university of London
Title: Automated Analysis and Detection of Malicious Code
With close to 400’000 unique new malicious programs appearing every single day, and wave after wave of trojans and ransomware affecting users and businesses, it is clear that our malware defenses have to become smarter, faster, and highly automated. This lecture will discuss different approaches to the detection and analysis of malicious code. In particular, we will focus on recent developments towards applying techniques from formal methods, including model checking and abstract interpretation. As expected, there are many challenges to be overcome, mainly because traditional formal methods do not assume the software developer to be your opponent.
The lecture presents novel ways to overcome these challenges, e.g., how one can specify malicious behavior to make malware signatures match large classes of malware instead of single specimens. Checking such specifications on real malware requires to address the additional problems of analyzing untrusted low-level code for control flow graph reconstruction and deobfuscation. To address both, we will review the integrated approach to disassembly, control flow reconstruction, and static analysis taken by the Jakstab abstract interpretation framework for binaries.
Johannes Kinder is a Senior Lecturer (Associate Professor) in the Department of Computer Science at Royal Holloway, University of London. His research focuses on assessing and improving the reliability and security of software, in particular with the help of automated tools. This requires him to cross back and forth between the fields of programming languages, software engineering, and systems security. His principal interests lie in program analysis for real-world systems, runtime monitoring and instrumentation, and specification and detection of malware. Johannes holds a doctorate in computer science from TU Darmstadt, a Diplom degree from TU Munich, Germany, and he completed a postdoc at EPFL in Lausanne, Switzerland.