Concolic Execution as a General Method of Determining Local Malware Signatures
Aubrey Alston

TL;DR
This paper investigates using concolic execution to reverse-engineer malware signature databases but finds current tools are too limited for practical implementation, highlighting challenges in malware privacy preservation.
Contribution
It explores the potential of concolic execution for malware signature extraction and evaluates the limitations of existing tools in this context.
Findings
Current concolic execution tools are inadequate for reverse-engineering malware signatures.
Obfuscation alone may not suffice to protect malware databases against such analysis.
Practical secure obfuscation remains a major challenge for malware privacy.
Abstract
A commonly shared component of antivirus suites is a local database of malware signatures that is used during the static analysis process. Despite possible encryption, heuristic obfuscation, or attempts to hide this database from malicious end-users (or competitors), a currently unavoidable eventuality for offline static analysis is a need to use the contents of the database in local computation to detect malicious files. This work serves as a preliminary exploration of the use of concolic execution as a general-case technique for reverse-engineering malware signature database contents: indeed, the existence of a practical technique to such an end would certainly require the use of true (in the sense of provable security) obfuscation in order for malware databases to remain private against capable attackers, a major obstacle given the scarcity of truly practical secure obfuscation…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Cryptographic Implementations and Security
