
[Colloquium] Hybrid Analysis and Control of Malware

April 23, 2012

Watch Colloquium: M4V file (716 MB)

  • Date: Monday, April 23, 2012 
  • Time: 3:30 pm — 4:30 pm 
  • Place: Centennial Engineering Center 1041 (NOTE DIFFERENT LOCATION AND TIME)

Barton P. Miller
Computer Sciences Department, University of Wisconsin

Malware attacks necessitate extensive forensic analysis efforts that are manual-labor intensive because of the analysis-resistance techniques that malware authors employ. The most prevalent of these techniques are code unpacking, code overwriting, and control transfer obfuscations. We simplify the analyst’s task by analyzing the code prior to its execution and by providing the ability to selectively monitor its execution. We achieve pre-execution analysis by combining static and dynamic techniques to construct control- and data-flow analyses. These analyses form the interface by which the analyst instruments the code. This interface simplifies the instrumentation task, allowing us to reduce the number of instrumented program locations by a hundred-fold relative to existing instrumentation-based methods of identifying unpacked code. We implement our techniques in SD-Dyninst and apply them to a large corpus of malware, performing analysis tasks such as code coverage tests and call-stack traversals that are greatly simplified by hybrid analysis.
Bio: Barton P. Miller is a Professor of Computer Sciences at the University of Wisconsin, Madison. He received his B.A. degree from the University of California, San Diego in 1977, and M.S. and Ph.D. degrees in Computer Science from the University of California, Berkeley in 1980 and 1984. Professor Miller is a Fellow of the ACM.