TY - GEN
T1 - FAROS
T2 - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
AU - Arefi, Meisam Navaki
AU - Alexander, Geoffrey
AU - Rokham, Hooman
AU - Chen, Aokun
AU - Faloutsos, Michalis
AU - Wei, Xuetao
AU - Oliveira, Daniela Seabra
AU - Crandall, Jedidiah R.
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/19
Y1 - 2018/7/19
N2 - In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily, leaving no artifacts on the system and producing no events that are easily observable from outside a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS, a reverse-engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) handling of the challenge of indirect flows according to per-security-policy rules, implemented by applying tags of different types; and (iii) the use of tags carrying fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware samples, and it flagged the attacks for all of them. We also analyzed FAROS' false-positive rate with 90 non-injecting malware samples and 14 benign programs from various categories. FAROS presented a very low false-positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.
AB - In-memory injection attacks are extremely challenging to reverse engineer because they operate stealthily, leaving no artifacts on the system and producing no events that are easily observable from outside a virtual machine. Because these attacks perform their actions in memory only, current malware analysis solutions cannot expose their behavior. This paper introduces FAROS, a reverse-engineering tool for Windows malware analysis based on dynamic information flow tracking (DIFT), which can flag stealthy in-memory-only malware injection attacks by leveraging the synergy of: (i) whole-system taint analysis; (ii) handling of the challenge of indirect flows according to per-security-policy rules, implemented by applying tags of different types; and (iii) the use of tags carrying fine-grained provenance information. We evaluated FAROS with six advanced in-memory-injecting malware samples, and it flagged the attacks for all of them. We also analyzed FAROS' false-positive rate with 90 non-injecting malware samples and 14 benign programs from various categories. FAROS presented a very low false-positive rate of 2%, which shows its potential towards practical solutions against advanced in-memory-only anti-reverse-engineering attacks.
KW - Dynamic Information Flow Tracking
KW - In memory Injection
KW - Malware Analysis
UR - http://www.scopus.com/inward/record.url?scp=85051089859&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051089859&partnerID=8YFLogxK
U2 - 10.1109/DSN.2018.00034
DO - 10.1109/DSN.2018.00034
M3 - Conference contribution
AN - SCOPUS:85051089859
T3 - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
SP - 231
EP - 242
BT - Proceedings - 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 25 June 2018 through 28 June 2018
ER -
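The three mechanisms the abstract names (whole-system taint tracking, policy-controlled handling of indirect flows through tags of different kinds, and tags that carry provenance) can be illustrated with a toy shadow-memory tracker. The block below is an added illustration written for this record, not FAROS' code or the paper's exact policy; the process IDs, addresses, source labels, payload bytes and the alert rule (code bytes executed in a process that a different process wrote while they were tainted) are constructed assumptions. The two scenarios show why the policy choice matters: a strict policy that counts indirect-flow tags catches more, but turns the benign patching scenario into a false positive.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tag:
    kind: str              # "direct" = explicit data copy, "indirect" = control-dependent flow
    source: str            # provenance: where the bytes first entered the system
    writer: Optional[int]  # pid that last moved these bytes across a process boundary


class TaintVM:
    """Toy whole-system shadow memory: every byte of every process carries a set of tags.
    Simplified model for illustration; not the FAROS implementation."""

    def __init__(self, alert_on):
        self.mem = {}                    # (pid, addr) -> byte value
        self.shadow = defaultdict(set)   # (pid, addr) -> set of Tag
        self.alert_on = alert_on         # policy: tag kinds that count as injection evidence
        self.alerts = []

    def ingest(self, pid, addr, data, source):
        # Bytes arriving from an untrusted source get a direct tag with provenance.
        for i, b in enumerate(data):
            self.mem[(pid, addr + i)] = b
            self.shadow[(pid, addr + i)] = {Tag("direct", source, None)}

    def copy(self, src_pid, src, dst_pid, dst, n, indirect=False):
        # mov/memcpy inside a process, or a WriteProcessMemory-style copy across processes.
        # indirect=True models a value rebuilt by branching on the source (lookup table,
        # if/else ladder): an explicit-flow-only tracker would lose the taint here, so the
        # tag is kept but downgraded to kind "indirect" for the policy to decide on.
        for i in range(n):
            self.mem[(dst_pid, dst + i)] = self.mem[(src_pid, src + i)]
            new = set()
            for t in self.shadow[(src_pid, src + i)]:
                kind = "indirect" if indirect else t.kind
                writer = src_pid if src_pid != dst_pid else t.writer
                new.add(Tag(kind, t.source, writer))
            self.shadow[(dst_pid, dst + i)] = new

    def execute(self, pid, addr, n):
        # Instruction fetch: code bytes that (a) were written into this process by another
        # process and (b) carry a tag kind the policy counts are flagged as an injection.
        evidence = set()
        for i in range(n):
            for t in self.shadow.get((pid, addr + i), ()):
                if t.writer is not None and t.writer != pid and t.kind in self.alert_on:
                    evidence.add(t)
        if evidence:
            self.alerts.append((pid, addr, frozenset(evidence)))
        return evidence


PAYLOAD = bytes([0x90, 0x90, 0xCC])  # constructed stand-in for a payload; content is irrelevant


def injection_scenario(alert_on):
    """Constructed: pid 100 downloads a payload and writes it straight into pid 200, which runs it."""
    vm = TaintVM(alert_on)
    vm.ingest(100, 0x1000, PAYLOAD, "net:10.0.0.5:443")
    vm.copy(100, 0x1000, 200, 0x7000, len(PAYLOAD))
    vm.execute(200, 0x7000, len(PAYLOAD))
    return vm.alerts


def benign_scenario(alert_on):
    """Constructed: pid 300 (a legitimate patching tool) derives bytes from its config file
    by branching on it, then installs them into its child pid 400 via an explicit copy."""
    vm = TaintVM(alert_on)
    vm.ingest(300, 0x2000, PAYLOAD, "file:C:\\tool\\patch.cfg")
    vm.copy(300, 0x2000, 300, 0x2100, len(PAYLOAD), indirect=True)
    vm.copy(300, 0x2100, 400, 0x8000, len(PAYLOAD))
    vm.execute(400, 0x8000, len(PAYLOAD))
    return vm.alerts


if __name__ == "__main__":
    for policy in ({"direct"}, {"direct", "indirect"}):
        print("policy", sorted(policy))
        print("  injection:", injection_scenario(policy))
        print("  benign   :", benign_scenario(policy))
```

Each alert carries the provenance of the executed bytes (here the network endpoint) and the pid that moved them across the process boundary, which is the information an analyst needs to attribute the injection without any on-disk artifact. Under the lenient policy only the explicit network-to-victim copy is flagged; under the strict policy the tool's indirect flow is flagged as well, which is the false-positive cost the abstract's policy-based handling of indirect flows is meant to control.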