UNIVERSITY COLLEGE LONDON
EXAMINATION FOR INTERNAL STUDENTS

MODULE CODE: COMP0060
ASSESSMENT PATTERN: COMP0060A7UA; COMP0060A7PA
MODULE NAME: Malware
LEVEL: Undergraduate Masters; Postgraduate
DATE: 01 May 2019
TIME ALLOWED: 2 hrs 30 mins

This paper is suitable for candidates who attended classes for this module in the following academic year(s): Year 2018-19

EXAMINATION PAPER CANNOT BE REMOVED FROM THE EXAM HALL. PLACE EXAM PAPER AND ALL COMPLETED SCRIPTS INSIDE THE EXAMINATION ENVELOPE.

Hall Instructions: Standard Calculators: N; Non-Standard Calculators: N

Malware, COMP0060 (A7U,A7P) Main Summer Exam Period, 2018-19
Suitable for Cohorts: 2018/19, 2017/18
This paper consists of FOUR questions worth a total of 100 marks. Answer ALL FOUR questions. This paper is suitable for resit students.
Marks for each part of each question are indicated in square brackets. Calculators are NOT permitted.

1. a. Explain what a keyword tree is and what it is used for.
b. Draw a keyword tree for the keywords "may", "exam", "timer", "holiday", "daytime". Include failure links.
c. You have created a keyword tree for keywords that appear in known malicious software and another keyword tree for keywords that appear in known benign software.
How can you use the two trees to classify an unknown piece of software?
d. How can a malware author evade the classification described in the previous question, when
1. the author knows the keywords in both trees.
2. the author does not know the keywords in the trees.
e. Now consider the 1260 Virus.
i. Describe two operations that make the 1260 Virus decryptor polymorphic.
ii. Describe how you would use the keyword tree approach to detect instances of the 1260 Virus. Discuss how you would extract keywords by using disassembly and which keywords the tree(s) would contain. How many keywords of the keyword tree(s) need to be matched?
iii. Why are the two operations from question (i) not effective against your keyword tree based detection approach?
[Total for Question 1: 25 marks]

2. Consider malware that is packed or encrypted.
a. i. How is a dynamic defence predicate useful to the writer of packed malware? [2 marks]
ii. Describe both a simple dynamic defence predicate scheme and a data based dynamic defence predicate scheme and illustrate them using example control flow graphs.
iii. Define a transition point for a packed malware execution trace and informally explain how a transition point may be used to create a dynamic unpacker for packed malware, P.
b. Consider the formal definition below of the soundness of a malware detector that uses an obfuscation reversing abstraction, $\alpha_O$, with respect to a set of obfuscations $\mathcal{O}$.
A semantic malware detector on $\alpha_O$ is sound for $\mathcal{O}$ if and only if:
$$\forall\, lab_r[\![P]\!] \in \wp(lab[\![P]\!]) :\ \alpha_O \circ \alpha_e(\mathcal{T}[\![M]\!]) \subseteq \alpha_O \circ \alpha_e \circ \alpha_r(\mathcal{T}[\![P]\!]) \implies \exists\, O \in \mathcal{O} : O(M) \hookrightarrow P$$
where $lab_r[\![P]\!]$ is a subset of the set of labels occurring in the semantics of program P; $\mathcal{T}[\![M]\!]$ is the set of all traces produced by a malware, M; and $\mathcal{T}[\![P]\!]$ is the set of all traces produced by P.
i. Explain the idea behind an obfuscation reversing abstraction, $\alpha_O : \wp(\Sigma^*) \to A$ for suitable abstract domain A.
ii. Explain the definition of soundness in your own words.
c. i. Give the definition of the Normalised Compression Distance and explain its relationship to Kolmogorov Complexity.
ii. What is the main idea in the argument that Kolmogorov complexity is independent of any specific description language and what is the practical consequence of this? [2 marks]
[Total for Question 2: 25 marks]
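Worked example for the Normalised Compression Distance part of this question, added here as an illustration and not part of the exam paper. Kolmogorov complexity K(x) is not computable, so in practice the length C(x) of a real compressor's output stands in for it, and NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)). The code below computes NCD with zlib and uses it to place an unknown sample next to the closest known family. The "samples" are constructed pseudo-random byte strings (and a byte-flipped variant of one of them), not real binaries; the family names are arbitrary.

```python
import random
import zlib


def c(data: bytes) -> int:
    """Compressed length: the computable stand-in for Kolmogorov complexity K(data)."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalised Compression Distance between two byte strings (near 0: similar, near 1: unrelated)."""
    cx, cy = c(x), c(y)
    return (c(x + y) - min(cx, cy)) / max(cx, cy)


def nearest_family(sample: bytes, families: dict) -> tuple:
    """Return (family name, distance) for the known family closest to sample under NCD."""
    name = min(families, key=lambda k: ncd(sample, families[k]))
    return name, ncd(sample, families[name])


def _blob(seed: int, n: int = 4000) -> bytes:
    """Constructed pseudo-random bytes standing in for a malware body (assumption, not real data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


FAMILY_A = _blob(1)
FAMILY_B = _blob(2)
# A constructed variant of family A: the same bytes with one in every 64 inverted,
# as a crude stand-in for a mutated member of the family.
VARIANT_A = bytes(b ^ 0xFF if i % 64 == 0 else b for i, b in enumerate(FAMILY_A))


if __name__ == "__main__":
    print("NCD(A, A)        =", round(ncd(FAMILY_A, FAMILY_A), 3))
    print("NCD(A, variant)  =", round(ncd(FAMILY_A, VARIANT_A), 3))
    print("NCD(A, B)        =", round(ncd(FAMILY_A, FAMILY_B), 3))
    print("nearest family for the variant:", nearest_family(VARIANT_A, {"A": FAMILY_A, "B": FAMILY_B}))
```

Two things the numbers show that the definition alone does not: the distance is only as good as the compressor (a compressor whose window is smaller than the concatenation cannot see the shared material, so C(xy) stays close to C(x) + C(y)), and NCD can exceed 1 slightly because a real compressor has per-stream overhead, which is the practical face of the "up to an additive constant" that makes K independent of the description language.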

3. This question is about constructing abstract interpretations of programs. All question parts relate to the following code fragment, call it F, with identified program points.

    p0: x = 0;
    p1: while ( y > 0 ) {
    p2:     y = y + 7;
    p3:     x = x * y;
        }

where x and y are of type Int.
a. It is known that the malware payload is triggered by a positive integer value (a timer). Define a Galois connection suitable for analysing the property positive/non-positive for the two numeric data variables in program fragment F. Let pos be the property that a number is positive, npos that it is not. Formally describe the concrete and abstract lattices and the concretisation and abstraction maps between them. Make sure you give the type of each map and its complete definition.
b. Given the following concrete transfer functions for F, use your Galois connection to soundly define the corresponding abstract transfer functions. (N.B. $(u, v)$ stands for $(x = u, y = v)$ and concrete traces containing $\bot$ cannot occur.)
1. $f_0 : p_0 \to p_1$, with $f_0((u, v)) = (0, v)$
2. $f_1 : p_1 \to p_2$, with $f_1((u, v)) = (u, v)$ if $v > 0$; $\bot$ otherwise
3. $f_2 : p_1 \to \mathit{exit}$, with $f_2((u, v)) = (u, v)$ if $v \le 0$; $\bot$ otherwise
4. $f_3 : p_2 \to p_3$, with $f_3((u, v)) = (u, v + 7)$
5. $f_4 : p_3 \to p_1$, with $f_4((u, v)) = (u \times v, v)$
c. For each program point in F give the flow equations that calculate the abstract value that attaches to that point in terms of the abstract values at each immediate predecessor point and the abstract transfer functions between the points. Assume that any values for x and y may occur in the initial state at p0.
d. Briefly describe how to automate the complete analysis using the flow equations. Does informal inspection of the program tell you whether either variable can be ruled out as a trigger? [3 marks]
[Total for Question 3: 25 marks]
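Worked example for parts (a) to (d), added here as an illustration and not part of the exam paper. It uses the sign lattice {bot, pos, npos, top} with the abstraction map alpha : P(Int) -> A and the concretisation gamma : A -> P(Int), treats the two variables as an independent (non-relational) pair of abstract values, derives each abstract transfer function as the best abstraction alpha(f(gamma(a))) of the concrete one, and iterates the flow equations to a fixpoint. Two assumptions are made explicit in the code: the loop guard direction follows the transfer functions f1 and f2 (v > 0 enters the loop), and gamma is sampled on a finite window of integers, which is enough for sign reasoning about v + 7 and u * v.

```python
"""Sign (pos / npos) abstract interpretation of fragment F, driven by its flow equations."""

BOT, POS, NPOS, TOP = "bot", "pos", "npos", "top"   # abstract lattice: bot < pos, npos < top


def join(a, b):
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP


def meet(a, b):
    if a == TOP:
        return b
    if b == TOP:
        return a
    return a if a == b else BOT


def alpha(values):
    """Abstraction map alpha : P(Int) -> {bot, pos, npos, top}."""
    values = set(values)
    if not values:
        return BOT
    if all(n > 0 for n in values):
        return POS
    if all(n <= 0 for n in values):
        return NPOS
    return TOP


def gamma(a, bound=20):
    """Concretisation gamma : A -> P(Int), sampled on [-bound, bound].

    Assumption: the finite window suffices because the sign of v + 7 and of u * v
    over it already exhibits every case the full concretisation would.
    """
    ints = range(-bound, bound + 1)
    return {BOT: set(), POS: {n for n in ints if n > 0},
            NPOS: {n for n in ints if n <= 0}, TOP: set(ints)}[a]


# Abstract transfer functions, each the best abstraction alpha o f o gamma of the
# concrete one.  An abstract state is a pair (x#, y#); None is the unreachable state.
def f0(s):  # p0 -> p1 : x = 0
    ax, ay = s
    return (alpha({0}), ay)


def f1(s):  # p1 -> p2 : guard y > 0 holds (assumption: guard direction as in f1/f2)
    ax, ay = s
    g = meet(ay, POS)
    return None if g == BOT else (ax, g)


def f2(s):  # p1 -> exit : guard fails, y <= 0
    ax, ay = s
    g = meet(ay, NPOS)
    return None if g == BOT else (ax, g)


def f3(s):  # p2 -> p3 : y = y + 7
    ax, ay = s
    return (ax, alpha({v + 7 for v in gamma(ay)}))


def f4(s):  # p3 -> p1 : x = x * y
    ax, ay = s
    return (alpha({u * v for u in gamma(ax) for v in gamma(ay)}), ay)


def lift(f):
    return lambda s: None if s is None else f(s)


def join_state(s, t):
    if s is None:
        return t
    if t is None:
        return s
    return (join(s[0], t[0]), join(s[1], t[1]))


def analyse(init=(TOP, TOP)):
    """Iterate the flow equations to their least fixpoint; any x, y may occur at p0."""
    F0, F1, F2, F3, F4 = map(lift, (f0, f1, f2, f3, f4))
    A = {"p0": init, "p1": None, "p2": None, "p3": None, "exit": None}
    while True:
        new = {
            "p0": A["p0"],
            "p1": join_state(F0(A["p0"]), F4(A["p3"])),   # loop entry joined with the back edge
            "p2": F1(A["p1"]),
            "p3": F3(A["p2"]),
            "exit": F2(A["p1"]),
        }
        if new == A:        # the lattice is finite and every f# is monotone, so this terminates
            return A
        A = new


def may_be_positive(result, var):
    """Can var hold a positive value at any point after its initialisation (p1 onwards)?"""
    i = 0 if var == "x" else 1
    return any(s is not None and s[i] in (POS, TOP)
               for pt, s in result.items() if pt != "p0")


if __name__ == "__main__":
    for point, state in analyse().items():
        print(point, state)
```

The fixpoint gives x the value npos at every point after p0, so x can be ruled out as the timer trigger even though the abstraction loses that x is in fact always exactly 0; y is pos inside the loop and npos at the exit, so it cannot be ruled out. The same x result is what informal inspection of x = 0 followed by x = x * y suggests, which is the check part (d) asks for.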

4. a. Recall the definition of syntactic obfuscation that Dr. Barr presented in lecture.
i. Formally state this definition.
ii. Explain why its semantics constraint does not use standard, referential equality. [3 marks]
b. i. Define multiset intersection.
ii. Define an intersection operator for sequences.
iii. How might one use an intersection operator over sequences in the context of malware detection?
c. In lecture, you learned about a technique by Sharif et al. for detecting and automatically reverse engineering malware that uses a polymorphic virtual machine to hide itself.
i. Explain how Sharif et al.'s technique works.
ii. Devise a defence against Sharif et al.'s interpreter finding technique.
[Total for Question 4: 25 marks]
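Worked example for part (b), added here as an illustration and not part of the exam paper. It defines multiset intersection (each element keeps the smaller of its two multiplicities) and one reasonable intersection operator over sequences, the longest common subsequence, which keeps the elements both sequences share in an order both agree on; the lecture's own definition may differ, so the choice is an assumption. It then uses the sequence operator the way part (b)(iii) asks about: scoring how much of a known malware's instruction sequence survives, in order, inside an unknown sample. The instruction mnemonic sequences are constructed, not real disassembly.

```python
from collections import Counter


def multiset_intersection(a, b):
    """Multiset intersection: each element keeps min(multiplicity in a, multiplicity in b).

    Equivalent to Counter(a) & Counter(b); written out to show the definition.
    """
    ca, cb = Counter(a), Counter(b)
    return Counter({k: min(ca[k], cb[k]) for k in ca if k in cb})


def sequence_intersection(s, t):
    """Order-preserving intersection of two sequences: a longest common subsequence.

    Assumption: this is one reasonable choice of sequence intersection operator.
    Unlike the multiset version it is sensitive to order, so 'xor' before 'inc'
    and 'inc' before 'xor' are not the same thing.
    """
    n, m = len(s), len(t)
    # L[i][j] = length of the LCS of s[i:] and t[j:]
    L = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if s[i] == t[j]:
                L[i][j] = L[i + 1][j + 1] + 1
            else:
                L[i][j] = max(L[i + 1][j], L[i][j + 1])
    # Walk the table from the front to recover one LCS, not just its length.
    out, i, j = [], 0, 0
    while i < n and j < m:
        if s[i] == t[j]:
            out.append(s[i])
            i += 1
            j += 1
        elif L[i + 1][j] >= L[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def signature_score(sample_ops, signature_ops):
    """Fraction of a signature's instruction sequence recovered, in order, from a sample."""
    return len(sequence_intersection(sample_ops, signature_ops)) / len(signature_ops)


# Constructed mnemonic sequences (illustration only): a decryptor-loop signature, a
# sample with junk instructions inserted between the signature's instructions, and a
# benign sample that merely shares the common 'mov'.
SIGNATURE = ["mov", "xor", "inc", "cmp", "jne"]
JUNK_PADDED = ["push", "mov", "nop", "xor", "mov", "inc", "cmp", "nop", "jne", "pop"]
BENIGN = ["push", "mov", "call", "mov", "ret"]


if __name__ == "__main__":
    print("multiset:", dict(multiset_intersection(JUNK_PADDED, SIGNATURE)))
    print("sequence:", sequence_intersection(JUNK_PADDED, SIGNATURE))
    print("score(junk padded) =", signature_score(JUNK_PADDED, SIGNATURE))
    print("score(benign)      =", signature_score(BENIGN, SIGNATURE))
```

The junk-padded sample still recovers the whole signature in order, which is the point of using a sequence intersection rather than a byte-exact match against code that inserts garbage instructions; the benign sample only recovers the ubiquitous 'mov'. The multiset version would give the same counts for a sample that reordered the signature's instructions, so it detects less but is cheaper and survives instruction reordering, a trade-off part (b)(iii) invites you to discuss.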
