With the advent of highly sophisticated cyber-physical malware (CPM), a cyber-attack can cripple critical services. What distinguishes CPM from traditional malware is the open-ended range of possible malware triggers, resulting from the wide spectrum of sensor inputs, and the limitless application-specific possibilities for designing malicious payloads. This talk will be about our work on two DARPA programs that called for novel software analysis technologies to address such open-ended CPM.
In detecting sophisticated CPM, the tasks are: developing plausible hypotheses for the malware trigger and malicious payload, analyzing software to gather evidence based on the CPM hypotheses, and verifying software to prove or refute a hypothesis based on the gathered evidence. We shall discuss and demonstrate effective technology to support these tasks. Detecting sophisticated CPM calls for an “intelligence amplifying” (IA) technology that enables humans to understand complex software and apply that understanding to quickly build or refine software analyzers and verifiers to hypothesize and verify malware.
We will elaborate on two key elements of the IA technology: (1) the eXtensible Common Software Graph (XCSG) and (2) an XCSG-based embedded domain-specific language (eDSL) to analyze, verify, and transform software. XCSG, designed with the fundamental notion of sets and relations in mathematics, is an abstraction layer that sits above high-level programming languages and serves as a unifying framework to study software written in different languages. XCSG has enabled us to design the eDSL that drastically simplifies the task of writing software analyzers, verifiers, and transformers.
We shall demonstrate powerful programs to analyze C or Java software – programs that can be written in minutes with eDSL but would otherwise take days and thousands of lines of code to write. We will summarize our performance on 53 applications posed as challenges by DARPA on the Space/Time Analysis for Cybersecurity (STAC) program. We will present a case study to showcase how a complex vulnerability is hypothesized and verified.
Venue: 13th Central Area Networking and Security (CANSec) Workshop, Ames, Iowa, USA, 26th October 2019
Author: Payas Awadhutkar