CAMP: Content-Agnostic Malware Protection

In spite of recent advances, the world wide web remains
an important vector for malware installation. Approaches
to evaluating potentially malicious code before execution in a
browser, such as blacklisting or content-based detection are
hindered by an attacker’s ability to easily change hosting domains
or mutate malware binaries. On the other hand, whitelistbased
approaches are challenged by the large, dynamic, and
heterogeneous space of benign binaries that they must track. In
practice these approaches continue to provide value for popular
binaries at either extreme of maliciousness (e.g., the current large
outbreak of malware, the benign binaries shipped with an OS),
but bridging the gap between whitelist and blacklist detection
for web malware remains a significant challenge.
This paper presents CAMP, a content-agnostic malware protection
system based on binary reputation that is designed to
address these shortcomings. CAMP is built into the browser and
determines the reputation of most downloads locally, relying on
server-side reputation data only when a local decision cannot be
made. This paper gives a detailed overview of CAMP and its
architecture and provides an evaluation of the system through
a six-month deployment in which 200 million users of Google
Chrome requested between eight to ten million reputation requests
a day. Our evaluation shows that CAMP exhibits accuracy
close to 99% relative to proprietary VM-based dynamic analysis,
is able to process requests in less than 130 ms on average, and
was able to detect approximately five million intentional malware
downloads per month that were not detected by existing solutions.

Source: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/41137.pdf

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware

Although the concept of ransomware is not new (i.e.,
such attacks date back at least as far as the 1980s), this
type of malware has recently experienced a resurgence
in popularity. In fact, in the last few years, a number
of high-profile ransomware attacks were reported, such
as the large-scale attack against Sony that prompted the
company to delay the release of the film “The Interview.”
Ransomware typically operates by locking the desktop
of the victim to render the system inaccessible to the
user, or by encrypting, overwriting, or deleting the user’s
files. However, while many generic malware detection
systems have been proposed, none of these systems have
attempted to specifically address the ransomware detection
problem.
In this paper, we present a novel dynamic analysis system
called UNVEIL that is specifically designed to detect
ransomware. The key insight of the analysis is that
in order to mount a successful attack, ransomware must
tamper with a user’s files or desktop. UNVEIL automatically
generates an artificial user environment, and detects
when ransomware interacts with user data. In parallel,
the approach tracks changes to the system’s desktop
that indicate ransomware-like behavior. Our evaluation
shows that UNVEIL significantly improves the state
of the art, and is able to identify previously unknown
evasive ransomware that was not detected by the antimalware
industry.

Source: http://www.ccs.neu.edu/home/mkharraz/publications/unveil-USENIX.pdf

XRay: A Function Call Tracing System

Debugging high throughput, low-latency C/C++ systems in production is hard. At Google we developed XRay, a function call tracing system that allows Google engineers to get accurate function call traces with negligible overhead when off and moderate overhead when on, suitable for services deployed in production. XRay enables efficient function call entry/exit logging with high accuracy timestamps, and can be dynamically enabled and disabled. This white paper describes the XRay tracing system and its implementation. It also describes future plans with open sourcing XRay and engaging open source communities.

Source: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45287.pdf

Flayer: Exposing Application Internals

Flayer is a tool for dynamically exposing application
innards for security testing and analysis. It is implemented
on the dynamic binary instrumentation framework
Valgrind [17] and its memory error detection plugin,
Memcheck [21]. This paper focuses on the implementation
of Flayer, its supporting libraries, and their application
to software security.
Flayer provides tainted, or marked, data flow analysis
and instrumentation mechanisms for arbitrarily altering
that flow. Flayer improves upon prior taint tracing
tools with bit-precision. Taint propagation calculations
are performed for each value-creating memory or register
operation. These calculations are embedded in the
target application’s running code using dynamic instrumentation.
The same technique has been employed to allow
the user to control the outcome of conditional jumps
and step over function calls.
Flayer’s functionality provides a robust foundation for
the implementation of security tools and techniques. In
particular, this paper presents an effective fault injection
testing technique and an automation library, LibFlayer.
Alongside these contributions, it explores techniques for
vulnerability patch analysis and guided source code auditing.
Flayer finds errors in real software. In the past year, its
use has yielded the expedient discovery of flaws in security
critical software including OpenSSH and OpenSSL.

Source: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33253.pdf

Combining compile-time and run-time instrumentation for testing tools

Dynamic program analysis and testing tools typically require inserting extra instrumentation code into the program to test. The inserted instrumentation then gathers data about the program execution and hands it off to the analysis algorithm. Various analysis algorithms can be used to perform CPU profiling, processor cache simulation, memory error detection, data race detection, etc. Usually the instrumentation is done either at run time or atcompile time – called dynamic instrumentation and compiler instrumentation, respectively. However, each of these methods has to make a compromise between performance and versatil-ity when used in industry software development. This paper presents a combined approach to instrumentationwhich takes the best of the two worlds – the low run-time overhead and unique features of compile-time instrumentation and the flexibility of dynamic instrumentation. Wepresent modifications of two testing tools that benefit from thisapproach: AddressSanitizer and MemorySanitizer. We propose benchmarks to compare different instrumentation frameworks in conditions specific to hybrid instrumenta-tion. We discuss the changes we made to one of the state-of-the-art instrumentation frameworks to significantly improve the performance of hybrid tools.

Source: http://swsys.ru/index.php?page=article&id=3593&lang=en