2020
|
Botacin, Marcus; Ceschin, Fabricio; de Geus, Paulo; Grégio, André We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations Journal Article Computers & Security, pp. 101859, 2020, ISSN: 0167-4048. Abstract | Links | BibTeX @article{BOTACIN2020101859,
title = {We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations},
author = {Marcus Botacin and Fabricio Ceschin and Paulo de Geus and André Grégio},
url = {http://www.sciencedirect.com/science/article/pii/S0167404820301310
https://secret.inf.ufpr.br/papers/marcus_av.pdf},
doi = {https://doi.org/10.1016/j.cose.2020.101859},
issn = {0167-4048},
year = {2020},
date = {2020-04-29},
journal = {Computers & Security},
pages = {101859},
abstract = {Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited to compare detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors create an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, turning malicious Web pages detectors less effective than malicious files detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring in lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable since all AVs presented detection regression effects after scans in different time frames using the same dataset and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary. To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assess corporate (and domestic) users to better evaluate the solutions that fit their needs more adequately.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited to compare detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors create an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, turning malicious Web pages detectors less effective than malicious files detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring in lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable since all AVs presented detection regression effects after scans in different time frames using the same dataset and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary. To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assess corporate (and domestic) users to better evaluate the solutions that fit their needs more adequately. |
Botacin, Marcus; de Geus, Paulo Lício; Grégio, André Leveraging branch traces to understand kernel internals from within Journal Article Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733. Abstract | Links | BibTeX @article{Botacin2020,
title = {Leveraging branch traces to understand kernel internals from within},
author = {Marcus Botacin and Paulo Lício de Geus and André Grégio},
url = {https://doi.org/10.1007/s11416-019-00343-w
https://secret.inf.ufpr.br//papers/reverse_kernel_marcus.pdf},
doi = {10.1007/s11416-019-00343-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-02},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes. |
Botacin, Marcus; Zanata, Marco; Grégio, André The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support Journal Article Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733. Abstract | Links | BibTeX @article{Botacin2020b,
title = {The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support},
author = {Marcus Botacin and Marco Zanata and André Grégio},
url = {https://doi.org/10.1007/s11416-020-00348-w
https://secret.inf.ufpr.br/papers/SMC_marcus.pdf},
doi = {10.1007/s11416-020-00348-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-01},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Self modifying code (SMC) are code snippets that modify themselves at runtime. Malware use SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Self modifying code (SMC) are code snippets that modify themselves at runtime. Malware use SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations. |
Sun, R; Botacin, M; Sapountzis, N; Yuan, X; Bishop, M; Porter, D E; Li, X; Gregio, A; Oliveira, D A Praise for Defensive Programming: LeveragingUncertainty for Effective Malware Mitigation Journal Article IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2020. Links | BibTeX @article{9061034,
title = {A Praise for Defensive Programming: LeveragingUncertainty for Effective Malware Mitigation},
author = {R Sun and M Botacin and N Sapountzis and X Yuan and M Bishop and D E Porter and X Li and A Gregio and D Oliveira},
url = {https://ieeexplore.ieee.org/document/9061034
https://secret.inf.ufpr.br/papers/chameleon.pdf},
year = {2020},
date = {2020-01-01},
journal = {IEEE Transactions on Dependable and Secure Computing},
pages = {1-1},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Botacin, Marcus; ~a, Giovanni Bert; de Geus, Paulo; Grégio, André; Kruegel, Christopher; Vigna, Giovanni On the Security of Application Installers and Online Software Repositories Conference Detection of Intrusions and Malware, and Vulnerability Assessment, Springer International Publishing, Cham, 2020, ISBN: 978-3-030-52683-2. Abstract | Links | BibTeX @conference{10.1007/978-3-030-52683-2_10b,
title = {On the Security of Application Installers and Online Software Repositories},
author = {Marcus Botacin and Giovanni Bert{~a}o and Paulo de Geus and André Grégio and Christopher Kruegel and Giovanni Vigna},
