Abstract
Malware needs to execute on a target machine while simultaneously keeping its payload confidential from a malware analyst. Standard encryption can be used to ensure the confidentiality, but it does not address the problem of hiding the key. Any analyst can find the decryption key if it is stored in the malware or derived in plain view. One approach is to derive the key from a part of the environment which changes when the analyst is present. Such malware derives a key from the environment and encrypts its true functionality under this key. In this paper, we present a formal framework for environmental authentication. We formalize the interaction between malware and analyst in three settings: (1) blind: in which the analyst does not have access to the target environment, (2) basic: where the analyst can load a single analysis toolkit on an effected target, and (3) resettable: where the analyst can create multiple copies of an infected environment. We show necessary and sufficient conditions for malware security in the blind and basic games and show that even under mild conditions, the analyst can always win in the resettable scenario.
Author supplied keywords
Cite
CITATION STYLE
Blackthorne, J., Kaiser, B., Fuller, B., & Yener, B. (2019). Environmental authentication in Malware. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11368 LNCS, pp. 381–400). Springer Verlag. https://doi.org/10.1007/978-3-030-25283-0_20
Register to see more suggestions
Mendeley helps you to discover research relevant for your work.
