Ramesh Yerraballi

Cobra: fine-grained malware analysis using stealth localized-executions

Fine-grained code analysis in the context of malware is a complex and challenging task that provides insight into malware code-layers (polymorphic/metamorphic), its data encryption/decryption engine, its memory layout etc., important pieces of information that can be used to detect and counter the malware and its variants. Current research in fine-grained code analysis can be categorized into static and dynamic approaches. Static approaches have been tailored towards malware and allow exhaustive fine-grained malicious code analysis, but lack support for self-modifying code, have limitations related to code-obfuscations and face the undecidability problem. Given that most if not all malware employ self-modifying code and code-obfuscations, poses the need to analyze them at runtime using dynamic approaches. However, current dynamic approaches for fine-grained code analysis are not tailored specifically towards malware and lack support for multithreading, self-modifying/self-checking code and are easily detected and countered by ever-evolving anti-analysis tricks employed by malware. To address this problem, we propose a powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a stealth, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user- and kernel-mode on commodity operating systems. Cobra cannot be detected or countered and can be dynamically and selectively deployed on malware specific code-streams while allowing other code-streams to execute as is. We also illustrate the framework utility by describing our experience with a tool employing Cobra to analyze a real-world malware

Stealth breakpoints

Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and hardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis

Issues in schedulability analysis of real-time systems

Due to the critical nature of real-time systems, there is an ever growing burden on the designer to not only guarantee that the tasks would meet their deadlines at design time, but would continue to do so as the system evolves. This implies that the schedulability analysis has to he robust. We identify the sensitivity of schedulability analysts to the task execution times. The impact this parameter has on the schedulability analyses is captured by formulating a general scaling problem. This problem is shown to relate to the problems of scalability, portability and execution time estimation. A technique to solve this general problem is developed. A proof of correctness and optimality of the technique is presented.

Scalability in real-time systems with end-to-end requirements

Abstract The stringent demands to guarantee task deadlines in real-time systems have motivated both practitioners and researchers to look at ways to analyze systems prior to run-time. This paper reports a new perspective of analyzing real-time systems that in addition to ascertaining the ability of a system to meet task deadlines also qualifies these guarantees. The guarantees are qualified by a measure (called the scaling factor) of the systems ability to continue to provide these guarantees under possible changes to the tasks. This measure is shown to have many applications in the design (task execution time estimation), development (portability and fault tolerance) and maintenance (scalability) of real-time systems. The derivation of this measure in end-to-end systems requires that we solve two fundamental problems — the uni-processor schedulability problem and the uni-processor scalability problem. The uni-processor schedulability problem involves finding whether a set of tasks (with arbitrary non-zero arrival times) will meet its deadlines. The scalability problem seeks to find the maximum scaling factor with which the execution times of a set of tasks can be scaled without invalidating its schedulability. Optimal solutions to these two fundamental problems are presented.

Enhancing Computer Science Education with a Wireless Intelligent Simulation Environment

THE GOAL OF THIS PROJECT is to develop a unique simulation environment that can be used to increase students’ in terest and expertise in Computer Science curriculum. Handson experience with physical or simulated equipment is an essential ingredient for learning, but many approaches to training develop a separate piece of equipment or software for each topic area. We describe the development of a simulation environment that provides a foundation for cross-disciplinary exercises. The Wireless Intelligent agent Simulation Environment (WISE), which combines activities from virtual and physical versions of the Wumpus World game, provides a dynamic learning environment that can enhance a number of Computer Science courses.In this paper, we describe the WISE environment design. We also describe steps for integrating WISE into Computer Science curriculum. As a demonstration of the effectiveness of the tool, we describe its use in the artificial intelligence, multimedia, and wireless networks courses at the University of Texas at Arlington.

Distributed video streaming using multicast (DVSM)

The Internet is a packet switched best effort service, which does not provide guarantees of reliability and timely packet delivery. Video streaming, requiring high bandwidth and low delay is not naturally suited for such a network. Distributed Video Streaming (DVS) takes note of this fact and attempts to provide a more reliable (and timely) way of streaming using multiple senders to stream a video to a receiver simultaneously. The essence of this approach involves utilizing path diversity of multiple senders. If a path from a sender to a receiver is congested, alternate paths are exploited to maintain the required throughput of the video stream. In this paper we report, Distributed Video Streaming using Multicast (DVSM) a research extending the protocol suggested by DVS. Many current video streaming protocols use multicast to efficiently utilize the available bandwidth of the network. DVSM operates in this vein by applying multicast to DVS thus enhancing its functionality. We discuss and evaluate modifications to the protocols and algorithms required to transition from DVS to DVSM.

Schedulability related issues in end-to-end systems

With the proliferation of scheduling algorithms there is a growing need to test these schedulers for their validity not just at design time but also as the system evolves. This implies that the schedulability analysis has to be robust. In this study, we identify a few often posed questions that address the robustness of schedulability analyses. First these questions are dealt in the context of uniprocessor systems and then we handle some of their extensions in a more general context of end-to-end systems. We show that these questions are closely related to a more general problem. We present a solution to this problem. An intuitive proof of correctness and optimality of the solution technique are presented.

Distributed streaming for video on demand

Implementing reliable Video on Demand (VoD) systems over the Internet, which is inherently best-effort, is a challenge. Distributed streaming for Video on Demand addresses this challenge with a combination of two techniques. The first, Distributed Video Streaming using Multicast (DVSM) involves video streaming from multiple servers to overcome path congestion by exploiting path diversity. The second technique, Asynchronous Hybrid mechanism for Video on Demand, implements a segmentation-based periodic broadcast to effectively utilize network bandwidth and decrease latency. The combination involves devising new algorithms for bandwidth estimation, segment partitioning and scheduling. A simulation of our proposed solution demonstrates its effectiveness. Specifically the results show, the prompt reaction of our strategy to congestion, and, the effect the various parameters have on system performance. The results shed light on parameters that can be fine-tuned for an effective VoD system.

Routing and admission control of real-time channels

Two important aspects that any study of message communication has to address are routing and admission control. The routing problem seeks to find a route for a channel and admission control involves assessing the ability to meet the demands of a channel along the chosen route. Most efforts in the area of real-time communication have been directed, primarily towards the admission control problem, not many have been targeted rewards the routing problem. The authors show that these two problems are inter-related. They address these two problems in a general framework that can abstract many practical scenarios. They assume the use of an arbitrary dynamic/fixed priority link level scheduling, thereby increasing the utility of the derived results. Their approaches for both routing and admission control are based on extending a result we have derived in a different context, viz., task scalability. A simulation study, was performed to study the effectiveness of their approach in improving both utilization of the link and admissibility of channels.