@@ -12,9 +12,9 @@ A sizable group of related work focus on discovering malicious payloads on serve
\begin{newtext}%TODO: cover more here, and throw some more bones
Starov et al. extend a vulnerability analysis engine for PHP program~\cite{Dahse:2014wj} to discover and quantify features of a PHP webshell dataset~\cite{starov2016no}.
They mark functions of interest as potential sources of vulnerability and rely on manual code auditing to verify extracted features. Regarding webshells, our analysis results echo their findings.
However, while \cite{Dahse:2014wj} focuses on webshells, \sysname deals with diverse types of malware that are heavily obfuscated and injected into complex benign applications.
In fact, many of malware found by \sysname are implanted into the benign applications, and leverage Object-Oriented Programming (OOP) features and multiple functions to carry out the attacks. The webshells that Starov et al. analyze were comparably simple (no OOP features and inter-procedure malicious code)~\cite{Dahse:2014wj}.
Moreover, \cite{Dahse:2014wj} relies on unPHP~\cite{unphp} for deobfuscation of malware, which fails to deobfuscate about 40\% of their samples~\cite{starov2016no}. During our evaluation, \sysname handles samples that unPHP failed to deobfuscate.
However, while \cite{starov2016no} focuses on webshells, \sysname deals with diverse types of malware that are heavily obfuscated and injected into complex benign applications.
In fact, many of malware found by \sysname are implanted into the benign applications, and leverage Object-Oriented Programming (OOP) features and multiple functions to carry out the attacks. The webshells that Starov et al. analyze were comparably simple (i.e., no OOP features and inter-procedure malicious code, mentioned in \cite{starov2016no}).
Moreover, \cite{starov2016no} relies on unPHP~\cite{unphp} for deobfuscation of malware, which fails to deobfuscate about 40\% of their samples~\cite{starov2016no}. During our evaluation, \sysname handles samples that unPHP failed to deobfuscate.
%\sysname is an automated malware analysis and detection method and is able to handles different types of PHP malware, including heavily obfuscated ones.
\end{newtext}
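Review bot: The rewritten paragraph still ships with the `%TODO: cover more here, and throw some more bones` marker on the `\begin{newtext}` line and with a commented-out summary sentence at the end; drop both before merging, or turn the TODO into an issue. In the lines that now cite \cite{starov2016no} (the correct target, since \cite{Dahse:2014wj} is the RIPS engine they extended rather than the webshell study), the grammar still needs a pass: "many of malware found by \sysname are implanted" should read "much of the malware found by \sysname is implanted", "inter-procedure malicious code" should be "inter-procedural malicious code", and the parenthetical "(i.e., no OOP features and inter-procedure malicious code, mentioned in \cite{starov2016no})" reads as if the citation is what lacks OOP features; suggest "(i.e., no OOP features and no inter-procedural malicious code, as noted in \cite{starov2016no})". The closing claim "During our evaluation, \sysname handles samples that unPHP failed to deobfuscate" is the one concrete advantage argued here, so it should carry a count or a pointer to the evaluation section rather than stand unquantified, and "Regarding webshells, our analysis results echo their findings" should name which findings are echoed.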
...
...
@@ -45,11 +45,11 @@ Peng et al. advance counterfactual execution on binaries by providing better err
\begin{newtext}
Rozzle~\cite{kolbitsch2012rozzle} and GoldenEye~\cite{xu2014goldeneye} provide a similar approach to counterfactual execution, focusing on discovery of environment targeted malware.
In particular, Rozzle~\cite{kolbitsch2012rozzle}proposes a system that explores multiple execution paths by executing both possibilities whenever it encounters a branch that depends on the environment (e.g., for environment matching or fingerprinting).
Malware that does not rely on control flow branches can evade Rozzle~\cite{Kapravelos:2013tx}.
In particular, Rozzle~\cite{kolbitsch2012rozzle} explores multiple execution paths by executing both possibilities whenever it encounters a branch that depends on the environment (e.g., for environment matching or fingerprinting).
However, malware that does not rely on control flow branches can evade Rozzle~\cite{Kapravelos:2013tx}.
For example, a typical server-side malware injected into a plugin of a benign application (e.g., Joomla) will be activated by a statement \code{load\_plugin(\$config[`plugins'][...])} where \code{\$config} is a global variable that determines what plugin shoud be loaded. The malware may or may not be executed depending on \code{\$config}. As there are no branches involved, Rozzle would fail to detect this malware. Cooperative isolated execution handles this case by sharing the global variable \code{\$config} between isolated executions (Details in Section~\ref{design:cooperativeisolations}).
In addition, server-side malware are often injected into large benign applications, which may cause scalability issues for Rozzle and other approaches that use symbolic execution~\cite{yu2015handling}.
For example, a typical server-side malware injected into a plugin of a benign application (e.g., Joomla) will be activated by a statement \code{load\_plugin(\$config[`plugins'][...])} where \code{\$config} is a global variable that determines what plugin shoud be loaded. The malware may or may not be executed depending on \code{\$config}. As there are no branches involved, Rozzle would fail to detect this malware, and no weak updates are performed (they are only performed under branches). Cooperative isolated execution handles this case by sharing the global variable \code{\$config} between isolated executions (Details in Section~\ref{design:cooperativeisolations}).
In addition, PHP malware are often injected into complex benign programs, which cause scalability issues for approaches that use symbolic execution~\cite{yu2015handling, kolbitsch2012rozzle}.
%to symbolically track fingerprinting that relies on control flow branches. %TODO: continue based on usenix paper and https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_kapravelos.pdf and http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.726.5481&rep=rep1&type=pdf
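Review bot: In the new version of the Joomla example, "As there are no branches involved, Rozzle would fail to detect this malware, and no weak updates are performed (they are only performed under branches)" introduces "weak updates" without a definition or a citation in this section; either define the term (or reference where Rozzle's weak-update semantics are described) or cut the parenthetical, since a reader who does not know Rozzle internals cannot follow it. The sentence also overstates the situation: the environment dependence in \code{load\_plugin(\$config[`plugins'][...])} is carried by data (the array index) rather than by a control-flow branch in the malware itself, so "no environment-dependent branch in the injected code" is the defensible wording. The broadened scalability claim "approaches that use symbolic execution~\cite{yu2015handling, kolbitsch2012rozzle}" now attributes symbolic execution to Rozzle; make sure \cite{kolbitsch2012rozzle} actually supports a scalability problem on large PHP applications, or keep the citation to \cite{yu2015handling} only. Smaller fixes in the same lines: "shoud" should be "should", "PHP malware are often injected" should be "PHP malware is often injected", "(Details in Section~\ref{design:cooperativeisolations})" should be lowercase "(details in ...)", and the trailing `%TODO: continue based on usenix paper and ...` comment with raw URLs should be removed from the committed source.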