SBIR-STTR Award

Malicious Binary Code Automated Response, Forensics and Immunity - Tools and Methods
Award last edited on: 2/20/2007

Sponsored Program
SBIR
Awarding Agency
DOD : MDA
Total Award Amount
$849,999
Award Phase
2
Solicitation Topic Code
MDA04-056
Principal Investigator
Luis Lopez

Company Information

2LResearch Corporation

PO Box 18034
Huntsville, AL 35804
   (256) 656-9652
   luis@hiwaay.net
   www.2lresearch.com
Location: Single
Congr. District: 05
County: Madison

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2004
Phase I Amount
$100,000
This effort will develop a capability for automated modification of binary code based on canonical algorithm patterns of control flows. Since these methods are based on control flow, they are OS and language independent. The methods offer a path towards building operating systems that are self-repairing and can be immunized against malicious behavior. This effort will develop methods to automate insertion of safeguarding breakpoints at potentially malicious code points. When a breakpoint is hit, several options will be automatically made available to computer network security analysts. Algorithm information will be extracted from the breakpoint area of the code and displayed in a syntax-neutral flow graph. The flow graph will offer a real-time visual debugger that can be stepped and interpreted in a 'safe' mode to determine the methods of attack used by malicious code, contain the code, log its behavior, etc. This will enable both real-time and offline responses to be developed, as well as advanced forensics and behavior analysis of malicious binary code. It will develop a technology that can modify and contain bad code in COTS products prior to running it within a trusted and secure system.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2005
Phase II Amount
$749,999
This effort is based on the outcome of a successful Phase I project that demonstrated the feasibility of generating logic-pattern-based, OS-platform-independent signatures for malicious program logic and detecting its presence within much larger binary modules. The detection (and localization) of a logic-based signature within a binary executable represents a significant advancement in automated code analysis. It also offers a new capability to test the hardness or vulnerability of protected software modules (e.g. test logic obfuscation hardness, vulnerability to exploitation, etc.). The approach taken involves the development of canonical signatures based on the essential logic patterns required for a (malicious) function to occur. When the logic patterns of certain malicious codes are extracted, it is also possible to relate logic signatures to specific exploitive behaviors. This results in an OS/language/hardware-independent signature for malicious exploits, strategies and tactics. We can then extract the logic structure from an arbitrary binary and scan it for specific malicious logic. Scanning a binary module requires disassembling it and recovering features of the logical implementation (hence, it can potentially violate some software licensing agreements). The Phase II development will support information assurance within MDA's Computer Network Operations and directly support program objectives for the Common Operating Environment (COE).
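The two abstracts describe one pipeline: recover control flow from a binary (Phase I), reduce it to a syntax-neutral "logic pattern", and scan a much larger module for that pattern, reporting where it sits (Phase II). The following is an added worked example of that idea, written for this page; it is not 2LResearch's code and does not reproduce the award's actual method. Everything in it is assumed: the three-field instruction tuples standing in for a disassembly, the mnemonics "jmp"/"jcc"/"ret", the sample listings MALICIOUS, MODULE and BENIGN (constructed), and the choice to encode only edges internal to a window of basic blocks.

```python
"""Toy control-flow-signature scanner.

Constructed example for this page, not 2LResearch code; it does not reproduce
the award's method. Assumptions (hypothetical): a "disassembly" is a list of
(address, mnemonic, branch_target) tuples; "jmp" is unconditional, "jcc" is
conditional, "ret" ends a path, and targets are addresses in the same listing.
"""

BRANCHES = {"jmp", "jcc", "ret"}


def basic_blocks(code):
    """Leader analysis: a block starts at the first instruction, at every
    branch target, and at every instruction that follows a branch."""
    addrs = [a for a, _, _ in code]
    leaders = {addrs[0]}
    for i, (_, mnem, target) in enumerate(code):
        if mnem in BRANCHES:
            if target is not None:
                leaders.add(target)
            if i + 1 < len(code):
                leaders.add(addrs[i + 1])
    blocks, cur = [], []
    for ins in code:
        if ins[0] in leaders and cur:
            blocks.append(cur)
            cur = []
        cur.append(ins)
    return blocks + [cur] if cur else blocks


def build_cfg(code):
    """Return (blocks, succ); succ maps block index -> sorted successor indices."""
    blocks = basic_blocks(code)
    start_of = {b[0][0]: i for i, b in enumerate(blocks)}
    succ = {}
    for i, b in enumerate(blocks):
        _, mnem, target = b[-1]
        outs = set()
        if mnem in ("jmp", "jcc") and target in start_of:
            outs.add(start_of[target])          # taken edge
        if mnem not in ("jmp", "ret") and i + 1 < len(blocks):
            outs.add(i + 1)                     # fall-through edge
        succ[i] = sorted(outs)
    return blocks, succ


def shape(succ, root, n):
    """Syntax-neutral encoding of the n-block window at `root`: per block, the
    successor offsets that stay inside the window. Mnemonics, registers,
    addresses and edges leaving the window are deliberately ignored."""
    return tuple(tuple(s - root for s in succ[i] if root <= s < root + n)
                 for i in range(root, root + n))


def signature_from(sample):
    """Canonical logic signature of a whole (malicious) sample."""
    blocks, succ = build_cfg(sample)
    return shape(succ, 0, len(blocks))


def scan(module, sig):
    """Locate every window of a larger module whose CFG shape equals `sig`.
    Returns (first_addr, last_addr) per hit; first_addr is where a
    safeguarding breakpoint would be planted."""
    blocks, succ = build_cfg(module)
    n, hits = len(sig), []
    for root in range(len(blocks) - n + 1):
        if shape(succ, root, n) == sig:
            hits.append((blocks[root][0][0], blocks[root + n - 1][-1][0]))
    return hits


# Constructed sample: decode loop, then transfer to the decoded payload.
MALICIOUS = [
    (0x00, "mov", None), (0x01, "xor", None), (0x02, "inc", None),
    (0x03, "cmp", None), (0x04, "jcc", 0x01),   # loop back to the xor
    (0x05, "call", None), (0x06, "ret", None),
]

# Constructed host module: same logic with different opcodes, addresses and layout.
MODULE = [
    (0x100, "push", None), (0x101, "mov", None), (0x102, "cmp", None),
    (0x103, "jcc", 0x10A),                      # argument check skips the decoder
    (0x104, "mov", None), (0x105, "sub", None), (0x106, "dec", None),
    (0x107, "test", None), (0x108, "jcc", 0x105),  # the same self-loop
    (0x109, "call", None), (0x10A, "pop", None), (0x10B, "ret", None),
]

# Constructed benign module: a conditional, but no loop.
BENIGN = [
    (0x200, "mov", None), (0x201, "cmp", None), (0x202, "jcc", 0x204),
    (0x203, "add", None), (0x204, "ret", None),
]

if __name__ == "__main__":
    sig = signature_from(MALICIOUS)
    print("signature:", sig)
    print("hits:", [(hex(a), hex(b)) for a, b in scan(MODULE, sig)], scan(BENIGN, sig))
```

Running it reports the signature ((1,), (1, 2), ()) and a single hit at 0x104-0x109 in MODULE even though the decoder there uses sub/dec/test instead of xor/inc/cmp and sits at different addresses, which is the OS/language-independence the abstracts claim for control-flow signatures; BENIGN, which has a conditional but no loop, produces no hit. Two caveats a practitioner should carry over: the signature here keys only on block-to-block structure, so a three-block window with the same loop shape matches whatever it computes, and a real pipeline would layer further features (data flow, constants, call targets) before treating a hit as a verdict rather than as a place to plant a breakpoint; and because the pattern is pure shape, the same scan doubles as the abstract's "obfuscation hardness" test, since a protection pass that renames registers or substitutes instructions without changing the CFG leaves the signature intact.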

Keywords:
SECURITY ASSURANCE, INFORMATION ASSURANCE, COMMON OPERATING ENVIRONMENT, MALWARE, MALCODE, MALICIOUS CODE, DETECTION, DISCRIMINATION