Cukier receives NSF Trustworthy Computing grant for dynamic analysis of malcode

Associate Professor Michel Cukier (ME/ISR) has been given a two-year, $150K NSF Trustworthy Computing grant, Discovering Designer Intent through Dynamic Analysis of Malware.

The research addresses the problem of identifying and providing source code-based understanding of obfuscated malcode plaguing the Internet. Obfuscated malcode presents a clear and present danger to today?s society in terms of individual privacy, security as well as to the Internet?s overall trustworthiness. Attackers continue to use obfuscation to successfully defeat attempts by defenders to prevent infection or spread of the malcode.

The goal of the research will be to develop dynamic binary analysis processes for Internet worm executables. These processes will be used to create a reverse engineering framework to create assembly code from worm machine code and in turn create associated control and data flow graphs. Generalizations of instruction sequences, known as motifs, are extracted from these graphs using new techniques based in part on program slicing and will be applied against models of worm behavior described in terms of state machine, decision tree or family tree models; partial or complete matching against these models will yield knowledge of worm interactions with its target environment, its obfuscation techniques and its means of command, control and update by the attacker.

This research will help to assess if control and data flow graphs can represent any obfuscated malcode. In case some malcode cannot be represented using these graphs, other representations will be investigated. The accuracy of the malcode representation will be evaluated since the representation will be based mainly on system call analysis. Finally, several combinations of static and dynamic analyses will be studied to assess the impact on the malcode representation details.

Published August 21, 2009