TL;DR: Some of the problems associated with mobile agents are discussed, and it is argued that other forms of code mobility can provide similar advantages while raising far fewer issues.
Abstract: Mobile agents have often been advocated as the solution to the problem of designing and implementing distributed applications in a dynamic environment. Mobile agents provide a very appealing, intuitive, and apparently simple abstraction. Unfortunately there are many difficult problems that have to be addressed in order to make mobile agent-based applications work reliably. This paper discusses some of the problems associated with mobile agents and argues that other forms of code mobility can provide similar advantages while raising far fewer issues.
TL;DR: Gateway is a hypervisor-based system that isolates drivers in an address space separate from the kernel, creating a hardened, non-bypassable interface that monitors the kernel APIs invoked by malicious drivers; it rewrites binary kernel and driver code at runtime and generates new code on demand to optimize the address space transition speed.
Abstract: Recent malware instances execute completely in the kernel as drivers; they do not contain any user-level malicious processes. This design evades the system call monitoring used by many software security solutions, including malware analyzers and host-based intrusion detectors that track only user-level processes. To trace the behavior of kernel malware instances, we design and implement a hypervisor-based system called Gateway that monitors kernel APIs invoked by drivers. Gateway creates a hardened, non-bypassable monitoring interface by isolating drivers in an address space separate from the kernel. To overcome the performance degradation introduced by switches between these separate address spaces, our design rewrites binary kernel and driver code at runtime and generates new code on demand to optimize the address space transition speed. Our experimental measurements show performance overheads of 10% or better, with many overheads less than 1%. Our security evaluation shows that Gateway is able to monitor all kernel APIs invoked by malicious drivers across its non-bypassable interface.
TL;DR: A set of domain-specific optimizations and heuristics are proposed to guide multi-path exploration and improve its efficiency and reliability for unpacking binaries protected with shifting decode frames.
Abstract: Run-time packing is a technique employed by malware authors in order to conceal (e.g., encrypt) malicious code and recover it at run-time. In particular, some run-time packers only decrypt individual regions of code on demand, re-encrypting them when they are not running. This technique is known as shifting decode frames and it can greatly complicate malware analysis. The first solution that comes to mind to analyze these samples is to apply multi-path exploration to trigger the unpacking of all the code regions. Unfortunately, multi-path exploration is known to have several limitations, such as its limited scalability for the analysis of real-world binaries. In this paper, we propose a set of domain-specific optimizations and heuristics to guide multi-path exploration and improve its efficiency and reliability for unpacking binaries protected with shifting decode frames.
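The abstract above describes shifting decode frames and why a single dynamic run is not enough to unpack them. The following toy model is an added example written for this page, not code from the paper or from any real packer: the region bytecode, the XOR "encryption" and the per-region keys are all hypothetical stand-ins. It shows why a memory dump taken along one execution recovers only the regions that path exercised, and how forking at each input-dependent branch (a minimal multi-path explorer with a path constraint) recovers all of them, together with the path budget that is the scalability limit the abstract mentions.

```python
"""Toy model of shifting decode frames (constructed for this example; not the
paper's packer and not a real malware format): each code region is stored
encrypted, decrypted only while it runs, and re-encrypted on exit, so a single
execution never leaves more than one region in cleartext."""

# Hypothetical region bytecode. Payload bytes are >= 0x10 so they never collide
# with the three control-transfer opcodes; each region ends in exactly one of them.
JCC, JMP, EXIT = 0x01, 0x02, 0x03   # JCC k t f: if input[k] != 0 goto t else goto f

REGIONS = [                                 # cleartext program (what we want to recover)
    bytes([0xAA, 0xAB, JCC, 0, 1, 2]),      # region 0: branch on input[0]
    bytes([0xB1, 0xB2, JCC, 1, 3, 4]),      # region 1: branch on input[1]
    bytes([0xC1, 0xC2, JMP, 4]),            # region 2
    bytes([0xD1, EXIT]),                    # region 3
    bytes([0xE1, 0xE2, EXIT]),              # region 4
]

def region_key(i):                          # per-region XOR key, stands in for real crypto
    return (0x5A + 0x33 * i) & 0xFF

def xor(data, key):
    return bytes(b ^ key for b in data)

def pack(regions):
    return [xor(r, region_key(i)) for i, r in enumerate(regions)]

PACKED = pack(REGIONS)                      # the on-disk image an analyst would see

class PackedImage:
    """In-memory image of the protected binary: at most one region is decrypted."""
    def __init__(self, packed):
        self.mem = list(packed)
        self.live = None                    # index of the region currently in cleartext
    def enter(self, i):
        if self.live is not None:           # re-encrypt the frame being left
            self.mem[self.live] = xor(self.mem[self.live], region_key(self.live))
        self.mem[i] = xor(self.mem[i], region_key(i))
        self.live = i
        return self.mem[i]

def terminator(code):
    """Return the control transfer that ends a cleartext region."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == JCC:
            return ("jcc", code[pc + 1], code[pc + 2], code[pc + 3])
        if op == JMP:
            return ("jmp", code[pc + 1])
        if op == EXIT:
            return ("exit",)
        pc += 1                             # payload byte
    raise ValueError("region has no terminator")

def single_path_dump(packed, inputs):
    """What a plain dynamic unpacker gets: only the regions one input exercises."""
    img, dumped, cur = PackedImage(packed), {}, 0
    while True:
        code = img.enter(cur)
        dumped[cur] = code                  # snapshot the frame while it is decrypted
        xfer = terminator(code)
        if xfer[0] == "exit":
            return dumped
        if xfer[0] == "jmp":
            cur = xfer[1]
        else:
            _, k, t, f = xfer
            cur = t if inputs[k] != 0 else f

def multi_path_dump(packed, max_paths=64):
    """Fork at every input-dependent branch. A path constraint records what has
    already been assumed about each input byte so a path stays self-consistent."""
    dumped, work, paths = {}, [(0, {})], 0  # work items: (region to enter, constraints)
    while work and paths < max_paths:       # the budget is where scalability bites
        cur, cons = work.pop()
        paths += 1
        img = PackedImage(packed)           # fresh image per path; regions are self-contained
        while True:
            code = img.enter(cur)
            dumped[cur] = code
            xfer = terminator(code)
            if xfer[0] == "exit":
                break
            if xfer[0] == "jmp":
                cur = xfer[1]
                continue
            _, k, t, f = xfer
            if k in cons:                   # branch already decided on this path
                cur = t if cons[k] else f
                continue
            work.append((f, {**cons, k: False}))   # explore the other arm later
            cons = {**cons, k: True}
            cur = t
    return dumped

def recovered(dump):
    """Region indices recovered, and whether every one matches the cleartext."""
    return sorted(dump), all(dump[i] == REGIONS[i] for i in dump)

if __name__ == "__main__":
    print("single path:", recovered(single_path_dump(PACKED, bytes([1, 0]))))
    print("multi path: ", recovered(multi_path_dump(PACKED)))
```

With input bytes `1, 0` the single-path dump recovers regions 0, 1 and 4 only; the explorer recovers all five. Lowering `max_paths` shows the trade-off the paper's heuristics target: with a budget of one path the explorer degrades to a single-path dump, and real binaries have far more branches than this toy.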
TL;DR: Blast is a general container format for structured binary transmission on the Web that can be used for all types of 3D scene data and exploits the code on demand paradigm to provide a simple yet powerful encoder-agnostic basis to leverage existing domain-specific solutions and compression techniques.
Abstract: Recent advances in Web technology, especially real-time 3D content using WebGL, require an efficient way to transfer binary data. Images, audio and video have respective HTML tags and accompanying data formats that transparently handle binary transmission and decompression. 3D data, on the other hand, has to be handled explicitly by the client application. In contrast to images, audio and video, 3D data is inhomogeneous and neither common formats nor compression algorithms have been established for the Web. Despite the many existing formats for binary transmission of 3D data, none has been able to provide a general binary format for all kinds of 3D data including meshes, textures, animations, and materials. Existing formats are domain-specific and fixed on a certain set of input data and thus too specific to handle other types of data. Blast is a general container format for structured binary transmission on the Web that can be used for all types of 3D scene data. Instead of defining a fixed set of encodings and compression algorithms, Blast exploits the code on demand paradigm to provide a simple yet powerful encoder-agnostic basis to leverage existing domain-specific solutions and compression techniques. Because streaming is of primary importance for a good user experience, Blast is designed on the basis of self-contained chunks to enable JavaScript clients to utilize Web Workers for parallel decoding and to provide early feedback to the user.
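The abstract describes a container of self-contained chunks with encoder-agnostic decoding. The reader below is an added example written for this page, not Blast's code and not its format: the chunk header layout, tag names and encoder ids are hypothetical, and Python threads stand in for the Web Workers a browser client would use. It shows what "self-contained" buys (each chunk is bounds-checked and decoded on its own, so chunks can be processed in parallel and a bad chunk is rejected without touching the others) and adds the check a security reviewer would want around code on demand: the encoder id selects a decoder from a fixed registry rather than fetching code named by the stream.

```python
"""Chunked container reader in the style the Blast abstract describes (constructed
for this example: the chunk layout, tags and encoder ids are hypothetical, not
Blast's real format). Every chunk carries everything needed to decode it, so
chunks can be validated and decoded independently and in parallel."""
import struct
import zlib
from concurrent.futures import ThreadPoolExecutor

HEADER = struct.Struct("<4sII")   # tag, encoder id, payload length (hypothetical layout)
MAX_PAYLOAD = 1 << 20             # refuse absurd lengths before touching the payload

def decode_raw_f32(payload):
    if len(payload) % 4:
        raise ValueError("f32 payload length not a multiple of 4")
    return list(struct.unpack("<%df" % (len(payload) // 4), payload))

def decode_zlib_f32(payload):
    d = zlib.decompressobj()
    out = d.decompress(payload, MAX_PAYLOAD)      # cap output: decompression bomb guard
    if d.unconsumed_tail:
        raise ValueError("compressed payload inflates beyond MAX_PAYLOAD")
    return decode_raw_f32(out)

def decode_q16(payload):
    """Dequantize u16 values: value = lo + q * scale; lo and scale travel in the chunk."""
    if len(payload) < 8 or (len(payload) - 8) % 2:
        raise ValueError("malformed q16 payload")
    lo, scale = struct.unpack_from("<ff", payload, 0)
    qs = struct.unpack("<%dH" % ((len(payload) - 8) // 2), payload[8:])
    return [lo + q * scale for q in qs]

# Encoder-agnostic dispatch: decoders are looked up by id, never loaded from the stream.
DECODERS = {1: decode_raw_f32, 2: decode_zlib_f32, 3: decode_q16}

def split_chunks(buf):
    """Cut the stream into (tag, encoder, payload) triples, bounds-checking each header."""
    chunks, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated chunk header at offset %d" % off)
        tag, enc, n = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if n > MAX_PAYLOAD or n > len(buf) - off:
            raise ValueError("chunk %r: payload length %d exceeds buffer" % (tag, n))
        chunks.append((tag.decode("ascii"), enc, bytes(buf[off:off + n])))
        off += n
    return chunks

def decode_chunk(chunk):
    tag, enc, payload = chunk
    if enc not in DECODERS:
        raise ValueError("chunk %s: unknown encoder %d (not fetching code for it)" % (tag, enc))
    return tag, DECODERS[enc](payload)

def decode_all(buf, workers=4):
    """Decode self-contained chunks in parallel (threads stand in for Web Workers)."""
    chunks = split_chunks(buf)
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(ex.map(decode_chunk, chunks))

# Constructed sample stream: positions raw, normals zlib-compressed, UVs quantized.
def chunk(tag, enc, payload):
    return HEADER.pack(tag, enc, len(payload)) + payload

SAMPLE = (chunk(b"POSN", 1, struct.pack("<6f", 0, 0, 0, 1, 1, 1))
          + chunk(b"NORM", 2, zlib.compress(struct.pack("<3f", 0, 1, 0)))
          + chunk(b"UV__", 3, struct.pack("<ff", 0.0, 0.5) + struct.pack("<2H", 0, 2)))

if __name__ == "__main__":
    for tag, values in decode_all(SAMPLE).items():
        print(tag, values)
```

Because each chunk's length is checked against the remaining buffer before its payload is sliced, a truncated stream fails at the header rather than producing a short read inside a decoder; the per-chunk output cap on decompression keeps one small chunk from inflating into a client-side denial of service. A client that does fetch decoder code on demand should apply the same idea: pick the loader from an allow-list keyed by encoder id, never from a URL carried in the chunk.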
TL;DR: This paper presents the P3 ContainerStore applet, its generator and its design wizard; design wizards are domain-specific tools that guide users in selecting components for constructing particular applications.
Abstract: Domain-specific generators will increasingly rely on graphical specification languages (applets) for declarative specifications of target applications. Applets will provide front-ends to generators and related tools to produce customized code on demand. Critical to the success of this approach will be domain-specific design wizards, tools that guide users in their selection of components for constructing particular applications. In this paper, we present the P3 ContainerStore applet, its generator and design wizard.