DOI: 10.1145/1810295.1810323
Research article

Can we certify systems for freedom from malware

Published: 01 May 2010

Abstract

Malicious code is any code that has been modified with the intention of harming its usage or the user. Typical categories of malicious code include Trojan horses, viruses and worms. With the growth in complexity of computing systems, detection of malicious code is becoming horrendously complex. For the security of embedded devices it is important to ensure the integrity of the software running on them. Virus detection in general is undecidable. However, in the case of embedded systems or personal systems, the software and hardware configurations are known a priori. We are experimenting to see whether we can certify such systems for malware freedom. Most current efforts on malware detection rely heavily on the detection of syntactic patterns. Malware writers are resorting to simple syntactic transformations that preserve the program semantics, such as various compiler optimizations and program obfuscation techniques, to evade detection. Our work is based instead on the semantic behaviour of programs. We are working towards a model of the behaviour of a program executing in an environment. Our approach to detecting tampering benchmarks the behaviour of a program executing in an environment and then matches the behaviour observed for the program in a similar environment against that benchmark (in the spirit of translation validation, or of the bisimulation widely used in model checking). Since execution behaviour remains the same under the majority of obfuscations, our approach is resilient to such exploits. We have performed several experiments in this direction and obtained encouraging results. The differences between the benchmarked behaviour and the observed behaviour quantify the damage due to a virus. This enables us to arrive at refined notions of the "harm" done by a virus and appropriate measures for protection.
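As an added illustration of the benchmark-and-match idea in the abstract (this is example code written for this page, not the paper's own implementation or data): the events a program emits while running are folded into a labelled transition system, a benchmark system is built from several clean runs, and a later run is matched against it with a strong bisimulation check by partition refinement. The transitions the observed run takes that the benchmark never did are then weighted to give a damage score. The event vocabulary ("operation:object"), the sample traces, the `HARM_WEIGHTS` table and the choice of "state = most recent event" are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traces: each event is "operation:object", a hypothetical
# abstraction of a system-call trace (not data from the paper).
BENCHMARK_RUNS = [
    ["open:config", "read:config", "compute", "write:log", "close:log", "exit"],
    ["open:config", "read:config", "compute", "compute", "write:log", "close:log", "exit"],
]
CLEAN_RUN = ["open:config", "read:config", "compute", "compute", "compute",
             "write:log", "close:log", "exit"]
TAMPERED_RUN = ["open:config", "read:config", "compute", "connect:remote",
                "send:config", "write:log", "close:log", "exit"]

# Assumed weights: how much an unexpected operation of each kind is presumed to harm the user.
HARM_WEIGHTS = {"connect": 5, "send": 5, "exec": 5, "write": 2}
START = "start"


def build_lts(traces):
    """Fold traces into a labelled transition system (LTS) whose state is the
    most recent event: event `ev` seen in state `s` adds the edge s --ev--> ev."""
    trans = defaultdict(set)
    for trace in traces:
        state = START
        for ev in trace:
            trans[state].add((ev, ev))
            state = ev
    return dict(trans)


def states_of(lts):
    return set(lts) | {nxt for out in lts.values() for _, nxt in out}


def bisimilar(lts_a, lts_b):
    """Strong bisimulation check by partition refinement over the disjoint union
    of both systems; true iff the two start states end up in the same block."""
    tagged = [("a", s) for s in states_of(lts_a)] + [("b", s) for s in states_of(lts_b)]

    def succ(tag, s):
        lts = lts_a if tag == "a" else lts_b
        return {(lab, (tag, nxt)) for lab, nxt in lts.get(s, ())}

    block = {st: 0 for st in tagged}          # coarsest partition: one block
    while True:
        sig_ids, refined = {}, {}
        for st in tagged:
            # A state's signature is its current block plus the (label, target block) pairs it can take.
            sig = (block[st], frozenset((lab, block[nxt]) for lab, nxt in succ(*st)))
            refined[st] = sig_ids.setdefault(sig, len(sig_ids))
        if len(sig_ids) == len(set(block.values())):   # no block split: partition is stable
            return refined[("a", START)] == refined[("b", START)]
        block = refined


def behaviour_diff(benchmark, observed):
    """(state, event) transitions the observed run takes that the benchmark never did
    (suspect behaviour), and benchmark transitions never observed (lost functionality)."""
    def edges(lts):
        return {(s, lab) for s, out in lts.items() for lab, _ in out}
    b, o = edges(benchmark), edges(observed)
    return {"unexpected": sorted(o - b), "missing": sorted(b - o)}


def damage_score(diff):
    """Weight each unexpected transition by its operation kind (default weight 1)."""
    return sum(HARM_WEIGHTS.get(ev.split(":")[0], 1) for _, ev in diff["unexpected"])


def certify(benchmark_runs, observed_run):
    """Certify an observed run against the benchmark: bisimilar means the run exhibits
    exactly the benchmarked behaviour; otherwise the diff quantifies the deviation."""
    bench, obs = build_lts(benchmark_runs), build_lts([observed_run])
    diff = behaviour_diff(bench, obs)
    return {"certified": bisimilar(bench, obs), "damage": damage_score(diff), **diff}


if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("tampered", TAMPERED_RUN)):
        print(name, certify(BENCHMARK_RUNS, run))
```

The clean run is certified even though it loops on `compute` more often than either benchmark run, because it adds no transition the benchmark lacks; the tampered run fails the bisimulation check and its three unexpected transitions (the network connect, the send of the config, and the return path into logging) are reported and scored. Comparing behaviour rather than bytes is what makes the check insensitive to semantics-preserving rewrites of the binary; the weak point of this toy is the "last event" state abstraction, which a real system would replace with a richer model of the environment the program runs in.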

Published in

ICSE '10: Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 2
May 2010, 554 pages
ISBN: 9781605587196
DOI: 10.1145/1810295
Publisher: Association for Computing Machinery, New York, NY, United States
Acceptance rate: 276 of 1,856 submissions (15%)