News Archives

[Colloquium] Tools and techniques for understanding and defending real systems

February 1, 2007

Watch Colloquium: 

AVI file (379 MB)
Quicktime (154 MB)


  • Date: Thursday, February 1, 2007 
  • Time: 11 am — 12:15 pm 
  • Place: ECE 118

Jed Crandall University of California, Davis

Abstract: My research philosophy is to approach security not as a problem to be solved, but as a battle for defenders (such as antivirus professionals, law enforcement, and next-generation security technology developers) to wage; so my goal is to provide them with the tools they need, both as implementations of actual techniques they can use, and as theory that is firmly grounded in practice and can be applied to the situations that they face. This talk will cover two projects I have worked on: DACODA (DAvis malCODe Analyzer) and Temporal Search.

The threat of malware, such as worms and botnets, to the Internet infrastructure and other parts of the information economy is constantly growing and evolving. Where simple worms had once wreaked senseless havoc and vandalized hundreds of thousands of systems, now large botnets carry out the instructions of organized criminal enterprises – not because the former problem is solved, but because the threat has developed. One promising line of defense is network signatures that detect the exploits that worms and botnets use to spread. While malware writers could use polymorphism and metamorphism to change the network signature of their malware, they have not done so except in a very limited fashion, probably because defenses are not mature enough to warrant the effort. Given a lack of significant polymorphic and metamorphic worms and botnets in the wild, how can we assess the ability of defenses to protect against polymorphism and metamorphism before those defenses are deployed?

DACODA is a full-system implementation of symbolic execution for analyzing worm exploits. As a worm exploits a vulnerability on a victim host, such as a buffer overflow, there are particular bytes of the network traffic that cannot be changed without causing the attack to fail, for example “GET HTTP” cannot be removed from the Code Red worm exploit or the attack will not work. We used DACODA as a tool to quantify and study the limits of polymorphism and metamorphism and develop a theory to understand this threat to signature-based worm defenses. This theory is based on the intricacies of 14 real exploits that we analyzed, seven of them actual attacks or worms on our Minos/DACODA Internet honeypots.

We have also looked at the problem of responding to malware that has already spread out enough to cause a threat. Temporal search is a behavior-based analysis technique using virtual machines where it is possible to discover that a piece of malware is counting down to some event in the future (when it might, for example, delete all of your files or download new instructions from a public web server) without waiting for the event to occur. It is based on slight time perturbations, symbolic execution, predicate inversion, and then a weakest precondition analysis to account for quirks in the Gregorian calendar (leap years, number of days in each month, etc.). Applying a prototype of this technique to six real worms taught us a lot about timebomb attacks and behavior-based malware analysis in general.