Use this URL to cite or link to this record in EThOS: https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.786214
Title: Automated analysis of system-wide malware propagation
Author: Korczynski, David
ISNI:       0000 0004 7971 681X
Awarding Body: University of Oxford
Current Institution: University of Oxford
Date of Award: 2019
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Please try the link below.
Access from Institution:
Abstract:
In contrast to most benign applications, malware infects its host system. It does so via system-wide execution by injecting code into otherwise benign applications, executing via code-reuse attacks, dynamically generating code and much more. These unconventional, albeit perfectly valid, execution paradigms are used for evasion and obfuscation tactics and pose significant problems to automatic malware analysis environments. In this thesis, we investigate the problem of system-wide malware execution. We focus on building general and precise techniques to analyse malware that execute throughout the entire system. To demonstrate our techniques, we implement them as part of a malware analysis system called Minerva. We use Minerva to perform extensive empirical studies based on synthetic benchmarks that explore corner-case behaviours as well as real-world malware samples collected from the wild. The core idea behind our techniques is to analyse system-wide malware execution with a bottom-up approach. To this end, we develop a fundamental technique for capturing the system-wide execution trace of a given malware sample that is independent of the techniques malware use to propagate through the system. We then incrementally build abstractions upon this trace to identify code injections, malware droppers, code-reuse attacks, packed malware and more. In the final part of our thesis, we extend Minerva with several capabilities to perform large-scale studies. We use these features to characterise system-wide malware propagation at large and extract many interesting high-level views on malware based on our precise and general analysis.
Supervisor: Roscoe, Bill ; O'Halloran, Colin Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.786214  DOI: Not available
Share: