
BackScan: Backdoor Detection via Functionality Profiling


If you have a question about this talk, please contact Gurchetan Grewal.

This paper presents a hybrid approach to detecting anomalous executables—potentially containing additional functionality backdoors—within the firmware of consumer off-the-shelf (COTS) embedded devices. A classifier derived from supervised learning is used to infer what kind of functionality a given executable has. This inference then drives targeted static analysis passes, which ascertain whether the executable conforms to its expected functionality profile. We have developed a new domain-specific language, called Binary Functionality Description Language (BFDL), which encodes the static analysis passes that define these functionality profiles. Finally, for firmware that contains anomalous executables, we build a profile by statically enumerating the possible services running on the corresponding device, in order to check whether the anomalous executable is actually being executed. BackScan achieves an excellent classification of executable categories with virtually zero false positives for common services. Additionally, it identifies various new and existing backdoors within firmware from different vendors. It also manages to pinpoint specific areas within the firmware which exhibit suspicious behaviour, so that they can be further analysed by an expert.

This talk is part of the Computer Security Seminars series.


Talks@bham, University of Birmingham.