TY - GEN
T1 - FAROS
T2 - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
AU - Arefi, Meisam Navaki
AU - Alexander, Geoffrey
AU - Rokham, Hooman
AU - Chen, Aokun
AU - Faloutsos, Michalis
AU - Wei, Xuetao
AU - Oliveira, Daniela Seabra
AU - Crandall, Jedidiah R.
N1 - Funding Information:
ACKNOWLEDGMENTS We would like to thank our shepherd Etienne Riviere for guidance in writing the final version of the paper and the DSN 2018 anonymous reviewers for valuable feedback. This research has been supported by the DARPA Trusted Computing Project (Grant No. FA8650-15-C-7565) and the U.S. National Science Foundation (Grant Nos. #1518523, #1518878).
Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/19
Y1 - 2018/7/19
N2 - In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily without leaving artifacts in the system or in any easily observable events from outside of a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS, a reverse engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) per-security-policy handling of the challenge of indirect flows via the application of tags of different types; and (iii) the use of tags with fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware samples and it flagged the attacks for all samples. We also analyzed FAROS' false positive rate with 90 non-injecting malware samples and 14 benign software programs from various categories. FAROS presented a very low false positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.
AB - In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily without leaving artifacts in the system or in any easily observable events from outside of a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS, a reverse engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) per-security-policy handling of the challenge of indirect flows via the application of tags of different types; and (iii) the use of tags with fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware samples and it flagged the attacks for all samples. We also analyzed FAROS' false positive rate with 90 non-injecting malware samples and 14 benign software programs from various categories. FAROS presented a very low false positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.
KW - Dynamic Information Flow Tracking
KW - In memory Injection
KW - Malware Analysis
UR - http://www.scopus.com/inward/record.url?scp=85051089859&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051089859&partnerID=8YFLogxK
U2 - 10.1109/DSN.2018.00034
DO - 10.1109/DSN.2018.00034
M3 - Conference contribution
AN - SCOPUS:85051089859
T3 - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
SP - 231
EP - 242
BT - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 25 June 2018 through 28 June 2018
ER -