Differential Slicing: Identifying Causal Execution Differences for Security Applications

A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments....

Bibliographic details
Main authors: Johnson, N. M., Caballero, J., Chen, K. Z., McCamant, S., Poosankam, P., Reynaud, D., Song, D.
Format: Conference proceedings
Language: eng
container_end_page 362
container_issue
container_start_page 347
container_title
container_volume
creator Johnson, N. M.
Caballero, J.
Chen, K. Z.
McCamant, S.
Poosankam, P.
Reynaud, D.
Song, D.
description A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observed difference and the causal path of differences that led from those input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference.
doi_str_mv 10.1109/SP.2011.41
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 1081-6011
ispartof 2011 IEEE Symposium on Security and Privacy, 2011, p.347-362
issn 1081-6011
2375-1207
language eng
recordid cdi_ieee_primary_5958039
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Algorithm design and analysis
Argon
Computer crashes
Indexing
Malware
Resource management
title Differential Slicing: Identifying Causal Execution Differences for Security Applications
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-28T23%3A33%3A36IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Differential%20Slicing:%20Identifying%20Causal%20Execution%20Differences%20for%20Security%20Applications&rft.btitle=2011%20IEEE%20Symposium%20on%20Security%20and%20Privacy&rft.au=Johnson,%20N.%20M.&rft.date=2011-05&rft.spage=347&rft.epage=362&rft.pages=347-362&rft.issn=1081-6011&rft.eissn=2375-1207&rft.isbn=1457701472&rft.isbn_list=9781457701474&rft_id=info:doi/10.1109/SP.2011.41&rft_dat=%3Cieee_6IE%3E5958039%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9780769544021&rft.eisbn_list=0769544029&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=5958039&rfr_iscdi=true