from calls to operating system functions. The effect of the failure from the OS call is then assessed. If the application crashes under these anomalous conditions, the application is determined to be non-robust to a particular failing OS call. A failure simulation tool has been developed for testing the robustness of Win32 applications to these types of anomalous OS conditions.


ieee international symposium on fault tolerant computing | 1999

Wrapping Windows NT software for robustness

Anup K. Ghosh; Matthew Schmid; Frank Hill

As Windows NT workstations become more entrenched in enterprise-critical and even mission-critical applications, the dependability of the Windows 32-bit (Win32) platform is becoming critical. To date, studies on the robustness of system software have focused on Unix-based systems. This paper describes an approach to assessing the robustness for Win32 software and providing robustness wrappers for third party commercial off-the-shelf (COTS) software. The robustness of Win32 applications to failing operating system (OS) functions is assessed by using fault injection techniques at the interface between the application and the operating system. Finally, software wrappers are developed to handle OS failures gracefully in order to mitigate catastrophic application failures.


darpa information survivability conference and exposition | 2001

Preventing the execution of unauthorized Win32 applications

Matthew Schmid; Frank Hill; Anup K. Ghosh; J.T. Bloch

Describes an approach and tool for providing administrative control over the execution of software on a Windows NT/2000 system. The kernel-driver-based approach provides the system administrator with a way of restricting users to running only approved applications. As a result, illegal, pirated, personal and malicious software executables can be prevented from running on corporate machines. We describe the key issues involved in the development of this tool and the features that make this tool an important part of regaining enterprise-wide control over corporate machines.


darpa information survivability conference and exposition | 2000

Techniques for evaluating the robustness of Windows NT software

Matthew Schmid; Anup K. Ghosh; Frank Hill

Windows NT is rapidly becoming the platform of choice for organizations engaging in commerce, engineering, and research. The Windows NT operating system and its software are being relied upon for an increasing number of critical applications in both the military and civilian arenas. It is essential that software testing techniques are created that will enable the development of software that is capable of functioning in such roles. This paper presents two approaches that can be used to aid in the robustness testing of Windows NT software. The first approach uses a test data generator to analyze the robustness of Windows NT Dynamic Link Libraries. The second approach uses binary wrapping and fault injection techniques to study the effects of operating system failures on an application. A Failure Simulation Tool has been developed to this end.


Archive | 2004

Methods for identifying malicious software

Matthew Schmid; Michael Weber; Michael Haddox-Schatz; David Geyer


annual computer security applications conference | 2002

Protecting data from malicious software

Matthew Schmid; Frank Hill; Anup K. Ghosh


Archive | 2001

System and method for defending against malicious software

Matthew Schmid; John Thomas Bloch; Frank Hill; Anup K. Ghosh


Archive | 1998

An Approach for Analyzing the Robustness of Windows NT Software

Anup K. Ghosh; Viren Shah; Matthew Schmid
