Input generation via decomposition and re-stitching: Finding bugs in malware

Juan Caballero, Pongsin Poosankam, Stephen McCamant, Domagoj Babić, Dawn Song

Research output: Chapter in Book/Report/Conference proceedingConference contribution

29 Scopus citations

Abstract

Attackers often take advantage of vulnerabilities in benign software, and the authors of benign software must search their code for bugs in hopes of finding vulnerabilities before they are exploited. But there has been little research on the converse question of whether defenders can turn the tables by finding vulnerabilities in malware. We provide a first affirmative answer to that question. We introduce a new technique, stitched dynamic symbolic execution, that makes it possible to use exploration techniques based on symbolic execution in the presence of functionalities that are common in malware and otherwise hard to analyze, such as decryption and checksums. The technique is based on decomposing the constraints induced by a program, solving only a subset, and then re-stitching the constraint solution into a complete input. We implement the approach in a system for ×86 binaries, and apply it to 4 prevalent families of bots and other malware. We find 6 bugs that could be exploited by a network attacker to terminate or subvert the malware. These bugs have persisted across malware revisions for months, and even years. We discuss the possible applications and ethical considerations of this new capability.

Original languageEnglish (US)
Title of host publicationCCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security
Pages413-425
Number of pages13
DOIs
StatePublished - Dec 16 2010
Event17th ACM Conference on Computer and Communications Security, CCS'10 - Chicago, IL, United States
Duration: Oct 4 2010Oct 8 2010

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other17th ACM Conference on Computer and Communications Security, CCS'10
CountryUnited States
CityChicago, IL
Period10/4/1010/8/10

Keywords

  • Binary analysis
  • Composition
  • Input generation
  • Malware

Fingerprint Dive into the research topics of 'Input generation via decomposition and re-stitching: Finding bugs in malware'. Together they form a unique fingerprint.

  • Cite this

    Caballero, J., Poosankam, P., McCamant, S., Babić, D., & Song, D. (2010). Input generation via decomposition and re-stitching: Finding bugs in malware. In CCS'10 - Proceedings of the 17th ACM Conference on Computer and Communications Security (pp. 413-425). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/1866307.1866354