FACULTY CANDIDATE: Jedidiah R. Crandall University of California at Davis Tools and Techniques for Understanding and Defending Real Systems ACES 2.302 Thursday March 8 2007 11:00 a.m.

Contact Name: 
Jenna Whitney
Date: 
Mar 8, 2007 11:00am - 12:00pm

There is a signup schedule for this even

t.

Speaker Name/Affiliation: FACULTY CANDIDATE - Jedidiah R. Crandal

l
University of California at Dav

is

Date/Time: March 8 2007 11:00 a.m. - Noon

Location: AC

ES 2.302

Talk Title: Tools and Techniques for Understanding and Def

ending Real Systems

Talk Abstract:
My research philosophy is to a

pproach security not as a problem to be
solved but as a battle for defe

nders (such as antivirus professionals law enforcement and next-generation
security technology developers) to wage; so my goal is to provide them wi

th the tools they need both as implementations of actual techniques they c

an use and as theory that is firmly grounded in practice and can be applie

d to the situations that they face. This talk will cover two projects I ha

ve worked on: DACODA (DAvis malCODe Analyzer) and Temporal Search.

T

he threat of malware such as worms and botnets to the Internet
infrast

ructure and other parts of the information economy is constantly growing an

d evolving. Where simple worms had once wreaked senseless havoc and vandal

ized hundreds of thousands of systems now large botnets carry out the inst

ructions of organized criminal enterprises - not because the former problem
is solved but because the threat has developed. One promising line of de

fense is network signatures that detect the exploits that worms and botnets
use to spread. While malware writers could use polymorphism and metamorph

ism to change the network signature of their malware they have not done so
except in a very limited fashion probably because defenses are not mature
enough to warrant the effort. Given a lack of significant polymorphic and
metamorphic worms and botnets in the wild how can we assess the ability o

f defenses to protect against polymorphism and metamorphism before those de

fenses are deployed?

DACODA is a full-system implementation of symbo

lic execution for analyzing worm exploits. As a worm exploits a vulnerabil

ity on a victim host such as a buffer overflow there are particular bytes
of the network traffic that cannot be changed without causing the attack t

o fail for example GET HTTP cannot be removed from the Code Red worm explo

it or the attack will not work. We used DACODA as a tool to quantify and s

tudy the limits of polymorphism and metamorphism and develop a theory to un

derstand this threat to signature-based worm defenses. This theory is base

d on the intricacies of 14 real exploits that we analyzed seven of them ac

tual attacks or worms on our Minos/DACODA Internet honeypots.

We hav

e also looked at the problem of responding to malware that has
already s

pread out enough to cause a threat. Temporal search is a
behavior-based
analysis technique using virtual machines where it is
possible to disco

ver that a piece of malware is counting down to some
event in the future
(when it might for example delete all of your files or download new inst

ructions from a public web server) without waiting for the event to occur.

It is based on slight time perturbations symbolic execution predicate inv

ersion and then a weakest precondition analysis to account for quirks in t

he Gregorian calendar (leap years number of days in each month etc.). Ap

plying a prototype of this technique to six real worms taught us a lot abou

t timebomb attacks and behavior-based malware analysis in general.