报告题目：Auto-constructing Malware Behavior Profilers
报告人：谢修平教授 Shiuhpyng Winston Shieh, FIEEE, ACMDS，Distinguished Professor, CS Dept., NCTU
Modern malware analysis systems rely on the virtual machine (VM) technology to build a sandbox environment. Benefited by the VM isolation security, an analyzer deployed in the host system can be concealed to the test sample executed in the guest system. These VM-based analysis systems usually implement probes to monitor the events and the state of the guest system to profile the runtime behavior (e.g. file system/memory access) of a test sample. The most important function of a probe is to carve the information of interest out of the memory on the guest system when it is triggered by a specific event. However, it is challenging to implement such a probe if the guest system is installed on a closed-source operating system (OS), such as Windows. The data-of-interest can be accommodated in opaque, undocumented data structures unbeknownst to the security analysts. Furthermore, the location of the binary code handling the specific event mentioned above cannot be efficiently identified without the source code. Consequently, seeking the suitable place in million lines of code to insert the probe for event monitoring becomes extremely difficult. Conventionally, implementing probes in a closed-source OS needs to manually reverse-engineering the undocumented code/data structures in the kernel binary image. This work is labor intensive and requires significant human effort. Furthermore, the reverse-engineering result is often non-reusable for different OS versions as well as kernel updates due to the rapid change of these structures. ProbeBuilder automates the process to inference these undocumented kernel code/data structures and efficiently narrows thousands of choices for kernel-level probes down to dozens. In this way, the effort to construct a probe can be greatly reduced. This allows analysts to quickly implement probes, thereby facilitating rapid development/update of inspection tools for different operating systems.
Prof. Shiuhpyng Winston Shieh received his M.S. and Ph.D. degrees from the University of Maryland, College Park, respectively. He is a Distinguished Professor of Computer Science Department and the Director of Taiwan Information Security Center at National Chiao Tung University (NCTU). He has served as the chair of the Department of Computer Science, NCTU, and President of Chinese Cryptology and Information Security Association (CCISA). Being actively involved in IEEE, he has served as EIC of IEEE Reliability Magazine, EIC of RS Newsletter, Reliability Society VP Tech, Editor of IEEE Trans. on Reliability and IEEE Trans. on Dependable and Secure Computing. Dr. Shieh has also served as ACM SIGSAC Awards Committee member, Associate Editor of ACM Trans on Information and System Security, Journal of Computer Security, Journal of Information Science and Engineering, Journal of Computers, and the guest editor of IEEE Internet Computing, respectively. Furthermore, he has been on the organizing committees of many conferences, such as the founding Steering Committee Chair and Program Chair of ACM Symposium on Information, Computer and Communications Security (AsiaCCS), founding Steering Committee Chair of IEEE Conference on Dependable and Secure Computing, Program Chair of IEEE Conference on Security and Reliability. Along with Virgil Gligor of Carnegie Mellon University, he invented the first US patent in intrusion detection, and has published 200 technical papers, patents, and books. He is an IEEE Fellow, ACM Distinguished Scientist, and Distinguished Professor of Chinese Institute of Electrical Engineers. Recently, He received IEEE Reliability Society Engineer of The Year Award and NCTU Distinguished Teaching Award. His research interests include system penetration and protection, malware behavior analysis, network and system security. Contact him at email@example.com.