CR, May 16, 2017

Concolic Execution as a General Method of Determining Local Malware Signatures

arXiv:1705.05514v1 (1 citation)
AI Analysis

This is an incremental exploration in antivirus security, highlighting a practical obstacle for attackers and the need for secure obfuscation.

The paper tackles the problem of reverse-engineering malware signature databases using concolic execution, but finds that existing tools have severe limitations that prevent this strategy from being realized.

A commonly shared component of antivirus suites is a local database of malware signatures that is used during the static analysis process. Despite possible encryption, heuristic obfuscation, or attempts to hide this database from malicious end users (or competitors), a currently unavoidable eventuality for offline static analysis is the need to use the contents of the database in local computation to detect malicious files. This work serves as a preliminary exploration of the use of concolic execution as a general-case technique for reverse-engineering malware signature database contents: indeed, the existence of a practical technique to such an end would certainly require the use of true (in the sense of provable security) obfuscation in order for malware databases to remain private against capable attackers, a major obstacle given the scarcity of truly practical secure obfuscation constructions. Our work, however, only shows that existing tools (at the time of this report) for concolic execution have severe limitations which prevent the realization of this strategy.
