I graduated with my Ph.D. in May 2012 and am now working at Symantec Research Labs in Culver City, CA.
Contact Information:
Phone:
(310)606-9692
Email:
(I've graduated but still read mail sent to this account)
Research Interests:
I have a strong background in machine learning and database research,
but my recent research has focused on building tools that make
challenging malware analysis tasks easier to solve. Suppose you were
a security analyst at a big firm and someone dropped a nasty virus on
you. Your task would be to quickly understand that piece of malware,
to find out how it got into your system and what it did to you.
I have extended the Dyninst Application Programming Interface
so that you can take a program in its final binary version, without
needing source code, even if it's evasive, defensive malware like the
virus in our example, and: find its code, analyze it, modify it, and
control its execution.
Dyninst is a well-stocked toolbox that makes it easy for people like
software engineers and security analysts to quickly build customized
test suites and analysis tools. The most important tools in our
box are control- and data-flow analyses, and
binary instrumentation.
If you were the security analyst in my example and needed to
understand a nasty virus, you could build up an understanding of it
from first principles, but this is not an easy task, since most malware
strongly resists analysis. To find the code in the .exe file, you'd
have to separate out the code bytes from a mixture of junk and data
bytes. To understand the code, you have to see through all
of the obfuscations that malware authors use to hide its meaning. To
monitor the malware's execution you have to circumvent its evasive
techniques. And to observe its nasty hidden behaviors, you need
mechanisms to help you control and manipulate the program's execution.
Today, security analysts do not have tools at their disposal
that help them accomplish all of these tasks, so they often end
up working out solutions from first principles, which requires
hiring expert analysts. But Dyninst has long been able to find code in
uncooperative binaries, analyze and modify their code, and control
their execution. My primary research contribution has been to extend
Dyninst to make its full capabilities available on malware, even if
it's highly defensive and evasive.
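The code-discovery problem described above, as an added illustration that is neither Dyninst's code nor the author's: a toy decoder for a handful of x86-64 opcodes (push/pop, xor reg,reg, mov reg,imm32, nop, ret, int3, hlt, jmp/jcc rel8, call/jmp rel32) run two ways over a constructed 25-byte buffer in which a short jump skips two junk bytes that begin with 0xE8. A linear sweep decodes the junk as a five-byte call, swallowing the real mov that follows it; control-flow-following (recursive-traversal) discovery, the approach Dyninst's parser builds on, never visits the junk and finds the mov, the called function, and nothing in the trailing data bytes. The opcode subset, byte buffer and function names are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Added example (not Dyninst code): toy decoder for a small x86-64 subset.
// len == 0 means "no decodable instruction at this offset".
struct Insn {
    size_t len;
    bool falls;        // control continues at pc + len
    bool has_target;   // direct branch/call with a statically known target
    size_t target;     // absolute buffer offset of that target
};

static int32_t rd32(const std::vector<uint8_t>& b, size_t at) {
    return (int32_t)((uint32_t)b[at] | ((uint32_t)b[at + 1] << 8) |
                     ((uint32_t)b[at + 2] << 16) | ((uint32_t)b[at + 3] << 24));
}

Insn decode(const std::vector<uint8_t>& b, size_t pc) {
    Insn i{0, true, false, 0};
    if (pc >= b.size()) return i;
    uint8_t op = b[pc];
    if (op == 0x90 || (op >= 0x50 && op <= 0x5F)) {              // nop, push/pop r64
        i.len = 1;
    } else if (op == 0xC3 || op == 0xCC || op == 0xF4) {           // ret, int3, hlt
        i.len = 1; i.falls = false;
    } else if (op == 0x31 && pc + 1 < b.size() && (b[pc + 1] & 0xC0) == 0xC0) {
        i.len = 2;                                                 // xor r32, r32
    } else if ((op == 0xEB || (op >= 0x70 && op <= 0x7F)) && pc + 2 <= b.size()) {
        i.len = 2; i.has_target = true;                            // jmp/jcc rel8
        i.target = pc + 2 + (int8_t)b[pc + 1];
        i.falls = (op != 0xEB);
    } else if ((op == 0xE8 || op == 0xE9) && pc + 5 <= b.size()) {
        i.len = 5; i.has_target = true;                            // call/jmp rel32
        i.target = pc + 5 + rd32(b, pc + 1);
        i.falls = (op == 0xE8);
    } else if (op >= 0xB8 && op <= 0xBF && pc + 5 <= b.size()) {
        i.len = 5;                                                 // mov r32, imm32
    }
    return i;
}

// Linear sweep: decode front to back; on an undecodable byte, resync one
// byte later the way objdump's "(bad)" does. Returns instruction start offsets.
std::set<size_t> linear_sweep(const std::vector<uint8_t>& b) {
    std::set<size_t> starts;
    size_t pc = 0;
    while (pc < b.size()) {
        Insn i = decode(b, pc);
        if (i.len == 0) { pc += 1; continue; }
        starts.insert(pc);
        pc += i.len;
    }
    return starts;
}

// Recursive traversal: follow control flow from the entry point, queueing
// branch and call targets; bytes never reached are never treated as code.
std::set<size_t> recursive_traversal(const std::vector<uint8_t>& b, size_t entry) {
    std::set<size_t> starts;
    std::vector<size_t> work{entry};
    while (!work.empty()) {
        size_t pc = work.back(); work.pop_back();
        while (pc < b.size() && !starts.count(pc)) {
            Insn i = decode(b, pc);
            if (i.len == 0) break;                 // not code on this path
            starts.insert(pc);
            if (i.has_target && i.target < b.size()) work.push_back(i.target);
            if (!i.falls) break;
            pc += i.len;
        }
    }
    return starts;
}

// Constructed sample (assumption for this example), offsets in comments:
//  0 push rbp | 1 xor eax,eax | 3 jmp +2 (to 7) | 5 junk E8 E8 |
//  7 mov eax,42 | 12 call +2 (to 19) | 17 pop rbp | 18 ret |
// 19 nop | 20 ret | 21 data "ABCD" (never reached)
std::vector<uint8_t> sample_bytes() {
    return {0x55, 0x31, 0xC0, 0xEB, 0x02, 0xE8, 0xE8,
            0xB8, 0x2A, 0x00, 0x00, 0x00, 0xE8, 0x02, 0x00, 0x00, 0x00,
            0x5D, 0xC3, 0x90, 0xC3, 0x41, 0x42, 0x43, 0x44};
}

int main() {
    std::vector<uint8_t> b = sample_bytes();
    std::set<size_t> lin = linear_sweep(b), rec = recursive_traversal(b, 0);
    std::printf("linear sweep starts:       "); for (size_t o : lin) std::printf("%zu ", o);
    std::printf("\nrecursive traversal starts: "); for (size_t o : rec) std::printf("%zu ", o);
    std::printf("\n");
    return 0;
}
```

The linear sweep reports a phantom call at offset 5 and never lists the mov at offset 7, because the junk 0xE8 consumed it as an operand; the traversal lists 7 and omits 5. Real packers exploit exactly this kind of misalignment, which is why a parser that follows control flow, and can be driven by the program's actual execution when static flow is unknown, is the starting point for the analyses described above.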
Now, if analyzing a single nasty virus is a daunting task, consider
what it's like for analysts at security companies. One of their
biggest challenges is understanding and categorizing the
thousands of new malware samples that are created each day. Dyninst
provides the tools needed to build malware analysis factories that
automate this process. The analyst tells Dyninst what analyses it
wants to run, what behaviors to log, and how to control the
programs. The analysis factory then executes the malware samples in an
isolated environment and produces the desired reports for each
sample. These factories are easy to build, and we have
implemented an example factory, which security analysts can
customize, to serve as a starting point.
Publications:
Kevin A. Roundy
"Hybrid Analysis and Control of Malicious Code",
Ph.D. Dissertation, deposited on May 2nd, 2012. [PDF]
Kevin A. Roundy and Barton P. Miller.
"Binary-Code Obfuscations in Prevalent Packer Tools",
To appear in ACM Computing Surveys. [PDF]
This work was partially funded by a grant from PC Antivirus Reviews.
Andrew R. Bernat, Kevin A. Roundy, and Barton P. Miller.
"Efficient, Sensitivity Resistant Binary Instrumentation",
International Symposium on Software Testing and Analysis (ISSTA),
Toronto, Canada, July 2011.
[PDF]
Kevin A. Roundy and Barton P. Miller.
"Hybrid Analysis and Control of Malware Binaries",
Recent Advances in Intrusion Detection (RAID),
Ottawa, Canada, September 2010.
[PDF]
My C.V.