CRII: SaTC: Towards Paving the Way for Large-Scale Malware Analysis: New Directions in Generic Binary Unpacking

CRII：SaTC：为大规模恶意软件分析铺平道路：通用二进制解包的新方向

• 批准号: 1850434
• 负责人: Jiang Ming
• 金额: $ 17.5万
• 依托单位: University of Texas at Arlington
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-05-01 至 2022-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1850434&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Paving; Way

Malware, with harmful intent to compromise computer systems, has been one of the significant challenges to the Internet. Driven by the rich profit, relentless malware developers apply various obfuscation schemes to circumvent malware detection. Binary packing is the most common obfuscation adopted by malware authors to camouflage malicious code and defeat popular signature-based malware detection. Binary packing first encrypts or compresses malware code as data, making it immune to static analysis. At run time, the attached unpacking routine writes the decoded code to memory and then resumes malicious payload execution. Over the past two decades, packed malware has been a challenge in the anti-malware landscape. This project addresses this problem from new angles and advances the state of the art in terms of better performance and stronger anti-analysis resistance. The project's novelties are new methods and efficient tools to extract packed malware payload without the prior knowledge of packers. The project's impacts are paving the way for large-scale malware analysis and helping people respond to emerging malware attacks promptly.Existing generic binary unpacking work suffers from high runtime overhead and lack of anti-analysis resistance. This project conducts an in-depth study on an enormous variety of malware packers and reveals promising research directions to address the long-standing binary unpacking problem. Based on the investigator's encouraging preliminary results, this project goes one step further to address the unsolved challenges and pave the last mile to a complete generic unpacking solution. This project develops a novel machine learning model to extract the semantics of the original entry point. The proposed technique notably outperforms existing search heuristics. This project's hybrid de-obfuscation approaches enable unpacking tools to recover a fully functional version of the original binary, which is the ultimate goal of unpacking technique. To achieve stronger resilience to various anti-analysis attacks, the investigator advances the use of hardware supported lower-level features to detecting the end of unpacking. The proposed methods can handle a broader range of malware packers, even brand new packers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

具有损害计算机系统的有害意图的恶意软件一直是互联网面临的重大挑战之一。在富裕利润的驱动下，无情的恶意软件开发人员应用了各种混淆计划来规避恶意软件检测。二进制包装是恶意软件作者采用的最常见的混淆，以伪装恶意代码并击败流行的基于签名的恶意软件检测。二进制包装首先加密或压缩恶意软件代码作为数据，使其不受静态分析的影响。在运行时，随附的解压缩例程将解码的代码写入内存，然后恢复恶意有效载荷执行。在过去的二十年中，包装的恶意软件一直是反恶意软件景观的挑战。该项目从新的角度解决了这个问题，并以更好的性能和更强的抗分析抗性来提高最新技术的状态。该项目的新颖性是新方法和有效的工具，可以在没有包装工的事先了解的情况下提取包装的恶意软件有效载荷。该项目的影响为大规模恶意软件分析铺平了道路，并帮助人们迅速对新兴的恶意软件攻击做出反应。将通用的二进制解拆箱工作遭受高运行时开销和缺乏抗分析阻力的影响。该项目对各种恶意软件包装工进行了深入的研究，并揭示了有前途的研究方向，以解决长期存在的二进制解开问题。基于研究者的令人鼓舞的初步结果，该项目进一步迈出了一步，以应对未解决的挑战，并在最后一英里为完整的通用解开解决方案铺路。该项目开发了一种新颖的机器学习模型，以提取原始入口点的语义。提出的技术尤其优于现有的搜索启发式方法。该项目的混合脱束方法实现了拆卸工具，以恢复原始二进制功能的功能齐全的版本，这是解开包装技术的最终目标。为了对各种抗分析攻击实现更强的韧性，研究人员推进了使用硬件支持的低级功能来检测解开包装的结束。 所提出的方法可以处理更广泛的恶意软件包装工，甚至全新的包装工。该奖项反映了NSF的法定任务，并且使用基金会的知识分子优点和更广泛的影响评估标准，被认为值得通过评估来获得支持。

项目成果

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

• DOI: 10.1145/3503222.3507768
• 发表时间: 2022-02
• 期刊: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
• 作者: Haotian Zhang;Mengfei Ren;Yu Lei;Jiang Ming

PolyCruise: A Cross-Language Dynamic Information Flow Analysis

PolyCruise：跨语言动态信息流分析

• 发表时间: 2022
• 期刊: Proceedings of the 31st USENIX Security Symposium
• 作者: Wen Li, Jiang Ming

Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

• DOI: 10.1145/3460120.3484544
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Wenna Song;Jiang Ming;Lin Jiang;Yi Xiang;Xuanchen Pan;Jianming Fu;Guojun Peng

Obfuscation-Resilient Executable Payload Extraction From Packed Malware

• 发表时间: 2021
• 作者: Binlin Cheng;Jiang Ming;Erika A. Leal;Haotian Zhang;Jianming Fu;Guojun Peng;Jean-Yves Marion

Chosen-Instruction Attack Against Commercial Code Virtualization Obfuscators

• DOI: 10.14722/ndss.2022.24015
• 发表时间: 2022
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: Shijia Li;Chunfu Jia;Pengda Qiu;Qiyuan Chen;Jiang Ming;Debin Gao