TC: Small: Increasing The Cost of Malware

TC：小：增加恶意软件的成本

• 批准号: 1017034
• 负责人: Wu-chang Feng
• 金额: $ 49.84万
• 依托单位: Portland State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1017034&HistoricalAwards=false
• 关键词: TC; Small; Increasing; Cost; Malware

As seen by the proliferation of commercial-grade malware, attacking networked applications is a profitable enterprise. There are two advantages malware authors currently have against us. The first advantage is that because users run a diverse set of applications on their systems, anti-virus and anti-malware programs must exhaustively search for specific malware instances across all pieces of software on a system. Malware easily thwarts this through the use of polymorphism, metamorphism, obfuscation, and cryptographic packing, placing a financial burden on anti-malware vendors and a performance burden on their users. The second advantage malware authors enjoy is that while there are a lot of applications to attack, each software target is static across many client machines. As a result, malware authors only need to reverse and exploit a single instance of an application in order to compromise thousands of machines. This project examines two novel approaches for reversing the advantages held by malware authors. The first approach explores a white-listed execution model that extends integrity-checks beyond the operating system and into the running application in an on-line manner. The second approach explores the on-line, run-time transformation of applications in order to force a malware adversary to reverse and exploit a new application for each new client it wishes to compromise. Finally, the project aims to demonstrate the impact these techniques have on the cost of developing malware.

从商业级恶意软件的激增中可以看出，攻击网络应用程序是一项有利可图的业务。目前，恶意软件作者对我们有两个优势。第一个优势是，因为用户在他们的系统上运行不同的应用程序集，所以防病毒和反恶意软件程序必须在系统上的所有软件中详尽地搜索特定的恶意软件实例。恶意软件很容易通过使用多态、变形、混淆和加密打包来阻止这一点，从而给反恶意软件供应商带来经济负担，并给他们的用户带来性能负担。恶意软件作者享有的第二个优势是，虽然有很多应用程序可以攻击，但每个软件目标在许多客户端计算机上都是静态的。因此，恶意软件作者只需逆转和利用应用程序的单个实例，即可危害数千台机器。这个项目研究了两种扭转恶意软件作者优势的新方法。第一种方法探索白名单执行模型，该模型将完整性检查扩展到操作系统之外，并以在线方式进入正在运行的应用程序。第二种方法探索应用程序的在线、运行时转换，以迫使恶意软件攻击者为其希望危害的每个新客户端逆转和利用新应用程序。最后，该项目旨在展示这些技术对开发恶意软件的成本的影响。