Software protections are used benignly for protecting assets and maliciously for hiding malware. Attacks thereon are executed maliciously for attacking assets and benignly for analyzing malware. It is commonly accepted that protection strength is determined by three aspects: potency, resilience, and stealth. Whereas potency has received quite some attention and many complexity metrics have been proposed to measure it, resilience and stealth have received very little attention, and no good qualitative evaluation methodologies exist for those aspects, let alone quantitative ones or predictive models that enable protection tool users or malware analysis tool users to choose the best protection combinations resp. the best malware analysis approaches.
Our central hypothesis is that predictive, quantitative models of resilience and stealth can be built for both of the above protection usage and attack scenarios, even though those scenarios feature different boundary conditions: few resources and little time when millions of potential malware samples have to be analyzed daily, but significant resources and time when valuable software assets are attacked in the lab of a cybercriminal organization.
This project will be the first to systematically and holistically address resilience and stealth of a range of protection techniques, incl. obfuscations but also other anti-reverse-engineering and anti-tampering techniques. These aspects need to be addressed together: Resilience is typically better when protections remain stealthy, and stealth is harder to break when stealth-enhancing protections are more resilient.
With adaptations to recent de-obfuscation techniques that are based on fundamental software features such as invariance and semantic relevance, and with novel analysis techniques, we will develop quantitative models to predict how easy and successful automated and manual attacks can be in identifying, undoing, and circumventing used software protections and injected malware. In other words, to evaluate the stealth and resilience of protections and malware.
Our innovation will facilitate decision support systems for software protections, and much improved malware analysis toolboxes.
To collect enough samples to build the models, we will be the first to execute controlled experiments of attack steps focusing on resilience and stealth, with students and professional penetration testers.
Methods to be used include, but are not limited to:
- Literature survey with qualitative analysis (e.g., open coding).
- Controlled experiments with qualitative and quantitative analyses.
- Machine learning to build predictive models.
- Evaluations of state-of-the-art attack tools deployed on state-of-the-art protections applied to real-world use cases and hundreds of thousands malware samples.