
Ruxcon 2011


By root - Posted on 06 November 2011

I will be giving two presentations at Ruxcon this month. Ruxcon is an annual computer security conference here in Australia and is held over the weekend of the 19th and 20th of November in my home town of Melbourne. The Friday before the official Ruxcon conference will be a half-day of talks for professional delegates. I will present at both the main conference and the professional delegates day.

The work I'm presenting covers some of my Ph.D. research on Clonewise and Malwise. This is the first talk I've given that looks at Clonewise. Clonewise is an open-source project and its results have been used by vendors for documentation and vulnerability fixes. The talk will be given on the Saturday at Ruxcon. The Malwise talk for this year improves on the work from last Ruxcon with faster, more effective classification. The Malwise talk is only for professional delegates to the conference and is given on the Friday, but once it is over the content will be made available to the general public.

Automated Detection of Software Bugs and Vulnerabilities in Linux

Abstract: Developers sometimes statically link libraries from third-party projects, maintain an internal copy of third-party software, or fork development of an existing third-party project. This practice can lead to software vulnerabilities when the embedded code is not kept up to date with upstream sources. As a result, manual techniques have been applied by Linux vendors to track embedded code and identify vulnerabilities. In this talk, Silvio will release an automated solution to identify embedded packages without any prior knowledge of such relationships. This approach identifies similar source files based on file names and content to infer relationships between source packages. Graph theory is used to perform the analysis. Silvio's tool also automates identifying whether embedded packages have outstanding vulnerabilities that have not been patched. Using this system, over 30 previously unknown vulnerabilities were identified in Linux distributions. These results are now starting to be used by vendors to track embedded packages.

This work is based on Clonewise.
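To make the idea in the abstract concrete, here is an added example (not Clonewise's own code) of the two steps it describes: inferring embedding relationships between source packages from shared file names, and then propagating an outstanding upstream fix to every package that carries a copy. The package inventory, the stoplist of generic file names, and the "containment" score (fraction of the smaller package's non-generic file names found in the larger one) are all assumptions made for illustration; Clonewise also matches on file content, which this toy skips.

```python
"""Embedded-package detection from shared source file names (added example).

Constructed data: a package name maps to the set of source paths it ships.
Assumed scoring: a package B is taken to embed package A when most of A's
non-generic file basenames also appear somewhere in B. This is a stand-in for
the file-name-plus-content matching described in the talk, not its real code.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory; names are illustrative only.
PACKAGES = {
    "libfoo": {"src/foo.c", "src/foo.h", "src/foo_util.c", "src/foo_io.c", "Makefile"},
    "app-alpha": {"main.c", "net/conn.c", "third_party/libfoo/foo.c",
                  "third_party/libfoo/foo.h", "third_party/libfoo/foo_util.c",
                  "third_party/libfoo/foo_io.c"},
    # Carries an older partial copy of libfoo (3 of 4 sources).
    "app-beta": {"beta.c", "beta.h", "vendor/foo.c", "vendor/foo.h", "vendor/foo_util.c"},
    # Shares only build scaffolding with libfoo: must NOT be flagged.
    "unrelated": {"x.c", "Makefile", "configure", "README"},
}

# File names that occur in almost every project and carry no signal.
GENERIC = {"Makefile", "Makefile.am", "Makefile.in", "configure", "configure.ac",
           "config.h", "README", "COPYING", "LICENSE", "ChangeLog"}


def basenames(paths):
    """Non-generic basenames of a package's files (path prefixes are ignored
    because embedded copies usually live under third_party/ or vendor/)."""
    return {p.rsplit("/", 1)[-1] for p in paths} - GENERIC


def containment(small, large):
    """Fraction of `small` present in `large`, 0.0..1.0."""
    return len(small & large) / len(small) if small else 0.0


def find_embeddings(packages, threshold=0.75):
    """Return (embedder, embedded, score) for every pair whose smaller member
    is mostly contained in the larger one."""
    names = {pkg: basenames(files) for pkg, files in packages.items()}
    edges = []
    for a, b in combinations(names, 2):
        small, large = (a, b) if len(names[a]) <= len(names[b]) else (b, a)
        score = containment(names[small], names[large])
        if score >= threshold:
            edges.append((large, small, score))
    return edges


def build_graph(edges):
    """Directed graph: embedded package -> set of packages that embed it."""
    graph = defaultdict(set)
    for embedder, embedded, _ in edges:
        graph[embedded].add(embedder)
    return graph


def affected(graph, packages_with_pending_fix):
    """Every package that (transitively) embeds a package awaiting a fix.
    These are the packages a vendor must rebuild or patch as well."""
    todo, seen = list(packages_with_pending_fix), set()
    while todo:
        pkg = todo.pop()
        for embedder in graph.get(pkg, ()):
            if embedder not in seen:
                seen.add(embedder)
                todo.append(embedder)
    return seen


if __name__ == "__main__":
    edges = find_embeddings(PACKAGES)
    for embedder, embedded, score in edges:
        print(f"{embedder} embeds {embedded} (containment {score:.2f})")
    # Constructed scenario: upstream libfoo has a fix that downstream copies lack.
    print("needs attention:", sorted(affected(build_graph(edges), {"libfoo"})))
```

Two details are worth noting. Without the stoplist, `unrelated` would be reported as embedding `libfoo` on the strength of `Makefile` and `configure` alone, which is exactly the kind of false positive file-name matching produces at scale. And `app-alpha` and `app-beta` score 0.6 against each other because both carry `libfoo`; the containment threshold keeps that from being reported, but it shows why a shared dependency has to be resolved to the upstream package rather than to whichever downstream copy happens to match first.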

Faster, More Effective Flowgraph-based Malware Classification

Abstract: Static string signatures in antivirus software don't effectively fingerprint unknown malware variants. One approach which has seen some success is using the structural information of a program's control flow to build a signature. The control flow describes the possible paths of execution a program may take. It is represented by what's known as a directed graph: basically a network diagram of how execution moves from one set of instructions to another. Control flow doesn't change much between variants even when the byte-level content changes, as in polymorphic and metamorphic malware. A real advantage of using graphs is that we can compare them to show whether they are approximately similar. We can quantify how similar two programs are and set a threshold to identify related or mutated malware. I have implemented a system using these ideas to perform malware detection in real time. The system improves on previous work by performing more efficiently and detecting more variants. It replaces the classification system that I presented at Ruxcon 2010 and uses several new ideas that make it better. This presentation discusses how the system works, its implementation, and its evaluation.

This work is based on Malwise.
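The abstract's central claim is that two control-flow graphs can be compared for approximate similarity and thresholded. The following added example (not Malwise's code) shows the mechanics on constructed graphs: each function's control flow is a list of directed edges between basic-block ids, each graph is reduced to a multiset of local structural features, and similarity is the weighted Jaccard overlap of those multisets. The feature choice (the in/out-degree of both endpoints of every edge) and the thresholds are assumptions picked for illustration; the real system uses richer structural signatures, and the point here is only that the score ignores block labels and byte content and survives small structural edits.

```python
"""Approximate control-flow-graph similarity (added example, not Malwise's code).

A CFG is a list of (src, dst) basic-block edges. Block ids are arbitrary, so a
recompiled or re-encoded variant with renumbered blocks must score the same as
the original; only the shape of the graph is compared.
"""
from collections import Counter

# Constructed graphs. BRANCH_LOOP is an if/else followed by a loop; the variant
# has the same shape plus one trailing block; STRAIGHT is a straight-line body.
BRANCH_LOOP = [(0, 1), (0, 2), (1, 3), (2, 3), (3, 4), (4, 3), (4, 5)]
BRANCH_LOOP_VARIANT = [(10, 11), (10, 12), (11, 13), (12, 13), (13, 14),
                       (14, 13), (14, 15), (15, 16)]
BRANCH_LOOP_RELABELLED = [(s + 100, d + 100) for s, d in BRANCH_LOOP]
STRAIGHT = [(0, 1), (1, 2), (2, 3), (3, 4)]


def degrees(edges):
    """In- and out-degree of every block."""
    indeg, outdeg = Counter(), Counter()
    for src, dst in edges:
        outdeg[src] += 1
        indeg[dst] += 1
    return indeg, outdeg


def structural_features(edges):
    """Multiset of per-edge local shapes: (in, out) of the source block followed
    by (in, out) of the destination block. Labels disappear at this step."""
    indeg, outdeg = degrees(edges)
    return Counter((indeg[s], outdeg[s], indeg[d], outdeg[d]) for s, d in edges)


def graph_similarity(edges_a, edges_b):
    """Weighted Jaccard similarity of two feature multisets, in 0.0..1.0."""
    fa, fb = structural_features(edges_a), structural_features(edges_b)
    inter = sum((fa & fb).values())   # per-feature minimum count
    union = sum((fa | fb).values())   # per-feature maximum count
    return inter / union if union else 1.0


def program_similarity(prog_a, prog_b, threshold=0.6):
    """Fraction of functions in prog_a that have a structurally similar
    function somewhere in prog_b. A program is a dict name -> CFG edges."""
    if not prog_a:
        return 0.0
    matched = sum(
        1 for cfg_a in prog_a.values()
        if any(graph_similarity(cfg_a, cfg_b) >= threshold for cfg_b in prog_b.values())
    )
    return matched / len(prog_a)


def is_variant(prog_a, prog_b, function_threshold=0.6, program_threshold=0.8):
    """Classification decision: enough of prog_a's functions match prog_b."""
    return program_similarity(prog_a, prog_b, function_threshold) >= program_threshold


# Constructed "programs": a known sample, a mutated variant, and something else.
KNOWN = {"main": BRANCH_LOOP, "helper": STRAIGHT}
VARIANT = {"f1": BRANCH_LOOP_VARIANT, "f2": STRAIGHT}
OTHER = {"a": STRAIGHT}

if __name__ == "__main__":
    print("relabelled:", graph_similarity(BRANCH_LOOP, BRANCH_LOOP_RELABELLED))
    print("variant:   ", round(graph_similarity(BRANCH_LOOP, BRANCH_LOOP_VARIANT), 3))
    print("straight:  ", graph_similarity(BRANCH_LOOP, STRAIGHT))
    print("KNOWN vs VARIANT is variant:", is_variant(KNOWN, VARIANT))
    print("KNOWN vs OTHER is variant:  ", is_variant(KNOWN, OTHER))
```

The relabelled copy scores exactly 1.0, the variant with one extra block scores about 0.67, and the straight-line function scores 0.0 against the branch-and-loop one. The weak spot is visible in the `OTHER` comparison: the trivial `helper` matches any straight-line function, so it alone lifts the program score to 0.5. Real classifiers discount or skip very small functions for that reason, and an adversary who inserts opaque branches and dead blocks into every function is attacking precisely this assumption that control flow is stable across variants.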

Looking forward to seeing everyone at the conference. I'm always happy to talk to individuals and vendors about this and other work I've done.