BackScan: Backdoor Detection via Functionality Profiling

Add to your list(s) Download to your calendar using vCal

• Sam Thomas (University of Birmingham)
• Thursday 17 September 2015, 11:00-12:00
• Room 245, School of Computer Science.

If you have a question about this talk, please contact Gurchetan Grewal.

This paper presents a hybrid approach to detect anomalous executables—potentially containing additional functionality backdoors—within the firmware of consumer off-the-shelf (COTS) embedded devices. A classifier derived from supervised learning is used to infer what kind of functionality a given executable has. This is then used to drive targeted static analysis passes which ascertain whether this executable conforms to its expected functionality profile. We have developed a new domain specific language, called Binary Functionality Description Language (BFDL), which encodes the static analysis passes to define different said functionality profiles. Finally, for firmware that contains anomalous executables, we build a profile by statically enumerating the possible services running on the corresponding device in order to check whether the anomalous executable is actually being executed. BackScan achieves an excellent classification of executable categories with virtually zero false positives for common services. Additionally, it identifies various new and existing backdoors within firmware from different vendors. It also manages to pinpoint specific areas within the firmware which exhibit suspicious behaviour such that it can be further analysed by an expert.

This talk is part of the Computer Security Seminars series.

This talk is included in these lists:

• Computer Science Departmental Series
• Computer Science Distinguished Seminars
• Computer Security Seminars
• Room 245, School of Computer Science
• computer sience

Note that ex-directory lists are not shown.