Tools and techniques for understanding and defending real systems

Published 7 September 2016, 16:54
My research philosophy is to approach security not as a problem to be solved but as a battle that defenders (such as antivirus professionals, law enforcement, and developers of next-generation security technology) must wage. My goal is therefore to provide them with the tools they need, both as implementations of techniques they can actually use and as theory that is firmly grounded in practice and can be applied to the situations they face. This talk covers two projects I have worked on: DACODA (DAvis malCODe Analyzer) and Temporal Search.

The threat that malware, such as worms and botnets, poses to the Internet infrastructure and other parts of the information economy is constantly growing and evolving. Where simple worms once wreaked senseless havoc and vandalized hundreds of thousands of systems, large botnets now carry out the instructions of organized criminal enterprises - not because the former problem has been solved, but because the threat has developed. One promising line of defense is network signatures that detect the exploits worms and botnets use to spread. Malware writers could use polymorphism and metamorphism to change the network signature of their malware, but so far they have done so only in a very limited fashion, probably because defenses are not yet mature enough to warrant the effort. Given the lack of significant polymorphic and metamorphic worms and botnets in the wild, how can we assess the ability of defenses to withstand polymorphism and metamorphism before those defenses are deployed?

DACODA is a full-system implementation of symbolic execution for analyzing worm exploits. As a worm exploits a vulnerability on a victim host, such as a buffer overflow, there are particular bytes of the network traffic that cannot be changed without causing the attack to fail, for example GET
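The following toy, added here to illustrate the idea behind DACODA and not taken from the DACODA implementation, treats each input byte as symbolic, runs a hypothetical vulnerable request handler (constructed for this example) over it, and records the equality predicates the exploit path depends on. The bytes that end up constrained are the ones a polymorphic engine cannot alter, so they are what a signature should match on; a real full-system implementation tracks such predicates through the entire victim OS rather than one toy function.

```python
"""Toy symbolic-byte tracing: which bytes of an exploit must stay fixed?"""
from dataclasses import dataclass, field

@dataclass
class Trace:
    constraints: dict = field(default_factory=dict)   # byte index -> required value

class SymByte:
    """An input byte that records the equality checks the program performs on it."""
    def __init__(self, idx, val, trace):
        self.idx, self.val, self.trace = idx, val, trace
    def __eq__(self, other):
        other_val = other.val if isinstance(other, SymByte) else other
        if self.val == other_val:
            # The path actually taken requires this byte to equal the constant.
            self.trace.constraints[self.idx] = other_val
            return True
        return False          # a failed check (byte != const) does not pin the byte

def toy_handler(req):
    """Hypothetical vulnerable service (constructed): accepts 'GET ' requests and
    copies the rest of the line into a fixed 16-byte buffer, i.e. an overflow."""
    if not (req[0] == ord('G') and req[1] == ord('E')
            and req[2] == ord('T') and req[3] == ord(' ')):
        return "rejected"
    buf, i = [], 4
    while i < len(req) and req[i] != ord('\n'):   # != is routed through __eq__
        buf.append(req[i])
        i += 1
    return "overflow" if len(buf) > 16 else "ok"

def find_invariants(payload: bytes):
    """Run the handler on symbolic bytes; return (outcome, {index: required value})."""
    trace = Trace()
    req = [SymByte(i, b, trace) for i, b in enumerate(payload)]
    outcome = toy_handler(req)
    return outcome, dict(sorted(trace.constraints.items()))

def signature_matches(sig, data: bytes):
    """Apply the derived signature: every invariant byte must be present and match."""
    return all(i < len(data) and data[i] == v for i, v in sig.items())

# Constructed exploit: 'GET ' plus 40 filler bytes plus the line terminator.
EXPLOIT = b"GET " + b"A" * 40 + b"\n"

if __name__ == "__main__":
    outcome, sig = find_invariants(EXPLOIT)
    print(outcome, sig)   # only 'GET ' and the newline at offset 44 are invariant
    print(signature_matches(sig, b"GET " + bytes(range(40)) + b"\n"))  # filler changed
    print(signature_matches(sig, b"GET /index.html\n"))                  # benign request
```

The 40 filler bytes never appear in the constraint set, so a variant that rewrites them still matches the signature, while a short benign request does not.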