Building Capability to Defend Against Malware
Malicious code, or malware, is a piece of software that runs without the user's explicit consent and maybe without the user's knowledge. Historically, malware has caused nuisance-type results, such as delivering unwanted content. In the last decade or so, more malware has focused on committing crime, such as stealing an identity or taking control of a computer.
For malware analysts, a significant challenge derives from the fact that malware rarely has source code available. Analysts must grapple with sophisticated data structures exclusively at the machine code level.
To help analyze malware, CERT researchers at the SEI are developing a suite of binary static program analysis tools based on a framework called Pharos. This framework is built on top of the Lawrence Livermore National Laboratory (LLNL) ROSE compiler infrastructure. The Pharos tool suite includes many extensions to the binary analysis features of ROSE that the SEI has jointly developed with LLNL. The Pharos tools use static analysis techniques, such as control flow analysis and dataflow analysis, to reason about the behavior of data structures in binary files.
In 2014, the SEI's CERT Division completed research to eliminate bottlenecks in the process of deriving actionable insights by automating tasks and providing more semantically rich abstractions used by a malware analyst.