As seen by the proliferation of commercial-grade malware, attacking networked applications is a profitable enterprise. There are two advantages malware authors currently have against us. The first advantage is that because users run a diverse set of applications on their systems, anti-virus and anti-malware programs must exhaustively search for specific malware instances across all pieces of software on a system. Malware easily thwarts this through the use of polymorphism, metamorphism, obfuscation, and cryptographic packing, placing a financial burden on anti-malware vendors and a performance burden on their users. The second advantage malware authors enjoy is that while there are a lot of applications to attack, each software target is static across many client machines. As a result, malware authors only need to reverse and exploit a single instance of an application in order to compromise thousands of machines. This project examines two novel approaches for reversing the advantages held by malware authors. The first approach explores a white-listed execution model that extends integrity-checks beyond the operating system and into the running application in an on-line manner. The second approach explores the on-line, run-time transformation of applications in order to force a malware adversary to reverse and exploit a new application for each new client it wishes to compromise. Finally, the project aims to demonstrate the impact these techniques have on the cost of developing malware.

Project Report

The goal of the project "Increasing the Cost of Malware" was to take the same techniques malware authors have been using against us for decades and to apply them towards securing systems instead. Specifically, the key observation is that malware has been using polymorphism and metamorphism to increase the cost of defending against attacks. Such techniques break signature detection schemes and require security analysts to repeatedly perform painstaking reverse engineering analysis. The aim of the project was to use polymorphism and metamorphism to protect legitimate software.

Intellectual merit: Our work applied metamorphism and polymorphism directly to the problem of automated web attacks. CAPTCHAs and proof-of-work have been commonly used to protect against such attacks. The main research product of this project was MetaCAPTCHA (www.metacaptcha.com): a system that metamorphically delivers a variety of challenges to adversaries before allowing them access to a service. To our knowledge, this is the first metamorphic system for delivering CAPTCHAs and proof-of-work challenges. We are now applying our techniques to a new domain: security education. Specifically, we are building metamorphic capture-the-flag exercises that can be used to offer computer security courses more effectively.

Broader impact: We developed and deployed a version of our service. A demo of how it works is available at www.youtube.com/watch?v=9pY2E4w9C1c and the code behind the service is freely available and described in a recent publication. The research grant has allowed us to continue our successful undergraduate and high-school internship program. Over the course of the grant, we have mentored 6 high-school students and 3 undergraduate students in techniques for identifying and thwarting malware. By exposing these students early in their careers, we have hopefully shifted their awareness towards this critical area of need.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 1017034
Program Officer: Sol Greenspan
Budget Start: 2010-09-01
Budget End: 2014-08-31
Fiscal Year: 2010
Total Cost: $498,440
Name: Portland State University
City: Portland
State: OR
Country: United States
Zip Code: 97207