SysCallic

Status: Ongoing

Dynamic malware analysis techniques provide a more concrete view of a malicious executable's actions than is generally attainable through static analysis. For instance, an analyst can observe not only the target program's calls to Win32 APIs, but also the actual argument values passed to those calls. The tradeoff, however, is that dynamic analyses have traditionally been limited in their path coverage, i.e., only a fraction of the executable's total functionality is observed under dynamic analysis. This is because a program may follow different paths through its internal code depending on its configuration, external stimuli, etc. Concolic execution, a portmanteau of concrete and symbolic execution, is a technique for automatically driving execution along many different reachable paths of a binary executable. By applying such concolic execution techniques, we will overcome the path coverage limitation of traditional dynamic malware analysis. Further, we will develop techniques to identify relationships between instances of malware based on shared features uncovered with our new concolic-backed dynamic malware analyses.
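As an added illustration of the concolic loop described above (not code from the SysCallic project): a single concrete run of the toy program below observes exactly one path, while the concolic loop collects the branch conditions of each run, negates one branch at a time with its prefix kept, solves for a fresh input and reruns until every reachable behaviour has been seen. The sample program, the `Tracer`/`Branch` helpers and the bounded-search `solve` function are all assumptions made for this example; a real engine records path constraints at the instruction level and hands them to an SMT solver.

```python
"""Toy concolic execution loop: added illustration, not SysCallic project code.

The sample program, the Tracer/Branch names and the bounded-search "solver"
are assumptions made for this example. Constraints are Python predicates over
one integer input; the solver is a bounded enumeration of candidate inputs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Constraint = Tuple[Callable[[int], bool], bool]   # (predicate, required outcome)
Path = Tuple[Tuple[str, bool], ...]               # ((branch name, taken), ...)


@dataclass(frozen=True)
class Branch:
    """One branch condition evaluated on a concrete run."""
    name: str
    pred: Callable[[int], bool]
    taken: bool


class Tracer:
    """Runs the program concretely on input x while recording every branch."""

    def __init__(self, x: int) -> None:
        self.x = x
        self.trace: List[Branch] = []

    def branch(self, name: str, pred: Callable[[int], bool]) -> bool:
        taken = pred(self.x)
        self.trace.append(Branch(name, pred, taken))
        return taken


def sample_program(t: Tracer) -> str:
    """Constructed stand-in for a binary whose behaviour depends on a config
    value. Each return value names a behaviour an analyst wants to observe."""
    if t.branch("x > 1000", lambda v: v > 1000):
        if t.branch("x % 7 == 3", lambda v: v % 7 == 3):
            return "beacon"          # only reachable on a narrow input range
        return "sleep"
    if t.branch("x & 1 == 0", lambda v: v & 1 == 0):
        return "write_registry"
    return "exit"


def solve(constraints: List[Constraint], domain: Iterable[int]) -> Optional[int]:
    """Assumption: bounded search standing in for an SMT solver.
    Returns an input satisfying every (predicate, outcome) pair, or None."""
    for cand in domain:
        if all(pred(cand) == want for pred, want in constraints):
            return cand
    return None


def concolic_explore(program, seed: int, domain: Iterable[int],
                     max_runs: int = 50) -> Tuple[Dict[Path, str], Set[int]]:
    """Concolic loop: run concretely, collect the path condition, negate one
    branch at a time while keeping its prefix, solve for a new input, repeat.
    Returns {path: observed behaviour} and the set of inputs tried."""
    worklist: List[int] = [seed]
    tried: Set[int] = set()
    paths: Dict[Path, str] = {}
    while worklist and len(tried) < max_runs:
        x = worklist.pop(0)
        if x in tried:
            continue
        tried.add(x)
        t = Tracer(x)
        behaviour = program(t)
        path: Path = tuple((b.name, b.taken) for b in t.trace)
        paths[path] = behaviour
        for i, b in enumerate(t.trace):
            # Path prefix up to branch i, with branch i flipped.
            flipped_prefix = path[:i] + ((b.name, not b.taken),)
            if any(p[: i + 1] == flipped_prefix for p in paths):
                continue                     # that branch direction already covered
            constraints: List[Constraint] = [(pb.pred, pb.taken) for pb in t.trace[:i]]
            constraints.append((b.pred, not b.taken))
            new_x = solve(constraints, domain)
            if new_x is not None and new_x not in tried:
                worklist.append(new_x)
    return paths, tried


if __name__ == "__main__":
    found, inputs = concolic_explore(sample_program, seed=0, domain=range(0, 2000))
    print(f"{len(found)} paths from {len(inputs)} runs (a single concrete run sees 1)")
    for p, beh in found.items():
        cond = " && ".join(f"{'' if taken else '!'}({n})" for n, taken in p)
        print("  ", cond, "->", beh)
```

Starting from the seed input 0, the loop reaches all four behaviours in four runs; the "beacon" behaviour, which a concrete-only run from an arbitrary seed would almost never hit, is found by solving the negated second branch under the first branch's constraint.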