[TYPES/announce] Fully funded PhD position at Inria Rennes - Bretagne Atlantique on malware analysis

Fabrizio Biondi biondif at gmail.com
Mon Jun 6 08:21:31 EDT 2016


Dear colleagues,

  We have opened a fully-funded PhD position at Inria Rennes (France). I
would be very grateful if you could distribute it to potentially interested
students and parties. I also apologize in advance for the potential
cross-posting.

Thank you,

Fabrizio

------------

The TAMIS team (https://team.inria.fr/tamis) at Inria Rennes - Bretagne
Atlantique is looking for a talented Ph.D. candidate to work on malware
analysis.

The candidate will develop new techniques and tools for the extraction of
representative semantic signatures from obfuscated malware binaries. The
candidate will improve and implement deobfuscation techniques to
efficiently extract semantic signatures from malware, in the context of a
new experimental approach to malware analysis, while collaborating with
national and international teams from both academia and industry.

Malware analysis aims to understand the behavior of malware binaries to be
able to detect and reverse infection. Since each malware has a wide range
of variants, classification of a given binary as a variant of known malware
is an important step to neutralizing malware [1,2,3].

The objective of the project is to develop a tool that executes malware
binaries in a realistic virtualized environment able to defeat
counter-virtualization techniques while simulating a large number of
architectures. This tool should execute the malware concretely and
symbolically as necessary and fingerprint its behavior. The fingerprint
will be compared against a database of known malware fingerprints to
classify the analyzed malware binary.

However, malware compilation chains implement obfuscation mechanisms and
cryptographically-enhanced control flow flattening to hinder the analysts'
efforts to classify malware and understand their behavior [4]. Obfuscation
interferes with any attempt to reconstruct the malware's infective behavior
and its control flow, and consequently precludes malware classification.

We have recently shown [5] how Reed-Muller expansion synthesis algorithms
[6,7,8] can be employed as a generalized technique to simplify and
deobfuscate functions and conditionals by considering them as black-box
oracles and reconstructing their input-output behavior by interrogating
them. Synthesis allows us to defeat various direct code obfuscation
techniques. In particular, when combined with our concrete and symbolic
execution approach it allows us to simplify complex or obfuscated parts of
the code and obtain a clear view of the malware's behavior.

The ideal candidate for this position will have a solid educational
background, a strong work ethic, the ability to work independently as well
as to be an effective team member, experience in developing efficient
software tools, and an interest in information security. Expertise in
reverse engineering, symbolic execution and program semantics will be
considered positively in the selection process.

The TAMIS team is the largest security-oriented team at Inria, with
competence spanning the whole field of security, from hardware to protocols
and industry standards.

Candidates are invited to send their application to fabrizio.biondi at inria.fr
and axel.legay at inria.fr. Please include a CV, a short motivation letter
and contact information for 2 referees.

Best regards,

Fabrizio

[1] J.O. Kephart and W.C. Arnold: "Automatic Extraction of Computer Virus
Signatures". Proc. 4th Virus Bulletin Int'l Conf., pp. 178-184, 1994.

[2] S. Cesare and Y. Xiang: "Classification of Malware Using Structured
Control Flow". Proc. 8th Australasian Symp. Parallel and Distributed
Computing (AusPDC '10), 2010.

[3] S. Cesare, Y. Xiang and W. Zhou: "Control Flow-Based Malware Variant
Detection". IEEE Trans. Dependable Sec. Comput. 11(4): 307-317, 2014.

[4] C. Wang: "A Security Architecture for Survivability Mechanisms". PhD
thesis, Department of Computer Science, University of Virginia, October
2000.

[5] F. Biondi, S. Josse and A. Legay: "Comparative Evaluation of the
Effectiveness of Constraint Solvers against Opaque Conditionals". Proc.
IEEE S&P (poster session), 2015.
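Editor's note, added after the announcement and not part of the original message or of the TAMIS team's tooling: the paragraph on Reed-Muller expansion synthesis describes treating an obfuscated function or conditional as a black-box oracle and reconstructing its input-output behavior by interrogating it. The snippet below shows the core of that idea for single-bit inputs: query the oracle on every input, run the fast Moebius transform to obtain the positive-polarity Reed-Muller expansion (the algebraic normal form over GF(2)), and read off the simplified polynomial. The "obfuscated" predicates are constructed stand-ins for decompiled conditionals, and every function name here (`truth_table`, `reed_muller_coeffs`, `synthesize`, ...) is an assumption of this example rather than an API from [5].

```python
"""Reed-Muller (ANF) synthesis of a black-box Boolean function.

Added illustration, not the TAMIS team's tool: the obfuscated predicates below
are constructed examples, and every name here (truth_table, reed_muller_coeffs,
synthesize, ...) is an assumption of this snippet, not an API from [5].
"""


def truth_table(oracle, n):
    """Interrogate the oracle on all 2**n inputs.

    Input index i encodes the assignment x_j = bit j of i, so the table is
    ordered x0 fastest. Only the oracle's least significant output bit is kept,
    which lets an oracle return a Python bool or an int expression.
    """
    return [oracle(*((i >> j) & 1 for j in range(n))) & 1 for i in range(1 << n)]


def reed_muller_coeffs(tt):
    """Fast Moebius transform: truth table -> positive-polarity Reed-Muller
    (algebraic normal form) coefficients over GF(2).

    On return coeffs[m] == 1 iff the monomial prod_{j in m} x_j appears, where
    m is read as a bit mask over the variables. Cost is O(n * 2**n).
    """
    coeffs = list(tt)
    n = len(tt).bit_length() - 1
    for j in range(n):
        bit = 1 << j
        for i in range(len(coeffs)):
            if i & bit:
                coeffs[i] ^= coeffs[i ^ bit]
    return coeffs


def anf_string(coeffs, n, names=None):
    """Render the ANF coefficients as an XOR of monomials ('0' if empty)."""
    names = names or [f"x{j}" for j in range(n)]
    terms = []
    for m, c in enumerate(coeffs):
        if not c:
            continue
        if m == 0:
            terms.append("1")
        else:
            terms.append("*".join(names[j] for j in range(n) if m >> j & 1))
    return " ^ ".join(terms) if terms else "0"


def synthesize(oracle, n, names=None):
    """Black-box synthesis: query every input, then read off the simplified
    polynomial. An opaque predicate collapses to '1' or '0'; an obfuscated
    conditional collapses to the few monomials that actually matter."""
    return anf_string(reed_muller_coeffs(truth_table(oracle, n)), n, names)


# --- Constructed "obfuscated" conditionals standing in for decompiled code ---

def opaque_predicate(x, y):
    # Always true: (x | y) ^ (x & y) is just x ^ y. The synthesizer does not
    # need to know that; it only observes outputs.
    return ((x | y) ^ (x & y)) == (x ^ y)


def obfuscated_and(x, y):
    # (x | y) ^ (x ^ y) == x & y, written to hide the AND.
    return (x | y) ^ (x ^ y)


def obfuscated_branch(x, y, z):
    # ((x | y) & ~(x & y)) is x ^ y; the whole thing is x ^ y ^ (y & z).
    return ((x | y) & ~(x & y)) ^ (y & z)


if __name__ == "__main__":
    for f, n in ((opaque_predicate, 2), (obfuscated_and, 2), (obfuscated_branch, 3)):
        print(f"{f.__name__}: {synthesize(f, n)}")
```

Running the block prints `opaque_predicate: 1`, `obfuscated_and: x0*x1` and `obfuscated_branch: x0 ^ x1 ^ x1*x2`, i.e. the always-true conditional is exposed as the constant 1 and the other two collapse to their real dependencies. The caveat a practitioner should keep in mind: exhaustive interrogation costs 2^n queries for n input bits, so this form is only practical for conditionals over a handful of bits or after slicing the predicate down to the bits it actually reads; scaling it to word-sized operands needs a sampling or solver-backed strategy, which is outside this snippet.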