Developing new ways to analyse malicious software

By Stuart Pallister

SMU Office of Research & Tech Transfer – Singapore Management University researchers believe they have developed a new way of tackling malicious software or malware, which hackers deploy to infect computer systems and steal data.

In an interview with the Office of Research & Tech Transfer, Associate Professor at the School of Computing and Information Systems Ding Xuhua outlined the progress of a 30-month-long research project, which began in 2019 and ended in June this year. Its purpose was to develop a new execution framework for malware analysis.

“Our project is not to prevent malware from infecting our computer systems or prevent malware from attacking us. It’s a way of analysing malware.”

As the topic is highly technical, Professor Ding uses the analogy of a doctor treating patients to convey the purpose of the project.

“If patients are sick, the doctor tries to find out what’s wrong with them. Maybe it’s due to some sort of inflammation? So how do you find out? We have techniques like CT (computed tomography), MRA (magnetic resonance angiography), or X-ray to carry out a transparent diagnosis. You can see if something is wrong with a particular part of the body. In terms of malware, you can’t do that, especially if it’s running at the kernel level.”

The kernel is at the core of the computer, in its operating system, and malware may be able to infect this. “Our work, in a very broad sense, is to analyse software, especially software running the kernel.” However, he added: “malware may try to prevent us from analysing it and may even be able to tell if it’s being analysed.”

The aim then is to conduct transparent analysis, much in the same way as in the medical profession. Unlike dealing with patients, however, who would be able to describe their symptoms to the doctor, malware analysis requires a somewhat different approach.

“There are two ways of dealing with malware analysis. You can modify the software by adding code to provide information or you can modify the environment, so the malware doesn’t even run on a real CPU (the computer’s central processing unit or control centre).”

The researchers aimed to control specific malware by observing how it behaved and then changing its settings, code or environment. However, malware running in the kernel or operating system poses additional challenges. “In any computer, the operating system is the big boss. It controls everything.”

“Our goal is not to neutralise the malware. Our goal is to do the diagnosis and analyse its behaviour.”

Addressing the issue

Staying with the healthcare analogy, Professor Ding says they have invented a sort of CT machine for the doctor to use. “Our technique is not about how you’re going to analyse the CT image. That’s the doctor’s business, not the machine’s job.” He went on to say that, unlike the CT machine, which is passive because it can only take images of the patient that then need to be analysed by a doctor, “our technique allows you to control the target.”

What then was the outcome of the 30-month project?

“We have invented a novel way of analysing malware, regardless of whether it’s in an application or in the kernel to ensure it’s transparent.”

Here Professor Ding uses another analogy – that of a one-way mirror in a police station interview room. “We can monitor the malware and control it from outside but the malware cannot attack us and cannot see us. We can change its data and control flow.”

For example, the malware can be forced to take a specific direction by changing its execution instructions. This may be as simple as controlling its ability to check the time, which would effectively disarm a potential time bomb.

Although there are commercial applications stemming from this research, Professor Ding acknowledges kernel debugging is a niche market. He has outlined his research at a Black Hat forum for practitioners and government agencies – “not only academics” – and took part in a workshop in Singapore. “When I explain what we’ve achieved, normally people are very excited because this is a big achievement in terms of research. It’s a hot problem solved. But in terms of commercial applications, it’s not there yet.”

“What we’re providing is a platform. It’s up to others to develop tools to show the actual value.” It’s similar, he says, to the person who invented the steam machine. It was then up to others to develop this into, for example, engines for cars and trains.

The researchers are now looking into other applications, such as virtual machine debugging for cloud-based services. “Let’s say I have a virtual machine with a cloud-based service and my VM crashes. I won’t be able to do troubleshooting and the company may not be interested in helping as it will say I only offer the hardware – the software is your own business. So if you get sick, you’re on your own and no one takes care of you.”

Professor Ding says that if cloud-based services were to provide diagnostic tools which would help users fix their virtual machines, “this may have a bigger impact.” He adds that he and his team are now trying to convince government agencies and others to provide funding for this proposed project, “so cloud providers can offer this facility without doing the actual diagnostic work or VM care.”

Back to Research@SMU November 2022 Issue