Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. To protect malware, they use packers, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack executables packed with Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, no analysis results for it have been published. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls to major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provide detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.
As IoT devices are being widely used, malicious code is increasingly appearing in Linux environments. Sophisticated Linux malware employs various evasive techniques to deter analysis. The embedded trace macrocell (ETM) supported by modern Arm CPUs is a suitable hardware tracer for analyzing evasive malware because it is almost artifact-free and has negligible overhead. In this paper, we present an efficient method to automatically find debugger-detection routines using the ETM hardware tracer. The proposed scheme reconstructs the execution flow of the compiled binary code from ETM trace data. In addition, it automatically identifies and patches the debugger-detection routine by comparing two traces (with and without the debugger). The proposed method was implemented as a plug-in for Ghidra, which is one of the most widely used disassemblers. To verify its effectiveness, 15 debugger-detection techniques were investigated in the Arm-Linux environment to determine whether they could be detected. We also confirmed that our implementation works successfully on the well-known Mirai malware for Linux. Experiments were further conducted on 423 malware samples collected from the Internet, demonstrating that our implementation works well for real malware samples.
YtvA is a blue light sensor protein composed of an N-terminal LOV (light–oxygen–voltage) domain, a linker helix, and the C-terminal sulfate transporter and anti-σ factor antagonist domain. YtvA is believed to act as a positive regulator for light and salt stress responses by regulating the σB transcription factor. Although its biological function has been studied, the reaction dynamics and molecular mechanism underlying the function are not well understood. To improve our understanding of the signaling mechanism, we studied the reaction of the LOV domain (YLOV, amino acids 26–127), the LOV domain with its N-terminal extension (N-YLOV, amino acids 1–127), the LOV domain with its C-terminal linker helix (YLOV-linker, amino acids 26–147), and the YLOV domain with the N-terminal extension and the C-terminal linker helix (N-YLOV-linker, amino acids 1–147) using the transient grating method. The signals of all constructs showed adduct formation, thermal diffusion, and molecular diffusion. YLOV showed no change in the diffusion coefficient (D), while the other three constructs showed a significant decrease in D within ∼70 μs of photoexcitation. This indicates that conformational changes in both the N- and C-terminal helices of the YLOV domain do occur. The time constant in the YtvA derivatives was much faster than that of the corresponding dynamics of phototropins. Interestingly, an additional reaction was observed as a volume expansion as well as a slight increase in D only when both helices were included. These findings suggest that although the rearrangement of the N- and C-terminal helices occurs independently on the fast time scale, this change induces an additional conformational change only when both helices are present.
Despite recent remarkable advances in binary code analysis, malware developers are still using complex anti-reversing techniques to make analysis difficult. To protect malware, they use packers, which are (commercial) tools that contain various anti-reverse engineering techniques such as code encryption, anti-debugging, and code virtualization. In this paper, we present x64Unpack: a hybrid emulation scheme that makes it easier to analyze packed executable files and automatically unpacks them in 64-bit Windows environments. The most distinctive feature of x64Unpack compared to other dynamic analysis tools is that x64Unpack and the target program share virtual memory to support both instruction emulation and direct execution. Emulation runs slowly but provides detailed information, whereas direct execution of a code chunk runs very fast and can handle complex cases related to the operating system or hardware devices. With x64Unpack, we can monitor major API (Application Programming Interface) function calls or conduct fine-grained analysis at the instruction level. Furthermore, x64Unpack can detect anti-debugging code chunks, dump memory, and unpack packed files. To verify the effectiveness of x64Unpack, experiments were conducted on the obfuscation tools UPX 3.95, MPRESS 2.19, Themida 2.4.6, and VMProtect 3.4. In particular, VMProtect and Themida are considered among the most complex commercial packers in 64-bit Windows environments. Experimental results show that x64Unpack correctly emulates the packed executable files and successfully produces the unpacked version. Based on this, we provide detailed analysis results on the obfuscated executable file that was generated by VMProtect 3.4.
Low latency networking is gaining attention to support futuristic network applications like the Tactile Internet with stringent end-to-end latency requirements. To realize this vision, cut-through (CT) switching is believed to be a promising solution to significantly reduce the latency of today's store-and-forward switching, by splitting a packet into smaller chunks called flits and forwarding them concurrently through the input and output ports of a switch. Nevertheless, the end-to-end latency performance of CT switching has not been well studied in heterogeneous networks, which hinders its adoption in general-topology networks with heterogeneous links. To fill this gap, this paper proposes an end-to-end latency prediction model for a heterogeneous CT switching network, where the major challenge comes from the fact that a packet's end-to-end latency depends on how and when its flits are forwarded at each switch, since each flit is forwarded individually. As a result, traditional packet-based queueing models are not directly applicable, and thus we construct a method to estimate per-hop queueing delay via an M/G/c queueing approximation, based on which we predict the end-to-end latency of a packet. Our extensive simulation results show that the proposed model achieves a 3.98–6.05% 90th-percentile error in end-to-end latency prediction.
