Commit 95d0f0f8 authored by Yonghwi Kwon

weak updates / [53]

parent 5eaec2f9
# Fdb version 3
["bibtex malmax_ccs19"] 1567360708 "malmax_ccs19.aux" "malmax_ccs19.bbl" "malmax_ccs19" 1567360732
["bibtex malmax_ccs19"] 1567366920 "malmax_ccs19.aux" "malmax_ccs19.bbl" "malmax_ccs19" 1567366998
"./ACM-Reference-Format.bst" 1566237166 97471 94d2174e63fb9cd866ec1d0b392ce46c ""
"bibliography.bib" 1567358090 25864 2c59eaf8096125618e7c9823a2ec05d1 ""
"malmax_ccs19.aux" 1567360731 24478 b995e2ac2cdf1520e15cd86b103fdd9c "pdflatex"
"malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb "pdflatex"
(generated)
"malmax_ccs19.blg"
"malmax_ccs19.bbl"
["pdflatex"] 1567360728 "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf" "malmax_ccs19" 1567360732
"malmax_ccs19.blg"
["pdflatex"] 1567366994 "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf" "malmax_ccs19" 1567366998
"acmart.cls" 1566237166 79165 9bd9819004b9cbcd198fd558b6385e8a ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.aux" 1567360731 24478 b995e2ac2cdf1520e15cd86b103fdd9c ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" 1567360728 2059 98cbaa0bb0780f92c22bb970e486c461 ""
"c:/texlive/2019/texmf-dist/fonts/enc/dvips/base/8r.enc" 1564961813 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
"c:/texlive/2019/texmf-dist/fonts/enc/dvips/libertine/lbtn_25tcsq.enc" 1564962551 2921 8ca0eb0831f9bc5da080d3697cfe67bf ""
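Review bot: a latexmk build database (the `# Fdb version 3` file) should not be under version control. It is rewritten on every run, so each build churns the timestamps and MD5 sums on lines such as `"malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb "pdflatex"`, and it records absolute local paths like `c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex`. Suggest removing `*.fdb_latexmk` from the repository and adding it to `.gitignore` so that paper commits carry only source changes.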
......@@ -310,9 +310,9 @@
"fig/scanned_files.pdf" 1566237166 27844 35daa5de9c15f348b6245184597b76a1 ""
"fig/total_file_category.pdf" 1566237166 11090 3eb57ca7b23a2abd789ac04c12fc3690 ""
"fig/vttypes.pdf" 1566237166 12913 03c627debe93a0b4215d2b3d6d46c546 ""
"malmax_ccs19.aux" 1567360731 24478 b995e2ac2cdf1520e15cd86b103fdd9c "pdflatex"
"malmax_ccs19.bbl" 1567360709 40253 9d61caf79a2b9f01e7bc67690cd92e23 "bibtex malmax_ccs19"
"malmax_ccs19.out" 1567360731 5338 bd229c1d70aeec79c5b9144a7e01e758 "pdflatex"
"malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb "pdflatex"
"malmax_ccs19.bbl" 1567366920 40253 9d61caf79a2b9f01e7bc67690cd92e23 "bibtex malmax_ccs19"
"malmax_ccs19.out" 1567366997 5338 bd229c1d70aeec79c5b9144a7e01e758 "pdflatex"
"malmax_ccs19.tex" 1567360728 2059 98cbaa0bb0780f92c22bb970e486c461 ""
"sections/abstract.tex" 1567358090 4076 fadbcd1baf271175daf23a728db1a5c1 ""
"sections/appendix-counterfactual.tex" 1567358090 40038 ceab15dcd009424a22f32f82dae8a577 ""
......@@ -327,16 +327,16 @@
"sections/future-work.tex" 1566237166 1793 3f0cd6541049c944d02dbae4083525e3 ""
"sections/introduction.tex" 1567358090 17337 6e5badf8a44a3c179c3a158c4e2f9c0b ""
"sections/method.tex" 1567358542 44172 4ff0a957275aebacabf4eae644184abc ""
"sections/related-work.tex" 1567360682 9472 3cbf9a8ce163a5168b09d61fdcbdc6f8 ""
"sections/related-work.tex" 1567366993 10188 415cf0d361d3698b1f24bb3d4fea8201 ""
"sections/summary.tex" 1567100002 2197 d7e8c8e5d41c9d9310dda781b7d08d2f ""
"table-category.tex" 1567359043 1150 914138172c680826c111b5185b18620e ""
"table-details.tex" 1567358090 16764 4dc16ea4c37e23a0bbe53166c2adeb6c ""
"table-fp.tex" 1567358090 4063 6906fb82a424f51a06da7637524adaad ""
"table-perf.tex" 1567358090 842 fc9c92e6825eca28e313974d7cac082d ""
(generated)
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf"
"malmax_ccs19.pdf"
"malmax_ccs19.aux"
"malmax_ccs19.log"
"malmax_ccs19.pdf"
"malmax_ccs19.out"
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf"
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.log"
"malmax_ccs19.log"
......@@ -515,14 +515,14 @@ INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/future
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/future-work.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/summary.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/summary.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/newtx/nxlmi.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/rfxlri-alt.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/txfonts/txmi.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/zxlr-8r.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/zxlri-8r.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/rntxmi.tfm
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinLibertineTI-tlf-t1.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/newtx/nxlmi7.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/fxlri-7alt.tfm
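Review bot: this recorder listing (the `INPUT ...` lines written by latexmk's recorder file) is regenerated on each compile and embeds the absolute Windows path of the working tree (`c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/...`); the only changes in this hunk are duplicated `INPUT ... malmax_ccs19.bbl` entries caused by the bibliography being reread. Suggest ignoring this file (`*.fls`) rather than committing it.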
......
......@@ -12,9 +12,9 @@ A sizable group of related work focus on discovering malicious payloads on serve
\begin{newtext} %TODO: cover more here, and throw some more bones
Starov et al. extend a vulnerability analysis engine for PHP program~\cite{Dahse:2014wj} to discover and quantify features of a PHP webshell dataset~\cite{starov2016no}.
They mark functions of interest as potential sources of vulnerability and rely on manual code auditing to verify extracted features. Regarding webshells, our analysis results echo their findings.
However, while \cite{Dahse:2014wj} focuses on webshells, \sysname deals with diverse types of malware that are heavily obfuscated and injected into complex benign applications.
In fact, many of malware found by \sysname are implanted into the benign applications, and leverage Object-Oriented Programming (OOP) features and multiple functions to carry out the attacks. The webshells that Starov et al. analyze were comparably simple (no OOP features and inter-procedure malicious code)~\cite{Dahse:2014wj}.
Moreover, \cite{Dahse:2014wj} relies on unPHP~\cite{unphp} for deobfuscation of malware, which fails to deobfuscate about 40\% of their samples~\cite{starov2016no}. During our evaluation, \sysname handles samples that unPHP failed to deobfuscate.
However, while \cite{starov2016no} focuses on webshells, \sysname deals with diverse types of malware that are heavily obfuscated and injected into complex benign applications.
In fact, many of malware found by \sysname are implanted into the benign applications, and leverage Object-Oriented Programming (OOP) features and multiple functions to carry out the attacks. The webshells that Starov et al. analyze were comparably simple (i.e., no OOP features and inter-procedure malicious code, mentioned in \cite{starov2016no}).
Moreover, \cite{starov2016no} relies on unPHP~\cite{unphp} for deobfuscation of malware, which fails to deobfuscate about 40\% of their samples~\cite{starov2016no}. During our evaluation, \sysname handles samples that unPHP failed to deobfuscate.
%\sysname is an automated malware analysis and detection method and is able to handles different types of PHP malware, including heavily obfuscated ones.
\end{newtext}
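Review bot: grammar in the rewritten sentence `In fact, many of malware found by \sysname are implanted into the benign applications` should read `many of the malware samples found by \sysname are implanted into benign applications`, and the new parenthetical `(i.e., no OOP features and inter-procedure malicious code, mentioned in \cite{starov2016no})` reads better as `(i.e., no OOP features and no inter-procedural malicious code~\cite{starov2016no})`. Switching the citations from `\cite{Dahse:2014wj}` to `\cite{starov2016no}` is correct, since the claims concern Starov et al.'s webshell study rather than the Dahse vulnerability engine, but the sentence `Moreover, \cite{starov2016no} relies on unPHP~\cite{unphp} ... ~\cite{starov2016no}` now cites the same paper twice; drop the trailing citation. The `%TODO: cover more here` comment on the `\begin{newtext}` line should be resolved or removed before submission.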
......@@ -45,11 +45,11 @@ Peng et al. advance counterfactual execution on binaries by providing better err
\begin{newtext}
Rozzle~\cite{kolbitsch2012rozzle} and GoldenEye~\cite{xu2014goldeneye} provide a similar approach to counterfactual execution, focusing on discovery of environment targeted malware.
In particular, Rozzle~\cite{kolbitsch2012rozzle} proposes a system that explores multiple execution paths by executing both possibilities whenever it encounters a branch that depends on the environment (e.g., for environment matching or fingerprinting).
Malware that does not rely on control flow branches can evade Rozzle~\cite{Kapravelos:2013tx}.
In particular, Rozzle~\cite{kolbitsch2012rozzle} explores multiple execution paths by executing both possibilities whenever it encounters a branch that depends on the environment (e.g., for environment matching or fingerprinting).
However, malware that does not rely on control flow branches can evade Rozzle~\cite{Kapravelos:2013tx}.
For example, a typical server-side malware injected into a plugin of a benign application (e.g., Joomla) will be activated by a statement \code{load\_plugin(\$config[`plugins'][...])} where \code{\$config} is a global variable that determines what plugin shoud be loaded. The malware may or may not be executed depending on \code{\$config}. As there are no branches involved, Rozzle would fail to detect this malware. Cooperative isolated execution handles this case by sharing the global variable \code{\$config} between isolated executions (Details in Section~\ref{design:cooperativeisolations}).
In addition, server-side malware are often injected into large benign applications, which may cause scalability issues for Rozzle and other approaches that use symbolic execution~\cite{yu2015handling}.
For example, a typical server-side malware injected into a plugin of a benign application (e.g., Joomla) will be activated by a statement \code{load\_plugin(\$config[`plugins'][...])} where \code{\$config} is a global variable that determines what plugin shoud be loaded. The malware may or may not be executed depending on \code{\$config}. As there are no branches involved, Rozzle would fail to detect this malware, and no weak updates are performed (they are only performed under branches). Cooperative isolated execution handles this case by sharing the global variable \code{\$config} between isolated executions (Details in Section~\ref{design:cooperativeisolations}).
In addition, PHP malware are often injected into complex benign programs, which cause scalability issues for approaches that use symbolic execution~\cite{yu2015handling, kolbitsch2012rozzle}.
%to symbolically track fingerprinting that relies on control flow branches. %TODO: continue based on usenix paper and https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_kapravelos.pdf and http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.726.5481&rep=rep1&type=pdf
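Review bot: the newly added clause `and no weak updates are performed (they are only performed under branches)` uses a term that this paragraph never defines and gives no section reference for; either define weak updates in one sentence here or point to the section that introduces them, as the next sentence does with `Section~\ref{design:cooperativeisolations}`. Also, `shoud be loaded` is a typo carried over from the old line (`should`), `PHP malware are often injected into complex benign programs, which cause scalability issues` should be `which causes`, and `(Details in ...)` should be lower-case `(details in ...)`. The commented-out `%TODO: continue based on usenix paper and https://...` line is still in the source and should be cleared before camera-ready.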
......