
Extracting ICS Models From Malware Via Concolic Analysis

Supervisor(s): Fabian Franzen
Status: finished
Topic: Others
Author: Fabian Kilger
Submission: 2020-07-15
Type of Thesis: Master's thesis

Description

While there has been significant progress in automated malware analysis, prior work has focused mostly on programs written in C/C++. Advanced malware such as Triton, however, also employs Python, which poses additional challenges for automated malware analysis. Motivated by this example, we design and implement a concolic execution framework that extracts models of the targeted industrial control system (ICS) from the Python malware's communication with that system. Our approach first transforms the Python malware to C and then uses a symbolic execution engine to analyze the resulting C code. We demonstrate the functionality of our framework on a set of test programs and evaluate it on two ICS-related samples, including the Triton malware. Finally, we discuss how the results of our analysis can be used to identify the ICS potentially targeted by a Python malware sample.
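The following is an added toy illustration of the core idea behind the approach described above; it is not code from the thesis and does not reproduce its Python-to-C translation or the symbolic execution engine it uses. The "malware" fragment, the three-byte response format (status, major firmware version, controller model) and the expected values are all constructed for this example and have nothing to do with real Triton code. Response bytes coming back from the ICS are treated as symbolic: the program runs concretely, every comparison of a response byte against a constant is logged as a path constraint, and a generational search flips branches one at a time to reach the other paths. The path conditions under which the malware continues its attack are then exactly the model of the controller it is looking for.

```python
# Added toy concolic executor (not the thesis framework). The malware logic and
# the response layout below are constructed for illustration only.

TRACE = []  # path condition of the current run: (byte_index, op, constant, taken)

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, ">=": lambda a, b: a >= b}
_NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<"}


class SymByte:
    """One byte of the ICS response: a concrete value for execution plus a log of
    every comparison against a constant (only constant comparisons are modelled)."""
    __slots__ = ("idx", "val")

    def __init__(self, idx, val):
        self.idx, self.val = idx, val

    def _cmp(self, op, other):
        taken = _OPS[op](self.val, int(other))
        TRACE.append((self.idx, op, int(other), taken))
        return taken  # execution stays concrete; only the constraint is recorded

    def __eq__(self, other): return self._cmp("==", other)
    def __ne__(self, other): return self._cmp("!=", other)
    def __lt__(self, other): return self._cmp("<", other)
    def __ge__(self, other): return self._cmp(">=", other)


def malware_target_check(resp):
    """Constructed stand-in for a malware's target fingerprinting on a 3-byte reply
    (status, major firmware version, controller model). Not real Triton code."""
    if resp[0] != 0x01:
        return "abort: error status"
    if resp[1] < 0x04:
        return "abort: firmware too old"
    if resp[2] == 0x2A or resp[2] == 0x2B:
        return "proceed: inject payload"
    return "abort: unsupported model"


def run(resp_bytes):
    """Concrete run with symbolic shadow values; returns (outcome, path condition)."""
    TRACE.clear()
    outcome = malware_target_check([SymByte(i, v) for i, v in enumerate(resp_bytes)])
    return outcome, list(TRACE)


def _satisfies(value, constraints):
    return all(_OPS[op](value, c) == taken for op, c, taken in constraints)


def solve(prefix, branch, base):
    """Return a response that keeps every constraint in `prefix` but flips `branch`,
    or None if impossible. Each constraint involves one byte, so instead of an SMT
    solver the 256 candidate values of the affected byte are simply enumerated."""
    wanted = {}
    for idx, op, c, taken in prefix:
        wanted.setdefault(idx, []).append((op, c, taken))
    idx, op, c, taken = branch
    wanted.setdefault(idx, []).append((op, c, not taken))
    candidate = list(base)
    for i, constraints in wanted.items():
        if _satisfies(candidate[i], constraints):
            continue
        fitting = [v for v in range(256) if _satisfies(v, constraints)]
        if not fitting:
            return None
        candidate[i] = fitting[0]
    return candidate


def explore(seed):
    """Generational search: from every newly found path, flip each branch in turn."""
    worklist, seen, paths = [list(seed)], set(), []
    while worklist:
        resp = worklist.pop(0)
        outcome, trace = run(resp)
        if tuple(trace) in seen:
            continue
        seen.add(tuple(trace))
        paths.append((tuple(resp), outcome, trace))
        for k in range(len(trace)):
            child = solve(trace[:k], trace[k], resp)
            if child is not None:
                worklist.append(child)
    return paths


def extract_model(paths):
    """Keep only the path conditions under which the malware continues its attack:
    these describe the responses, and hence the controller, it expects."""
    return [" and ".join(f"resp[{i}] {op if taken else _NEGATE[op]} {c:#04x}"
                         for i, op, c, taken in trace)
            for _resp, outcome, trace in paths if outcome.startswith("proceed")]


if __name__ == "__main__":
    for condition in extract_model(explore([0, 0, 0])):
        print(condition)
```

Starting from an all-zero seed response, the search reaches all five paths of the constructed check and reports two conditions under which the attack proceeds, one per supported controller model. A real engine differs mainly in scale: constraints span many bytes and arithmetic, so an SMT solver replaces the per-byte enumeration, and the symbolic values originate from the translated C code rather than from a wrapper class in the interpreter.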