Achieving low end-to-end latency with high reliability is one of the key objectives for future mission-critical applications, like the Tactile Internet and real-time interactive Virtual/Augmented Reality (VR/AR). To this end, cut-through (CT) switching is a promising approach to significantly reduce the transmission delay of store-and-forward switching, via flit-ization of a packet and concurrent forwarding of the flits belonging to the same packet. CT switching, however, has been applied only to well-controlled scenarios like network-on-chip and data center networks, and hence flit scheduling in heterogeneous environments (e.g., the Internet and wide area networks) has received little attention. This paper fills this gap to facilitate the adoption of CT switching in general-purpose data networks. In particular, we first introduce a packet discarding technique that sheds packets expected to violate their delay requirement, and then propose two flit scheduling algorithms, fEDF (flit-based Earliest Deadline First) and fSPF (flit-based Shortest Processing-time First), aiming at enhancing both reliability and end-to-end latency. Considering packet delivery ratio (PDR) as a reliability metric, we performed extensive simulations to show that the proposed scheduling algorithms can improve PDR by up to 30.11% (when the delay requirement is 7 ms) and the average end-to-end latency by up to 13.86% (when the delay requirement is 10 ms), compared with first-in first-out (FIFO) scheduling.
A software birthmark is a set of inherent characteristics of a program extracted from the program itself. By comparing birthmarks, we can detect whether one program is a copy of another. We propose a static API birthmark for Windows executables that utilizes sets of API calls identified statically by a disassembler. By comparing 49 Windows executables, we show that our birthmark can distinguish similar programs and detect copies. By comparing binaries generated by various compilers, we also demonstrate that our birthmark is resilient. We compare our birthmark with a previous Windows dynamic birthmark to show that it is more appropriate for GUI applications.
A software birthmark refers to the inherent characteristics of a program that can be used to identify the program. In this paper, a method for detecting the theft of Java programs through a static software birthmark based on control flow information is proposed. The control flow information shows the structural characteristics and the possible behaviors during the execution of a program. Flow paths (FPs) and behaviors in Java programs are formally described here, and a set of behaviors of FPs is used as a software birthmark. The similarity is calculated by matching pairs of similar behaviors from two birthmarks. Experiments on the proposed birthmark were conducted with respect to precision and recall, and the performance was evaluated by analyzing the F-measure curves. The experimental results show that the proposed birthmark is a more effective measure than earlier approaches for detecting copied programs, even in cases where such programs are aggressively modified.
YtvA from Bacillus subtilis is a sensor protein that responds to blue light stress and regulates the activity of the transcription factor σB. It is composed of the N-terminal LOV (light–oxygen–voltage) domain, the C-terminal STAS (sulfate transporter and anti-sigma factor antagonist) domain, and a linker region connecting them. In this study, the photoreaction and kinetics of full-length YtvA and its intermolecular interaction with a downstream protein, RsbRA, were revealed by the transient grating method. Although N-YLOV-linker, which is composed of the LOV domain of YtvA with helices A′α and Jα, exhibits a diffusion change due to the rotational motion of the helices, the YtvA dimer does not show this diffusion change. This result suggests that the STAS domain inhibits the rotational movement of helices A′α and Jα. We found that the YtvA dimer forms a heterotetramer with the RsbRA dimer, probably via the interaction between the STAS domains, and we observed a diffusion change upon blue light illumination with a time constant faster than 70 μs. This result suggests a conformational change of the STAS domains; i.e., the interface between the STAS domains of the proteins changes to enhance the friction with water through the rotational structural change of helices A′α and Jα of YtvA.
Park, K.S.; Kim, J.; Kim, T., and Choi, S., 2023. What are the future extreme risks in the ocean and fisheries sector? In: Lee, J.L.; Lee, H.; Min, B.I.; Chang, J.-I.; Cho, G.T.; Yoon, J.-S., and Lee, J. (eds.), Multidisciplinary Approaches to Coastal and Marine Management. Journal of Coastal Research, Special Issue No. 116, pp. 388-392. Charlotte (North Carolina), ISSN 0749-0208. As modern society becomes increasingly complex, extreme risks—or so-called X-events—are occurring more and more frequently, with increased ripple effects. A great variety of risks, such as the 9/11 terrorist attacks, the global financial crisis, the Fukushima nuclear disaster, and the COVID-19 pandemic, can occur anytime and anywhere. As such, international organizations and governments strive to preemptively discover risks, measure their impact, and strengthen resilience. However, research on risks confronting the ocean and fisheries sector has been insufficient. Research that relies solely on the patterns of past risks inevitably misses the possibility of discovering new future risks and comprehending their ripple effects alongside co-occurring multiple risks. This study proposes a framework for discovering possible future risks in the ocean and fisheries sector based on their possibility of occurrence, ripple effect, and resilience. For this purpose, a vast amount of data is collected from academic journals and online social media and analyzed using topic modeling, followed by expert interviews and a survey of the public. Four main sub-sectors of the ocean and fisheries sector are analyzed: marine, fisheries, shipping logistics, and ports. Risks related to the marine environment and marine-caused natural disasters are rated highly in the marine sector. In fisheries, the radioactive contamination of aquatic products ranks first. In shipping and logistics, issues like global competition over the logistics supply chain and logistics paralysis due to natural disasters are of primary concern. In the port sub-sector, issues like the competition between ports and the negative effects of digitalization on job loss and cyber security top the list. The most significant risk in the ocean and fisheries sector as a whole is the “acceleration of global warming,” followed by the “occurrence of super typhoons” and “increase in marine plastic waste.”