editor = {Clémentine Maurice and Leyla Bilge and Gianluca Stringhini and Nuno Neves},
url = {https://link.springer.com/chapter/10.1007/978-3-030-52683-2_10
https://secret.inf.ufpr.br/papers/marcus_dimva_bundle.pdf},
isbn = {978-3-030-52683-2},
year = {2020},
date = {2020-01-01},
booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment},
pages = {192--214},
publisher = {Springer International Publishing},
address = {Cham},
abstract = {The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge this gap by analyzing five popular software repositories. We focus on their software updating dynamics, as well as the presence of traces of vulnerable and/or trojanized applications among the top-100 most downloaded Windows programs on each of the evaluated repositories. We analyzed 2,935 unique programs collected in a period of 144 consecutive days. Our results show that: (i) the repositories frequently exhibit rank changes due to applications fast climbing toward the first positions; (ii) the repositories often update their payloads, which may cause the distribution of distinct binaries for the same intended application (binaries for the same applications may also be different in each repository); (iii) the installers are composed by multiple components and often download payloads from the Internet to complete their installation steps, posing new risks for users (we demonstrate that some installers are vulnerable to content tampering through man-in-the-middle attacks); (iv) the ever-changing nature of repositories and installers makes them prone to abuse, as we observed that 30% of all applications were reported malicious by at least one AV.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge this gap by analyzing five popular software repositories. We focus on their software updating dynamics, as well as the presence of traces of vulnerable and/or trojanized applications among the top-100 most downloaded Windows programs on each of the evaluated repositories. We analyzed 2,935 unique programs collected in a period of 144 consecutive days. Our results show that: (i) the repositories frequently exhibit rank changes due to applications fast climbing toward the first positions; (ii) the repositories often update their payloads, which may cause the distribution of distinct binaries for the same intended application (binaries for the same applications may also be different in each repository); (iii) the installers are composed by multiple components and often download payloads from the Internet to complete their installation steps, posing new risks for users (we demonstrate that some installers are vulnerable to content tampering through man-in-the-middle attacks); (iv) the ever-changing nature of repositories and installers makes them prone to abuse, as we observed that 30% of all applications were reported malicious by at least one AV. |
2019
|
Botacin, Marcus; Galante, Lucas; de Geus, Paulo; Grégio, André RevEngE is a Dish Served Cold: Debug-Oriented Malware Decompilation and Reassembly Inproceedings Proceedings of the 3rd Reversing and Offensive-Oriented Trends Symposium, Association for Computing Machinery, Vienna, Austria, 2019, ISBN: 9781450377751. Abstract | Links | BibTeX @inproceedings{10.1145/3375894.3375895,
title = {RevEngE is a Dish Served Cold: Debug-Oriented Malware Decompilation and Reassembly},
author = {Marcus Botacin and Lucas Galante and Paulo de Geus and André Grégio},
url = {https://doi.org/10.1145/3375894.3375895
https://secret.inf.ufpr.br/papers/roots_revenge.pdf},
doi = {10.1145/3375894.3375895},
isbn = {9781450377751},
year = {2019},
date = {2019-11-28},
booktitle = {Proceedings of the 3rd Reversing and Offensive-Oriented Trends Symposium},
publisher = {Association for Computing Machinery},
address = {Vienna, Austria},
series = {ROOTS’19},
abstract = {Malware analysis is key for cybersecurity overall improvement. Analysis tools have been evolving from complete static analyzers to decompilers. Malware decompilation allows for code inspection at higher abstraction levels, easing incident response. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others. In this paper, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges. We name this approach "DoD---debug-oriented decompilation", in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tool, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time decompilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered "clean" by all VirusTotal's AVs.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Malware analysis is key for cybersecurity overall improvement. Analysis tools have been evolving from complete static analyzers to decompilers. Malware decompilation allows for code inspection at higher abstraction levels, easing incident response. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others. In this paper, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges. We name this approach "DoD---debug-oriented decompilation", in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tool, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time decompilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered "clean" by all VirusTotal's AVs. |
