Projects

Here is a list of projects conducted for courses I take at UC Davis.

 

Automated Execution Path Exploration for Dynamic Detection of Evasive Malware

This is a course project conducted with Fangqi Sun for the Computer Security class (ECS 235A).

Abstract: Evasive malware is malicious software whose malicious behavior is triggered only under certain circumstances (for example, after a particular date, or only when no virtual machine or debugger is detected). Manual malware analysis is tedious and does not scale to the large number of new malware samples that appear every day, so various analysis techniques have been proposed to detect malicious behavior automatically. However, static analysis copes poorly with packed or obfuscated binary samples, and most dynamic analysis techniques observe only a single execution path, so behavior guarded by an unsatisfied trigger condition is never seen and the sample is missed (a false negative). In this paper, we propose a dynamic analysis technique that detects evasive malware by automatically exploring multiple execution paths. We run malware samples in a virtual environment and observe the system calls they invoke to detect malicious behavior.
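The path-exploration idea in the abstract, as an added example that is not part of the original page or the project's code: a constructed Python stand-in for a malware sample asks the environment a series of yes/no questions, and an explorer reruns it while forcing alternate answers, recording the "system calls" each run makes. The sample, the probe names and the syscall monitor are assumptions made for the illustration; a real implementation would snapshot the VM at each environment-dependent branch instead of rerunning from the start.

```python
"""Added example (not the project's code): forced exploration of the execution
paths a sample takes depending on environment probes.  The sample, the probe
names and the 'syscall' monitor below are constructed stand-ins for a malware
binary, its environment checks and the system-call trace recorded in the VM."""
from typing import Callable, Dict, List, Set, Tuple

Env = Callable[[str], bool]
Monitor = Callable[[str], None]


def sample(env: Env, syscall: Monitor) -> None:
    """Constructed evasive sample: probes the environment and only runs its
    payload when no sandbox artifact is seen and the trigger date has passed."""
    syscall("open(config)")
    if env("vm_artifact_present"):
        syscall("exit")
        return
    if env("date_after_trigger"):
        syscall("connect(c2)")
        syscall("write(dropper)")
    syscall("exit")


SUSPICIOUS: Set[str] = {"connect(c2)", "write(dropper)"}


def run_once(forced: Tuple[bool, ...] = ()) -> Tuple[List[str], List[str]]:
    """Execute the sample once.  The first len(forced) probes receive the
    forced answers; every later probe gets the default answer False (what an
    ordinary single-path sandbox run would observe).  Returns the probe names
    in the order they were asked and the recorded system calls."""
    probes: List[str] = []
    trace: List[str] = []

    def env(name: str) -> bool:
        i = len(probes)
        probes.append(name)
        return forced[i] if i < len(forced) else False

    sample(env, trace.append)
    return probes, trace


def explore(max_depth: int = 16) -> Dict[Tuple[bool, ...], List[str]]:
    """Depth-first exploration of the probe decision tree.  Each run yields
    the full decision vector that was taken; for every probe that was not
    forced yet, the alternate outcome is scheduled with the same prefix, so
    all combinations of probe answers up to max_depth get executed."""
    results: Dict[Tuple[bool, ...], List[str]] = {}
    worklist: List[Tuple[bool, ...]] = [()]
    while worklist:
        forced = worklist.pop()
        probes, trace = run_once(forced)
        decisions = forced + tuple(False for _ in probes[len(forced):])
        if decisions in results:
            continue
        results[decisions] = trace
        for i in range(len(forced), min(len(probes), max_depth)):
            worklist.append(decisions[:i] + (True,))
    return results


def malicious_paths(results: Dict[Tuple[bool, ...], List[str]]) -> Set[Tuple[bool, ...]]:
    """Decision vectors whose trace contains a suspicious system call."""
    return {d for d, trace in results.items() if SUSPICIOUS & set(trace)}


if __name__ == "__main__":
    _, single = run_once()
    print("single path:", single)
    found = explore()
    for d, t in found.items():
        print(d, t)
    print("malicious paths:", malicious_paths(found))
```

The single default run never reaches `connect(c2)`, which is the false negative the abstract describes; the explorer finds the one decision vector that does. Forcing branch outcomes can also drive the sample down paths no real environment would produce, so a practitioner treats the per-path traces as candidates to confirm rather than as proof of the trigger condition.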

 

Dynamic Detection of Windows Rootkits

This is a course project conducted for the Programming Language class (ECS 240).

Abstract: Stealth rootkits that hide themselves on victim systems have become a major threat to computer systems. They use sophisticated techniques to conceal files, processes, and other activity, which makes their presence extremely hard to detect. Because of its popularity among enterprises and consumers, Microsoft Windows has become an attractive target for rootkit authors. However, current detection techniques are mostly specific to one system version and ineffective against unknown rootkits. In this paper, we present an effective technique to detect rootkits by identifying hidden objects. We propose a cross-view approach: a separate process is dynamically maintained in the system, and objects that appear in one view of the system but are missing from another are reported as hidden. Our approach does not rely on any system-specific data structures and therefore works across system versions. It also does not target any particular hiding technique and is therefore able to detect unknown rootkits. We developed a prototype, XView, and evaluated it on a set of rootkit samples. XView identified the process-hiding behavior of every sample and provided additional information about the hidden processes.
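The cross-view comparison at the core of the approach, as an added example that is not XView's code: two enumerations of the process list are diffed, and a pid that only the low-level enumeration knows about is reported as hidden. The process names, pids and the two collector functions are constructed for the illustration; on a real Windows host the high-level view would come from an API the rootkit is likely to hook (a task-manager-style process list) and the low-level view from a source it is less likely to filter (for instance, a brute-force scan of the pid space), which is an assumption about deployment, not something the abstract specifies.

```python
"""Added example (not XView's code): cross-view detection of hidden processes.
A view is a mapping pid -> process name obtained by one enumeration method.
The views below are constructed sample data; the collector functions stand in
for a user-visible process list and for an independent low-level enumeration."""
from typing import Callable, Dict, List, Optional, Set

View = Dict[int, str]

# Constructed: the user-visible list after a rootkit filtered pid 4242 out of
# it, and the low-level list the rootkit did not tamper with.
HIGH_LEVEL: View = {4: "System", 512: "winlogon.exe", 1300: "explorer.exe", 2100: "notepad.exe"}
LOW_LEVEL: View = {**HIGH_LEVEL, 4242: "svch0st.exe"}


def cross_view_diff(high: View, low: View) -> Set[int]:
    """Pids present in the low-level view but absent from the high-level view.
    The signal does not depend on which hooking technique hides the process,
    only on the rootkit having failed to filter one of the two views."""
    return set(low) - set(high)


def detect_hidden(take_high: Callable[[], View], take_low: Callable[[], View],
                  rounds: int = 3) -> Dict[int, str]:
    """Run the comparison several times and report only pids hidden in every
    round.  The two views are never taken at exactly the same instant, so a
    process that exits between the two snapshots appears in one of them only
    and would be a false positive in a single round."""
    candidates: Optional[Set[int]] = None
    names: Dict[int, str] = {}
    for _ in range(rounds):
        high, low = take_high(), take_low()
        hidden = cross_view_diff(high, low)
        names.update({pid: low[pid] for pid in hidden})
        candidates = hidden if candidates is None else candidates & hidden
    return {pid: names[pid] for pid in sorted(candidates or set())}


def replay(snapshots: List[View]) -> Callable[[], View]:
    """Collector that hands out constructed snapshots in order, repeating the
    last one (stands in for a real enumeration call)."""
    it = iter(snapshots)
    state = {"last": snapshots[-1]}

    def take() -> View:
        state["last"] = next(it, state["last"])
        return state["last"]

    return take


def demo() -> Dict[int, str]:
    # Round 1 also contains pid 3000, a short-lived process that exited before
    # the later rounds; it must not be reported, unlike the really hidden 4242.
    low_rounds = [{**LOW_LEVEL, 3000: "cmd.exe"}, LOW_LEVEL, LOW_LEVEL]
    return detect_hidden(replay([HIGH_LEVEL]), replay(low_rounds))


if __name__ == "__main__":
    print("single round:", cross_view_diff(HIGH_LEVEL, {**LOW_LEVEL, 3000: "cmd.exe"}))
    print("confirmed hidden:", demo())
```

Repeating the comparison is the practical check that separates a hidden process from one that merely terminated between the two snapshots; the name recorded from the low-level view is the kind of additional information the abstract mentions for hidden processes.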

 

A Security Architecture for Protecting Sensitive Information in Memory

This is a course project conducted with Fangqi Sun for the Computer Architecture class (ECS 201A).

Abstract: Information security has become increasingly important in the information age, and the leakage of sensitive information is among the threats of greatest concern to Internet security. This paper presents a security architecture that protects sensitive information in memory against attacks by preventing the misuse of that information and ensuring the integrity of program control flow. Building on previous work, our approach takes advantage of software fault isolation and is therefore sound against runtime attacks. Evaluation with several popular network applications on a full-system emulator shows that the architecture has little performance impact and incurs low runtime overhead.

 

Static Analysis for Detecting Cross-Site Scripting in Java Servlets

This is a course project conducted with Fangqi Sun for the Computer Security class (ECS 235B).

Abstract: Cross-Site Scripting (XSS) is one of the most prevalent web application vulnerabilities, and its impact has grown with the evolution of JavaScript malware. In this paper, we present an approach that statically analyzes Java servlets to find XSS vulnerabilities caused by weak or missing input validation. We statically analyze string values to distinguish trusted substrings (such as string literals in the servlet) from untrusted substrings (such as data taken from the request), so that output containing untrusted substrings can be flagged. The results of our analysis can be used to prevent untrusted scripts from being executed in generated web pages.
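The substring-level trust tracking described in the abstract, as an added example that is not the project's analysis: an abstract string value is a list of segments, each marked trusted (a literal or sanitizer output) or untrusted (request data), concatenation preserves the marks, and a sink check reports whichever untrusted segments would reach the page. The abstract-string model, the parameter names, the `escape` sanitizer and the three page builders are constructed for the illustration; the analysis never looks at runtime values, only at where each part of a string came from.

```python
"""Added example (not the project's analysis): tracking trust at substring
granularity for strings that a servlet writes into its response.  The tiny
abstract-string model, the parameter names and the three page builders are
constructed to illustrate the idea; the analysis never sees runtime values."""
from dataclasses import dataclass
from typing import List, Tuple

Segment = Tuple[str, bool]   # (symbolic text, trusted?)


@dataclass(frozen=True)
class SValue:
    """Abstract string value: an ordered list of segments, each known to be
    trusted (program literal or sanitizer output) or untrusted (request data)."""
    segs: Tuple[Segment, ...]

    @staticmethod
    def literal(text: str) -> "SValue":
        return SValue(((text, True),))

    @staticmethod
    def param(name: str) -> "SValue":
        """Model of request.getParameter(name): a symbolic, untrusted segment."""
        return SValue(((f"${name}", False),))

    def concat(self, other: "SValue") -> "SValue":
        """Model of string concatenation: segments keep their own trust."""
        return SValue(self.segs + other.segs)

    def escaped(self) -> "SValue":
        """Model of an (assumed) HTML-escaping sanitizer: its output is trusted."""
        return SValue(tuple((f"esc({t})", True) for t, _ in self.segs))


def check_sink(value: SValue) -> List[str]:
    """Sink check for out.print(value): list the untrusted substrings that
    would reach the generated page unescaped (empty list = nothing found)."""
    return [t for t, trusted in value.segs if not trusted]


# Constructed servlet fragments expressed in the model above.

def greeting_page() -> SValue:
    # out.print("<h1>Hello " + request.getParameter("name") + "</h1>");
    return (SValue.literal("<h1>Hello ")
            .concat(SValue.param("name"))
            .concat(SValue.literal("</h1>")))


def fixed_greeting_page() -> SValue:
    # out.print("<h1>Hello " + escape(request.getParameter("name")) + "</h1>");
    return (SValue.literal("<h1>Hello ")
            .concat(SValue.param("name").escaped())
            .concat(SValue.literal("</h1>")))


def link_page() -> SValue:
    # Only the label is escaped; the URL is still untrusted.  Substring-level
    # tracking reports exactly the unsafe part instead of the whole string.
    # out.print("<a href='" + url + "'>" + escape(label) + "</a>");
    return (SValue.literal("<a href='")
            .concat(SValue.param("url"))
            .concat(SValue.literal("'>"))
            .concat(SValue.param("label").escaped())
            .concat(SValue.literal("</a>")))


if __name__ == "__main__":
    for page in (greeting_page, fixed_greeting_page, link_page):
        print(page.__name__, "->", check_sink(page()) or "clean")
```

Treating sanitizer output as trusted is only sound for the context the sanitizer was written for: an HTML-body escaper does not make a value safe inside an `href` attribute (a `javascript:` URL survives it), so a practitioner's version of this check would carry the output context alongside the trust mark.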

 

Click here for a list of my previous projects done quite a while ago.