600.643 - Group 2 Report Hiding Code
Authors
Abstract
Though many techniques for finding malicious code have been developed, we found few publicized techniques for creating and hiding malicious code. Traditional malicious code examples include viruses, trojans, and worms, but we define malicious code to be any code that does not behave as the user intended. Our goal is to analyze current methods for the creation and hiding of malicious code and to develop novel programmatic methods for creating malicious code and hiding it. To analyze current methods, we began by searching for existing malicious code hiding tools, but in addition to the paucity of papers on malicious code hiding, we found no existing tools. We hypothesize that the lack of code hiding tools is indicative of the nature of this work: attackers do not want their techniques known, because malicious code detection programs would be adjusted and customized to find those attacks. Though a few articles discuss hiding malicious code in binaries, we limit our work to the source code level.

From our research, we found several general categories of code hiding techniques: steganography, plausible deniability, human fallibility, and machine fallibility. Steganography involves hiding malicious code in files other than source code files, while plausible deniability focuses on injecting vulnerabilities that could simply be human error. Human fallibility exploits human expectations, and machine fallibility uses known malicious code detection tools to tailor malicious code hiding methods to escape detection. Code interpretation in general is undecidable, making the development of good generalized malicious code injection tools extremely challenging.

Our tool design began by using the last technique, machine limitations. We examined methods for finding malicious code and developed techniques to escape detection. Our first tool, All Your Stacks Are Belong To Us, aims to subvert ITS4 [7]. It analyzes source code for possible buffer overflow locations, determines the most dense areas of source code (presumably the most difficult areas for humans to analyze and understand), and in those areas minimally changes code to produce overflows. The inspiration for our second tool comes from a combination of the results from static analysis tools and the second technique, plausible deniability. These static analysis tools report unsafe function calls that could produce vulnerabilities. Our second tool, Captain Careless, searches for safe function calls and replaces them with their unsafe counterparts, removes restrictive permission calls, and replaces permission checks with a constant value of 1, meaning success. Lastly, we propose extensions to our tools and an additional method for developing code hiding tools using abstract syntax trees.
Similar resources
Information Hiding Method Using Best DCT and Wavelet Coefficients and Its Watermark Competition
In recent years, information hiding and its evaluation criteria have been developed by the IHC (Information Hiding and its Criteria) Committee of Japan. This committee was established in 2011 with the aim of establishing standard evaluation criteria for robust watermarks. In this study, we developed an information hiding method that satisfies the IHC evaluation criteria. The proposed method use...
Relationship between Correcting Code and Module Technique in Hiding Secret Data
In this paper, we show the role of modules over rings of finite characteristics in data hiding area. Applications of correcting codes and covering functions in data hiding are shown as special cases of our module approach. Applications of modules over rings of characteristic 2 to design new embedding schemes for hiding secret data in binary images are introduced.
Data Security through Qr Code Encryption and Steganography
The art of information hiding has become an important issue in the recent years as security of information has become a big concern in this internet era. Cryptography and Steganography play major role for secured data transfer. Steganography stands for concealed writing; it hides the message inside a cover medium. Cryptography conceals the content of a message by encryption. QR (Quick Response)...
Hiding Inside HTML and Other Source Codes
Many steganographic techniques [1] [2] [3] [4] were proposed for hiding secret message inside images, the simplest of them being the LSB data hiding [6] [7] [8] [9] [10], [11]. In this paper, we suggest a novel data hiding technique in an Html Web page [12] and also propose some simple techniques to extend the embedding technique to source codes written in any programming language (both case in...
Enantioselective decomposition of chiral alkyl bromides on Cu(643): Effects of moving the chiral center
The enantioselective surface chemistry of two chiral alkyl halides, S-1-bromo-2-methylbutane and R-2-bromobutane, have been compared on the naturally chiral Cu(643) surfaces. Temperature programmed reaction spectroscopy was used to quantify the yields of the various decomposition products during heating. A fraction of the adsorbed alkyl bromides desorb intact while the remainder decomposes by d...