Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization, are used to protect malware. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack executables packed using Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, no analysis results for it have been published. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls to major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provide detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.
As IoT devices are being widely used, malicious code is increasingly appearing in Linux environments. Sophisticated Linux malware employs various evasive techniques to deter analysis. The embedded trace microcell (ETM) supported by modern Arm CPUs is a suitable hardware tracer for analyzing evasive malware because it is almost artifact-free and has negligible overhead. In this paper, we present an efficient method to automatically find debugger-detection routines using the ETM hardware tracer. The proposed scheme reconstructs the execution flow of the compiled binary code from ETM trace data. In addition, it automatically identifies and patches the debugger-detection routine by comparing two traces (with and without the debugger). The proposed method was implemented as a plug-in for Ghidra, which is one of the most widely used disassemblers. To verify its effectiveness, 15 debugger-detection techniques were investigated in the Arm-Linux environment to determine whether they could be detected. We also confirmed that our implementation works successfully for the popular Mirai malware in Linux. Experiments were further conducted on 423 malware samples collected from the Internet, demonstrating that our implementation works well for real malware samples.
YtvA is a blue light sensor protein composed of an N-terminal LOV (light–oxygen–voltage) domain, a linker helix, and the C-terminal sulfate transporter and anti-σ factor antagonist domain. YtvA is believed to act as a positive regulator for light and salt stress responses by regulating the σB transcription factor. Although its biological function has been studied, the reaction dynamics and molecular mechanism underlying the function are not well understood. To improve our understanding of the signaling mechanism, we studied the reaction of the LOV domain (YLOV, amino acids 26–127), the LOV domain with its N-terminal extension (N-YLOV, amino acids 1–127), the LOV domain with its C-terminal linker helix (YLOV-linker, amino acids 26–147), and the YLOV domain with the N-terminal extension and the C-terminal linker helix (N-YLOV-linker, amino acids 1–147) using the transient grating method. The signals of all constructs showed adduct formation, thermal diffusion, and molecular diffusion. YLOV showed no change in the diffusion coefficient (D), while the other three constructs showed a significant decrease in D within ∼70 μs of photoexcitation. This indicates that conformational changes in both the N- and C-terminal helices of the YLOV domain indeed do occur. The time constant in the YtvA derivatives was much faster than the corresponding dynamics of phototropins. Interestingly, an additional reaction was observed as a volume expansion as well as a slight increase in D only when both helices were included. These findings suggest that although the rearrangement of the N- and C-terminal helices occurs independently on the fast time scale, this change induces an additional conformational change only when both helices are present.
In spite of recent remarkable advances in binary code analysis, malware developers are still using complex anti-reversing techniques to make analysis difficult. To protect malware, they use packers, which are (commercial) tools that contain various anti-reverse engineering techniques such as code encryption, anti-debugging, and code virtualization. In this paper, we present x64Unpack: a hybrid emulation scheme that makes it easier to analyze packed executable files and automatically unpacks them in 64-bit Windows environments. The most distinctive feature of x64Unpack compared to other dynamic analysis tools is that x64Unpack and the target program share virtual memory to support both instruction emulation and direct execution. Emulation runs slowly but provides detailed information, whereas direct execution of a code chunk runs very fast and can handle complex cases involving the operating system or hardware devices. With x64Unpack, we can monitor major API (Application Programming Interface) function calls or conduct fine-grained analysis at the instruction level. Furthermore, x64Unpack can detect anti-debugging code chunks, dump memory, and unpack the packed files. To verify the effectiveness of x64Unpack, experiments were conducted on the obfuscation tools UPX 3.95, MPRESS 2.19, Themida 2.4.6, and VMProtect 3.4. In particular, VMProtect and Themida are considered among the most complex commercial packers in 64-bit Windows environments. Experimental results show that x64Unpack correctly emulates the packed executable files and successfully produces the unpacked version. Based on this, we provide detailed analysis results on the obfuscated executable file that was generated by VMProtect 3.4.
Low latency networking is gaining attention to support futuristic network applications like the Tactile Internet with stringent end-to-end latency requirements. In realizing the vision, cut-through (CT) switching is believed to be a promising solution to significantly reduce the latency of today's store-and-forward switching, by splitting a packet into smaller chunks called flits and forwarding them concurrently through input and output ports of a switch. Nevertheless, the end-to-end latency performance of CT switching has not been well studied in heterogeneous networks, which hinders its adoption to general-topology networks with heterogeneous links. To fill the gap, this paper proposes an end-to-end latency prediction model in a heterogeneous CT switching network, where the major challenge comes from the fact that a packet's end-to-end latency relies on how and when its flits are forwarded at each switch while each flit is forwarded individually. As a result, traditional packet-based queueing models are not directly applicable, and thus we construct a method to estimate per-hop queueing delay via M/G/c queueing approximation, based on which we predict the end-to-end latency of a packet. Our extensive simulation results show that the proposed model achieves 3.98-6.05% 90th-percentile error in end-to-end latency prediction.
