TY - GEN
T1 - Input generation via decomposition and re-stitching
T2 - 17th ACM Conference on Computer and Communications Security, CCS'10
AU - Caballero, Juan
AU - Poosankam, Pongsin
AU - McCamant, Stephen
AU - Babić, Domagoj
AU - Song, Dawn
PY - 2010
Y1 - 2010
N2 - Attackers often take advantage of vulnerabilities in benign software, and the authors of benign software must search their code for bugs in hopes of finding vulnerabilities before they are exploited. But there has been little research on the converse question of whether defenders can turn the tables by finding vulnerabilities in malware. We provide a first affirmative answer to that question. We introduce a new technique, stitched dynamic symbolic execution, that makes it possible to use exploration techniques based on symbolic execution in the presence of functionalities that are common in malware and otherwise hard to analyze, such as decryption and checksums. The technique is based on decomposing the constraints induced by a program, solving only a subset, and then re-stitching the constraint solution into a complete input. We implement the approach in a system for x86 binaries, and apply it to 4 prevalent families of bots and other malware. We find 6 bugs that could be exploited by a network attacker to terminate or subvert the malware. These bugs have persisted across malware revisions for months, and even years. We discuss the possible applications and ethical considerations of this new capability.
AB - Attackers often take advantage of vulnerabilities in benign software, and the authors of benign software must search their code for bugs in hopes of finding vulnerabilities before they are exploited. But there has been little research on the converse question of whether defenders can turn the tables by finding vulnerabilities in malware. We provide a first affirmative answer to that question. We introduce a new technique, stitched dynamic symbolic execution, that makes it possible to use exploration techniques based on symbolic execution in the presence of functionalities that are common in malware and otherwise hard to analyze, such as decryption and checksums. The technique is based on decomposing the constraints induced by a program, solving only a subset, and then re-stitching the constraint solution into a complete input. We implement the approach in a system for x86 binaries, and apply it to 4 prevalent families of bots and other malware. We find 6 bugs that could be exploited by a network attacker to terminate or subvert the malware. These bugs have persisted across malware revisions for months, and even years. We discuss the possible applications and ethical considerations of this new capability.
KW - Binary analysis
KW - Composition
KW - Input generation
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=78650029404&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650029404&partnerID=8YFLogxK
U2 - 10.1145/1866307.1866354
DO - 10.1145/1866307.1866354
M3 - Conference contribution
AN - SCOPUS:78650029404
SN - 9781450302449
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 413
EP - 425
BT - CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
Y2 - 4 October 2010 through 8 October 2010
ER -