Simseer and Bugwise
Web Services for Binary-level Software Similarity and Defect Detection

SILVIO CESARE AND YANG XIANG
DEAKIN UNIVERSITY
Introduction

 Defect detection
   Finds software bugs

   E.g., buffer overflows, divide-by-zeros, use-after-frees

 Malware variant detection
   Discover obfuscated, evolved, mutated copies of malware

 Software theft detection
   Discover illegitimate copies of software

 Plagiarism detection
   Discover unauthorized copying of software code.

   E.g., student assignments.
Motivation

 Defect detection
    External Auditing
    Verification of compilation and linkage
 Malware variant detection
    Increase predictive power of signatures
    Most new malware are variants of existing malware
 Software theft detection
    Protection of intellectual property
    Automated detection reduces costs of investigation
 Plagiarism detection
    Provide a deterrent through automated detection
    Manual approach not scalable
Innovation

 This research makes the following contributions:
    We propose an online web service, Bugwise, to perform
     binary-level defect detection.
    We propose an online web service, Simseer, to address
     malware variant detection, software theft detection and
     plagiarism detection.
    We use state-of-the-art algorithms in novel applications.
    We implement and make our services public.
Related Work

 Defect detection
   Formal methods, program analysis, abstract interpretation,
    data flow analysis.
 Software similarity
   Features make a birthmark (fingerprint)
   Similarity function comparing birthmarks (euclidean distance,
    cosine similarity etc).
 Birthmarks
   Vectors, strings, sets, trees, graphs etc.
   Byte-level content, instructions, basic blocks, control flow, API
    calls etc.
   Our system uses control flow.
Our Approach

 Bugwise and Simseer use a unified backend from our
 previous work – Malwise.

 We implement two web services using cloud-based
 virtual private servers.

 Simseer
    Uses control flow as a feature to generate a signature (birthmark).


 Bugwise
    Combines decompilation with traditional data flow analysis to detect
     several bug classes.
Web Services Workflow

[Diagram: the Web Frontend (Script, Evolutionary Tree Creation, Store and Display Results) and the Scan Server (Scheduler, Script, Malwise) are connected by SSH tunnels, with separate tunnels labelled Simseer and Bugwise.]
The Web Frontend

 Accepts submission of archives and executables.

 Implemented with server side PHP programming
 language.

 PHP launches script to process submitted binary.

 Script performs validation.
    E.g., Filenames have no special characters.

 Launches C++ network client to submit binary to scan
 server.
The Web Frontend
The Scheduling Work Queue

 Listens to TCP port on scan server.

 Connects to web frontend via SSH tunnel.

 Accepts binaries from web frontend.

 Queues jobs so that only 1 is running at any time.

 Launches Simseer or Bugwise script to process
 binary.
Malwise Backend

 Malwise is a native C++ application of ~100,000
 LOC.

 Plugin-based modular system.


 Simseer and Bugwise differ by their configuration
 and plugins.

 Configuration specified in XML.
The Simseer Backend

 Performs unpacking to remove malware obfuscation.


 Decompiles the control flow.


 1st pass generates signatures.


 2nd pass shows similarity between signatures.
The Bugwise Backend

 Performs decompilation of local variables.

 Performs compiler-style optimisations (dead code
 elimination, copy propagation, constant folding etc).

 Performs data flow analysis (reaching definitions,
 upwards exposed uses etc).

 Detects double frees (deallocating the same memory
 twice) using the data flow analysis results.
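A sketch of how a double free can be derived from reaching definitions, added here as an illustration and not taken from Bugwise or Malwise. The three-operation IR, the sample control flow graphs and all names are constructed assumptions; the analysis is intraprocedural and assumes pointer copies were already removed by copy propagation.

```python
from collections import defaultdict

# Constructed IR (hypothetical): block name -> [(address, op, variable)].
# ops: "alloc" assigns a fresh heap pointer, "free" deallocates, "use" reads.
BRANCH_BUG = (
    {"entry": [(0x1000, "alloc", "p")],
     "err":   [(0x1010, "free", "p")],    # error path frees p ...
     "ok":    [(0x1020, "use", "p")],
     "exit":  [(0x1030, "free", "p")]},   # ... and the common exit frees it again
    {"entry": ["err", "ok"], "err": ["exit"], "ok": ["exit"]},
)
REALLOCATED = (                            # free, re-allocate, free: not a bug
    {"entry": [(0x2000, "alloc", "p"), (0x2008, "free", "p"),
               (0x2010, "alloc", "p"), (0x2018, "free", "p")]},
    {},
)
LOOP_BUG = (                               # free inside a loop without re-allocation
    {"head": [(0x3000, "alloc", "p")], "loop": [(0x3008, "free", "p")], "exit": []},
    {"head": ["loop"], "loop": ["loop", "exit"]},
)


def transfer(block, state, findings=None):
    """Push a (reaching definitions, freed definitions) state through one block."""
    reach, freed = set(state[0]), set(state[1])
    for addr, op, var in block:
        if op == "alloc":
            # A new definition kills older definitions of var and their freed marks.
            reach = {(v, d) for v, d in reach if v != var} | {(var, addr)}
            freed = {f for f in freed if f[0] != var}
        elif op == "free":
            live = {d for v, d in reach if v == var}
            for v, d, first in freed:
                # The same definition reaches this free and was already freed.
                if v == var and d in live and findings is not None:
                    findings.add((first, addr, var))
            freed |= {(var, d, addr) for d in live}
    return frozenset(reach), frozenset(freed)


def find_double_frees(blocks, succ):
    """Return sorted (first_free_addr, second_free_addr, variable) findings."""
    preds = defaultdict(list)
    for src, dsts in succ.items():
        for dst in dsts:
            preds[dst].append(src)
    out = {name: (frozenset(), frozenset()) for name in blocks}

    def block_in(name):
        # May-analysis: the join over predecessors is set union.
        ins = [out[p] for p in preds[name]]
        return (frozenset().union(*(i[0] for i in ins)),
                frozenset().union(*(i[1] for i in ins)))

    work = list(blocks)
    while work:                            # iterate to a fixed point
        name = work.pop(0)
        new = transfer(blocks[name], block_in(name))
        if new != out[name]:
            out[name] = new
            work.extend(s for s in succ.get(name, []) if s not in work)

    findings = set()
    for name in blocks:                    # report once the states are stable
        transfer(blocks[name], block_in(name), findings)
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("branch", BRANCH_BUG), ("realloc", REALLOCATED), ("loop", LOOP_BUG)):
        hits = find_double_frees(*cfg)
        print(label, [(hex(a), hex(b), v) for a, b, v in hits])
```

Because the join is a union, a free that is unsafe on only one path is still reported, which is the behaviour wanted from a bug finder working on binaries without path conditions.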
Configuration - Simseer, Bugwise

Simseer:

<ModuleGroup>
   <Name>Scan</Name>
   <Run>Packer Detection Using Entropy</Run>
   <Run>Unpacker Using Application Level Emulation</Run>
   <Run>Structuring</Run>
   <Run>NGram Structuring</Run>
</ModuleGroup>

Bugwise:

<ModuleGroup>
   <Name>Scan</Name>
   <Run>Code Optimsation 1</Run>
   <Run>Linux Arch</Run>
   <Run>Pre Decompiler Data Flow Analysis</Run>
   <Run>X86 Decompiler Data Flow Analysis</Run>
   <Run>Decompiler Data Flow Analysis</Run>
   <Run>Code Optimsation 2</Run>
   <Run>IRDataFlowAnalysis</Run>
   <Run>Double Free Detection</Run>
</ModuleGroup>
Simseer Evolutionary Tree Visualization

 Phylogenetic tree – e.g. tree of life.

 The closer nodes are in the tree, the more similar those
  nodes are.

 Simseer backend generates distance/similarity matrix.

 PHYLIP software package takes matrix and generates
  tree.

 Tree is rendered to an image.
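The path from birthmarks (Related Work slide) to the matrix handed to PHYLIP (this slide), as an added example that is not Simseer's code. It assumes character n-grams over a control flow string as the birthmark and cosine similarity as the similarity function; the three flow strings and sample names are constructed.

```python
import math
from collections import Counter

# Constructed stand-ins for structured control flow strings of three programs.
SAMPLES = {
    "sampleA":  "W{I{B}E{B}}BI{B}R",
    "variantA": "W{I{B}E{B}}BI{BB}R",   # small mutation of sampleA
    "otherB":   "BBBI{W{B}}RBR",        # unrelated program
}


def birthmark(flow, n=4):
    """Birthmark as a vector of n-gram counts over the control flow string."""
    return Counter(flow[i:i + n] for i in range(len(flow) - n + 1))


def cosine(a, b):
    """Cosine similarity of two sparse count vectors; 0.0 if either is empty."""
    dot = sum(a[g] * b[g] for g in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def similarity_matrix(flows, n=4):
    marks = [birthmark(f, n) for f in flows]
    return [[cosine(x, y) for y in marks] for x in marks]


def to_phylip(names, sim):
    """Render 1 - similarity as a square PHYLIP distance matrix.

    PHYLIP reads the taxon count on the first line, then one row per taxon
    whose first ten characters are the (blank-padded) name.
    """
    labels = [name[:10].ljust(10) for name in names]
    if len(set(labels)) != len(labels):
        raise ValueError("names must be unique within their first 10 characters")
    lines = [f"{len(names):5d}"]
    for label, row in zip(labels, sim):
        dists = " ".join(f"{max(0.0, 1.0 - s):.4f}" for s in row)
        lines.append(f"{label} {dists}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    matrix = similarity_matrix(list(SAMPLES.values()))
    print(to_phylip(list(SAMPLES), matrix), end="")
```

The output can be saved as the input file of a PHYLIP distance-based tree program; in the resulting tree the two related samples sit close together and the unrelated one lies far from both.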
Program Relationships Visualization
Results Processing

 Parse XML output from Malwise


 PHP parser


 Simseer
   Display evolutionary tree and similarity matrix



 Bugwise
   Display table showing address of double frees
Efficiency of Malwise as a Web Service

 Does a web service incur much overhead compared
 to command line usage?

 Test case is 9 samples submitted to Simseer.

 Python script sends samples and waits for results.

 We compare the times of command line versus the
 web service.

 Mean overhead is 0.64 seconds.
Processing times
Simseer Web Service (l), Malwise Command Line (r)
Availability

 http://www.FooCodeChu.Com


 Rate limiting of submissions.


 Limit of sample sizes and the number of samples in
 archives.

 We intend to relax these restrictions as we migrate to
 more scalable infrastructure.
Future Work

 Enterprise messaging to perform load balancing and
 queuing?

 More options to scans to exploit Malwise plugin system.


 Any-time clustering to cluster new samples incrementally
 in real-time?

 Bug detection could be developed as bug management
 system.
Conclusion

 We make available new services for bug detection and
  software similarity.

 Our backend Malwise is versatile and allows plugins to
  implement these services.

 Bugwise has found real bugs in Linux.

 The web service overhead is minimal.

 We believe web services in these applications will have future
  growth.