Achieving low end-to-end latency with high reliability is one of the key objectives for future mission-critical applications, like the Tactile Internet and real-time interactive Virtual/Augmented Reality (VR/AR). To serve the purpose, cut-through (CT) switching is a promising approach to significantly reduce the transmission delay of store-and-forward switching, via flit-ization of a packet and concurrent forwarding of the flits belonging to the same packet. CT switching, however, has been applied only to well-controlled scenarios like network-on-chip and data center networks, and hence flit scheduling in heterogeneous environments (e.g., the Internet and wide area networks) has been given little attention. This paper tries to fill the gap to facilitate the adoption of CT switching in general-purpose data networks. In particular, we first introduce a packet discarding technique that sheds the packet expected to violate its delay requirement and then propose two flit scheduling algorithms, fEDF (flit-based Earliest Deadline First) and fSPF (flit-based Shortest Processing-time First), aiming at enhancing both reliability and end-to-end latency. Considering packet delivery ratio (PDR) as a reliability metric, we performed extensive simulations to show that the proposed scheduling algorithms can enhance PDR by up to 30.11% (when the delay requirement is 7 ms) and the average end-to-end latency by up to 13.86% (when the delay requirement is 10 ms), against first-in first-out (FIFO) scheduling.
A software birthmark is the set of inherent characteristics of a program extracted from the program itself. By comparing birthmarks, we can detect whether one program is a copy of another. We propose a static API birthmark for Windows executables that utilizes sets of API calls identified statically by a disassembler. By comparing 49 Windows executables, we show that our birthmark can distinguish similar programs and detect copies. By comparing binaries generated by various compilers, we also demonstrate that our birthmark is resilient. We compare our birthmark with a previous Windows dynamic birthmark to show that it is more appropriate for GUI applications.
A software birthmark refers to the inherent characteristics of a program that can be used to identify the program. In this paper, a method for detecting the theft of Java programs through a static software birthmark is proposed that is based on control flow information. The control flow information shows the structural characteristics and the possible behaviors during the execution of a program. Flow paths (FPs) and behaviors in Java programs are formally described here, and a set of behaviors of FPs is used as a software birthmark. The similarity is calculated by matching the pairs of similar behaviors from two birthmarks. Experiments on the proposed birthmark centered on precision and recall, and the performance was evaluated by analyzing the F-measure curves. The experimental results show that the proposed birthmark is a more effective measure than earlier approaches for detecting copied programs, even in cases where such programs are aggressively modified.
A software birthmark is the set of inherent program characteristics that can identify a program. In this paper, we propose a static API trace birthmark to detect the theft of Java programs. Because the API traces can reflect the behavior of a program, our birthmark is more resilient than the existing static birthmarks. Because the API traces are extracted by static analysis, they can be applied to library programs, which earlier dynamic birthmarks cannot handle properly. We evaluate the proposed birthmark in terms of credibility and resilience. Experimental results show that our birthmark can detect common library modules of two packages while other birthmarks fail to detect them.
YtvA from Bacillus subtilis is a sensor protein that responds to blue light stress and regulates the activity of transcription factor σB. It is composed of the N-terminal LOV (light–oxygen–voltage) domain, the C-terminal STAS (sulfate transporter and anti-sigma factor antagonist) domain, and a linker region connecting them. In this study, the photoreaction and kinetics of full-length YtvA and the intermolecular interaction with a downstream protein, RsbRA, were revealed by the transient grating method. Although N-YLOV-linker, which is composed of the LOV domain of YtvA with helices A′α and Jα, exhibits a diffusion change due to the rotational motion of the helices, the YtvA dimer does not show the diffusion change. This result suggests that the STAS domain inhibits the rotational movement of helices A′α and Jα. We found that the YtvA dimer formed a heterotetramer with the RsbRA dimer, probably via the interaction between the STAS domains, and we showed the diffusion change upon blue light illumination with a time constant faster than 70 μs. This result suggests a conformational change of the STAS domains; i.e., the interface between the STAS domains of the proteins changes to enhance the friction with water by the rotational structural change of helices A′α and Jα of YtvA.