Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware
[PDF] [PS] [PS.BZ2] [VIEW]
Bibtex:
@inproceedings{caballero10stitching,
author = {Juan Caballero and Pongsin Poosankam and Stephen McCamant
and Domagoj Babi\'c and Dawn Song},
title = {{Input Generation via Decomposition and Re-Stitching: Finding
Bugs in Malware}},
booktitle = {CCS'10: Proceedings of the 2010 ACM Conference on
Computer and Communications Security},
year = {2010},
publisher = {ACM},
pages = {413--426},
location = {Chicago, Illinois, USA},
}
Abstract:
Attackers often take advantage of vulnerabilities in benign software,
and the authors of benign software must search their code for bugs in
hopes of finding vulnerabilities before they are exploited. But there
has been little research on the converse question of whether defenders
can turn the tables by finding vulnerabilities in malware. We provide a
first affirmative answer to that question. We introduce a new
technique, stitched dynamic symbolic execution, that makes it possible
to use exploration techniques based on symbolic execution in the
presence of functionalities that are common in malware and otherwise
hard to analyze, such as decryption and checksums. The technique is
based on decomposing the constraints induced by a program, solving only
a subset, and then re-stitching the constraint solution into a complete
input. We implement the approach in a system for x86 binaries, and
apply it to 4 prevalent families of bots and other malware. We find 6
bugs that could be exploited by a network attacker to terminate or
subvert the malware. These bugs have persisted across malware revisions
for months, and even years. We discuss the possible applications and
ethical considerations of this new capability.