CRII: SaTC: Towards Paving the Way for Large-Scale Malware Analysis: New Directions in Generic Binary Unpacking

CRII：SaTC：为大规模恶意软件分析铺平道路：通用二进制解包的新方向

• 批准号: 1850434
• 负责人: Jiang Ming
• 金额: $ 17.5万
• 依托单位: University of Texas at Arlington
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-05-01 至 2022-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1850434&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Paving; Way

Malware, with harmful intent to compromise computer systems, has been one of the significant challenges to the Internet. Driven by the rich profit, relentless malware developers apply various obfuscation schemes to circumvent malware detection. Binary packing is the most common obfuscation adopted by malware authors to camouflage malicious code and defeat popular signature-based malware detection. Binary packing first encrypts or compresses malware code as data, making it immune to static analysis. At run time, the attached unpacking routine writes the decoded code to memory and then resumes malicious payload execution. Over the past two decades, packed malware has been a challenge in the anti-malware landscape. This project addresses this problem from new angles and advances the state of the art in terms of better performance and stronger anti-analysis resistance. The project's novelties are new methods and efficient tools to extract packed malware payload without the prior knowledge of packers. The project's impacts are paving the way for large-scale malware analysis and helping people respond to emerging malware attacks promptly.Existing generic binary unpacking work suffers from high runtime overhead and lack of anti-analysis resistance. This project conducts an in-depth study on an enormous variety of malware packers and reveals promising research directions to address the long-standing binary unpacking problem. Based on the investigator's encouraging preliminary results, this project goes one step further to address the unsolved challenges and pave the last mile to a complete generic unpacking solution. This project develops a novel machine learning model to extract the semantics of the original entry point. The proposed technique notably outperforms existing search heuristics. This project's hybrid de-obfuscation approaches enable unpacking tools to recover a fully functional version of the original binary, which is the ultimate goal of unpacking technique. To achieve stronger resilience to various anti-analysis attacks, the investigator advances the use of hardware supported lower-level features to detecting the end of unpacking. The proposed methods can handle a broader range of malware packers, even brand new packers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

恶意软件具有危害计算机系统的恶意，一直是互联网面临的重大挑战之一。在丰厚利润的推动下，无情的恶意软件开发人员应用各种混淆方案来规避恶意软件检测。二进制打包是恶意软件作者用来伪装恶意代码和挫败流行的基于签名的恶意软件检测的最常见的混淆方法。二进制打包首先将恶意软件代码加密或压缩为数据，使其不受静态分析的影响。在运行时，附加的解包例程将解码的代码写入内存，然后恢复恶意有效负载执行。在过去的二十年里，打包恶意软件一直是反恶意软件领域的一个挑战。该项目从新的角度解决了这一问题，并在更好的性能和更强的抗分析能力方面提高了技术水平。该项目的新颖性是在打包者事先不知道的情况下提取打包的恶意软件有效载荷的新方法和有效工具。该项目的影响正在为大规模恶意软件分析铺平道路，并帮助人们快速应对新出现的恶意软件攻击。现有的通用二进制解包工作存在运行时开销高且缺乏反分析能力的问题。这个项目对大量的恶意软件打包程序进行了深入的研究，并揭示了解决长期存在的二进制解包问题的有前途的研究方向。基于研究人员令人鼓舞的初步结果，该项目进一步解决了未解决的挑战，并为完整的通用拆包解决方案铺平了最后一英里。该项目开发了一种新的机器学习模型来提取原始入口点的语义。该方法的性能明显优于现有的搜索启发式算法。该项目的混合反模糊方法使解包工具能够恢复原始二进制文件的全功能版本，这是解包技术的最终目标。为了实现对各种反分析攻击的更强的弹性，调查者提出了使用硬件支持的底层特征来检测解包结束。建议的方法可以处理更广泛的恶意软件打包程序，甚至是全新的打包程序。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

• DOI: 10.1145/3460120.3484544
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Wenna Song;Jiang Ming;Lin Jiang;Yi Xiang;Xuanchen Pan;Jianming Fu;Guojun Peng

Obfuscation-Resilient Executable Payload Extraction From Packed Malware

• 发表时间: 2021
• 作者: Binlin Cheng;Jiang Ming;Erika A. Leal;Haotian Zhang;Jianming Fu;Guojun Peng;Jean-Yves Marion

Chosen-Instruction Attack Against Commercial Code Virtualization Obfuscators

• DOI: 10.14722/ndss.2022.24015
• 发表时间: 2022
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: Shijia Li;Chunfu Jia;Pengda Qiu;Qiyuan Chen;Jiang Ming;Debin Gao

VAHunt: Warding Off New Repackaged Android Malware in App-Virtualization's Clothing

• DOI: 10.1145/3372297.3423341
• 发表时间: 2020-10
• 期刊: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Luman Shi;Jiang Ming;Jianming Fu;Guojun Peng;Dongpeng Xu;Kun Gao;Xuanchen Pan

PatchScope: Memory Object Centric Patch Diffing

• DOI: 10.1145/3372297.3423342
• 发表时间: 2020-10
• 期刊: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Lei Zhao;Yuncong Zhu;Jiang Ming;Yichen Zhang;Haotian Zhang;Heng Yin