Understanding software that does not want to be understood


Malware, such as backdoors, rootkits, trojans, viruses and worms, is a bane of our digital lives. New varieties of malicious software are discovered daily.

To develop countermeasures, security analysts must quickly figure out new malware’s internal workings.

My students and I are developing automated tools that make it easier for security analysts to respond rapidly to malware. Our project is called the Lynx project because in some Native American traditions, the lynx has the power to reveal hidden truths — exactly what’s needed to combat malware.

In response to the defenses analysts create, malware writers make their programs more difficult to analyze and understand. Some malware rewrites its own code as it executes; some hides its logic within innocuous-looking data; and some turns the host computer's own instructions against it.

Current techniques for analyzing such obfuscated software, software that does not want to be understood, are fairly primitive, and the process is slow and tedious.

We’re working to change that.

To speed up analysis, the Lynx project identifies the malware’s flow of data in its interactions with the world. We then untangle that flow by chipping away at the program’s computations over and over and over again — millions of times — thus scraping away the layers of obfuscation and exposing the software’s inner logic.
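To make the two ideas above concrete, here is an added toy example. It is not the Lynx project's code and does not reproduce its techniques; everything in it (the tiny three-address language, the constructed sample program, the XOR-encoded blob it hides in, and the particular simplification passes) is an assumption made for illustration. The sample program hides its logic in encoded bytes, builds its key through opaque arithmetic, pads itself with identity operations and dead code, and is assumed to be straight-line with each variable assigned once. The analyser runs it, records the executed trace, then repeatedly folds constants, removes identities, propagates copies and cuts away everything not on the data-flow path from the input to the output, until a pass changes nothing.

```python
"""Toy trace-based deobfuscation (added illustration; not the Lynx project's code).

Assumed: a made-up three-address language with single-assignment variables,
a sample program constructed here, and simplification passes chosen for
illustration only.
"""
import operator

OPS = {'^': operator.xor, '+': operator.add, '*': operator.mul, '&': operator.and_}

# Constructed sample.  In a real sample only the encoded bytes would be
# present; the plaintext is kept here so the reader can compare it with the
# simplified result.  Its real logic is just: out = (input ^ 0x4D) & 0xFF.
PROGRAM_TEXT = """\
k0 = 90
k1 = k0 ^ 23
k2 = k1 * 1
k3 = k2 + 0
x = input
y = x ^ k3
junk = k3 + 99
out = y & 255
"""
KEY = 0x33
ENCODED = bytes(c ^ KEY for c in PROGRAM_TEXT.encode())  # "innocuous-looking data"


def decode(blob):
    """What the sample's own loader does: recover the program text from the blob."""
    return bytes(c ^ KEY for c in blob).decode()


def operand(tok):
    return int(tok) if tok.lstrip('-').isdigit() else tok


def parse(text):
    """Each line is 'dest = a' or 'dest = a OP b'; returns (dest, op, a, b) tuples."""
    prog = []
    for line in text.strip().splitlines():
        dest, rhs = (s.strip() for s in line.split('='))
        parts = rhs.split()
        if len(parts) == 1:
            prog.append((dest, None, operand(parts[0]), None))
        else:
            a, op, b = parts
            prog.append((dest, op, operand(a), operand(b)))
    return prog


def execute(prog, inp):
    """Run the program and record every executed statement (the trace).
    With branches only the executed path would be recorded; the sample is
    straight-line, so here the trace equals the program."""
    env, trace = {'input': inp}, []
    for dest, op, a, b in prog:
        va = env[a] if isinstance(a, str) else a
        vb = env[b] if isinstance(b, str) else b
        env[dest] = va if op is None else OPS[op](va, vb)
        trace.append((dest, op, a, b))
    return env['out'], trace


def fold_and_identity(trace):
    """Constant folding plus x*1, x+0, x^0 -> x."""
    out = []
    for dest, op, a, b in trace:
        if op is not None and isinstance(a, int) and isinstance(b, int):
            out.append((dest, None, OPS[op](a, b), None))
        elif (op in ('+', '^') and b == 0) or (op == '*' and b == 1):
            out.append((dest, None, a, None))
        else:
            out.append((dest, op, a, b))
    return out


def propagate(trace):
    """Copy/constant propagation: later uses of a copied variable read its source."""
    subst, out = {}, []
    for dest, op, a, b in trace:
        a = subst.get(a, a) if isinstance(a, str) else a
        b = subst.get(b, b) if isinstance(b, str) else b
        if op is None and dest != 'out':
            subst[dest] = a
        out.append((dest, op, a, b))
    return out


def eliminate_dead(trace):
    """Backward data-flow slice from 'out': drop statements it never depends on."""
    live, kept = {'out'}, []
    for dest, op, a, b in reversed(trace):
        if dest in live:
            kept.append((dest, op, a, b))
            live.update(x for x in (a, b) if isinstance(x, str))
    return kept[::-1]


def deobfuscate(trace):
    """Apply the passes over and over until a full round changes nothing."""
    while True:
        new = eliminate_dead(propagate(fold_and_identity(trace)))
        if new == trace:
            return trace
        trace = new


def analyse(inp):
    """Load, run and simplify the sample; returns (observed output, simplified trace)."""
    out, trace = execute(parse(decode(ENCODED)), inp)
    return out, deobfuscate(trace)


def show(trace):
    return '\n'.join(f"{d} = {a}" if op is None else f"{d} = {a} {op} {b}"
                     for d, op, a, b in trace)


if __name__ == '__main__':
    out, simplified = analyse(5)
    print("observed output for input 5:", out)
    print(show(simplified))
```

Running it with input 5 reports output 72 and leaves two statements, `y = input ^ 77` and `out = y & 255`, where the original had eight; the simplified trace still computes the same output as the obfuscated program for every input, which is the check a practitioner should run before trusting any simplification.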

Our ultimate goal is significantly accelerating the process of understanding and developing countermeasures to malicious code.