
Distinguished Seminar:  CARDINAL - Similarity Analysis to Defeat Malware Compiler | Glowworm: A Fast Hash for Jam-Resistant Communication

Date: November 7, 2016
Talk Title: CARDINAL - Similarity Analysis to Defeat Malware Compiler | Glowworm: A Fast Hash for Jam-Resistant Communication
Speaker: Martin Carlisle, Director of Academic Affairs and Teaching Professor, INI
Time & Location: 12:00pm - 1:00pm
DEC, CIC building, Pittsburgh

Abstract

CARDINAL - Similarity Analysis to Defeat Malware Compiler

Authors of malicious software, or malware, have a plethora of options when deciding how to protect their code from network defenders and malware analysts. For many static analyses, malware authors do not even need sophisticated obfuscation techniques to bypass detection; simply compiling with different flags or with a different compiler will suffice. We propose a new static analysis called CARDINAL that is tolerant of the differences in binaries introduced by compiling the same source code with different flags or with different compilers. We accomplished this goal by finding an invariant across these differences. The effective invariant we found is the number of arguments to a call, or callsite parameter cardinality (CPC). Per function, we concatenate all CPCs together and add the result into a Bloom filter. Signatures constructed in this manner can be quickly compared to each other using a Jaccard index to obtain a similarity score. We empirically tested our algorithm on a large corpus of transformed malware and found that using a threshold value of 0.15 for determining a positive or negative match yielded results with an 11% false negative rate and an 11% false positive rate. Overall, we both demonstrate that CPCs are a telling feature that can increase the efficacy of static malware analyses and point the way forward in static analyses.
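As an added illustration of the pipeline the abstract describes (example code, not the authors' implementation), the following Python turns each function's call sites into a CPC token, inserts the tokens into a Bloom filter, and scores two signatures with a Jaccard index against the 0.15 threshold. The filter size, the hash count, the salted-SHA-256 hashing scheme and every CPC sequence below are constructed assumptions; real CPCs would come from a disassembler.

```python
import hashlib

# Bloom filter parameters; the abstract gives none, so these are assumptions.
BLOOM_BITS = 1024
BLOOM_HASHES = 3
MATCH_THRESHOLD = 0.15   # threshold reported in the abstract


def cpc_signature(functions, m=BLOOM_BITS, k=BLOOM_HASHES):
    """Build a CARDINAL-style signature for one binary.

    `functions` is a list with one entry per function; each entry is the
    list of argument counts (callsite parameter cardinalities) at the calls
    that function makes, in program order. Per function the CPCs are
    concatenated into a single token and inserted into a Bloom filter; the
    signature is returned as the set of bit positions that are set.
    """
    bits = set()
    for cpcs in functions:
        token = ",".join(str(c) for c in cpcs)
        for i in range(k):
            # k hash functions derived by salting SHA-256 with the index (assumption)
            digest = hashlib.sha256(f"{i}:{token}".encode()).digest()
            bits.add(int.from_bytes(digest[:4], "big") % m)
    return bits


def jaccard(sig_a, sig_b):
    """Jaccard index |A & B| / |A | B| over the set bits of two filters."""
    if not sig_a and not sig_b:
        return 1.0
    return len(sig_a & sig_b) / len(sig_a | sig_b)


def is_match(functions_a, functions_b, threshold=MATCH_THRESHOLD):
    """True when two binaries' CPC signatures score at or above the threshold."""
    return jaccard(cpc_signature(functions_a), cpc_signature(functions_b)) >= threshold


# Constructed CPC data. MALWARE_O0 and MALWARE_O2 stand for one source file
# built with different flags: the optimised build reorders functions and drops
# one unreferenced function as dead code, but every surviving call keeps its
# argument count, so the remaining per-function tokens are identical.
# UNRELATED shares no token with either build.
MALWARE_O0 = [[2, 3, 1], [1], [4, 2, 2, 3], [0, 1], [2]]
MALWARE_O2 = [[4, 2, 2, 3], [2, 3, 1], [0, 1], [1]]
UNRELATED = [[1, 1], [3], [2, 2, 2, 1], [5], [0]]

if __name__ == "__main__":
    for name, other in (("O2 build", MALWARE_O2), ("unrelated", UNRELATED)):
        score = jaccard(cpc_signature(MALWARE_O0), cpc_signature(other))
        print(f"{name}: jaccard={score:.2f} match={score >= MATCH_THRESHOLD}")
```

Because the dropped function only removes bits from one signature, the two builds keep a high Jaccard score, while the unrelated binary overlaps only through incidental hash collisions.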

Glowworm: A Fast Hash for Jam-Resistant Communication

Jam resistance for omnidirectional wireless networks is an important problem. Existing jam-resistant systems use a secret spreading sequence or secret hop sequence, or some other information that must be kept secret from the jammer. BBC coding is revolutionary in that it achieves jam resistance without any shared secret. BBC requires the use of a hash function that is fast and secure, but "secure" in a different sense than for standard cryptographic hashes. We present a potential hash function: Glowworm. For incremental hashes as used in BBC codes, it can hash a string of arbitrary length in 11 clock cycles. That is not 11 cycles per bit or 11 cycles per byte. That is 11 cycles to hash the entire string, given that the current string being hashed differs from the last only in the addition or deletion of its last bit. An exhaustive security proof has been done for 32-bit Glowworm.

Speaker Bio

Prof. Martin Carlisle is a teaching professor in the Carnegie Mellon University Information Networking Institute and a security researcher in CMU's CyLab. Previously, he was a computer science professor at the United States Air Force Academy, Director of the Academy Center for Cyberspace Research, and founder and coach of the Air Force Academy Cyber Competition Team. Prof. Carlisle earned a PhD in Computer Science from Princeton University. His research interests include computer security, programming languages and computer science education.

He is the primary author of RAPTOR, an introductory programming environment used in universities and schools around the world. He founded and coached the Air Force Academy Cyber Competition Team, which advanced four years to the National Collegiate Cyber Defense Competition. He is an ACM Distinguished Educator, a Colorado Professor of the Year, and a recipient of the Arthur S. Flemming Award for Exceptional Federal Service.