Detection of Malicious Code Using Static Taint Analysis
Abstract
The problem is laid out as follows. DoD uses a lot of software produced by various supply chains, and these supply chains can be compromised by an adversary, for example through network intrusion or an insider threat. Failing to detect malicious code can be very costly, but detection is difficult; the SolarWinds incident of 2020 is an example.

We aim to detect two types of malicious code: (1) exfiltration of potentially sensitive information, and (2) timebombs / logic bombs, Remote-Access Trojans, etc. In general, the second type amounts to calling a potentially sensitive system API (e.g., starting a new process) in response to a potentially questionable trigger (e.g., on a specific date, in response to incoming network packets, etc.).

Our approach has a scope restriction: we flag code as potentially malicious, but further human analysis is required to determine whether the code is actually malicious, since whether behavior is malicious depends on what the program is supposed to do. Vulnerabilities like SQL injection are outside the main focus of this project.

The goal for our tool is to produce output that concisely and precisely characterizes the potentially malicious behaviors of the codebase, so that a human analyst can quickly and accurately determine whether the behavior is benign or malicious.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 01, 2023
- Accession Number: AD1210357
Entities
- People: William Klieber
- Organizations: Carnegie Mellon University