Makoto Iwamura’s research while affiliated with NTT DATA Corporation and other places


Publications (24)


Figures: Fig. 1 Stolen Code; Fig. 2 Copied API obfuscation; Table 2 Results of disk forensics integration experiment.
Taint-assisted IAT Reconstruction against Position Obfuscation
  • Article
  • Full-text available

December 2018 · 47 Reads · 2 Citations · Journal of Information Processing

Makoto Iwamura · Jun Miyoshi

Windows Application Programming Interface (API) is an important data source for analysts to effectively understand the functions of malware. Due to this, malware authors are likely to hide the imported APIs in their malware by taking advantage of various obfuscation techniques. In this paper, we first build a formal model of the Import Address Table (IAT) reconstruction procedure to keep our description independent of specific implementations and then formally point out that the current IAT reconstruction is vulnerable to position obfuscation techniques, which are anti-analysis techniques obfuscating the positions of loaded APIs or Dynamic Link Libraries (DLLs). Next, we introduce an approach for API name resolution, which is an essential step in IAT reconstruction, on the basis of taint analysis to defeat position obfuscation techniques. The key idea of our approach is that we first define taint tags, each of which has a unique value for each API, apply the taint of the API to each of its instructions, track the movement of the API instructions by propagating the tags, and then resolve API names from the propagated tags for IAT reconstruction after acquiring a memory dump of the process under analysis. Finally, we experimentally demonstrate that a system in which our proposed API name resolution has been implemented enables us to correctly identify imported APIs even when malware authors apply various position obfuscation techniques to their malware.


Fig. 1 Three patterns of API redirection. The top is the case of a normal Windows executable before applying API redirection. (a) Pattern in which the reference of the call instruction is modified, (b) that in which the entry of the IAT is modified, and (c) that in which API redirection is conducted with stolen code.
Fig. 2 How Stealth Loader works and its components. (a) The file layout of an executable before Stealth Loader is embedded, (b) that after Stealth Loader is embedded and the components of Stealth Loader are also described, and (c) the process memory layout after Bootstrap resolves the dependencies of an executable and stealth-loaded DLLs.
Stealth Loader: Trace-free Program Loading for Analysis Evasion

September 2018 · 85 Reads · 2 Citations · Journal of Information Processing

Eitaro Shioji · Yuto Otsuki · [...] · Jun Miyoshi

Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This, however, has resulted in an endless battle between malware authors and malware analysts around the development of API [de]obfuscation techniques over the last few decades. Our goal in this paper is to show the limit of existing API de-obfuscation techniques. To do that, we first analyzed existing API [de]obfuscation techniques and clarified that an attack vector commonly exists in these techniques; then, we present Stealth Loader, which is a program loader to bypass all existing API de-obfuscation techniques. The core idea of Stealth Loader is to load a dynamic link library (DLL) and resolve its dependency without leaving any traces on memory to be detected. We demonstrated the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools. The results indicate that among other obfuscation tools, only Stealth Loader is able to successfully bypass all analysis tools.


Building stack traces from memory dump of Windows x64

March 2018 · 1,497 Reads · 14 Citations · Digital Investigation

Stack traces play an important role in memory forensics as well as program debugging. This is because stack traces provide a history of executed code in a malware-infected host and this history could become a clue for forensic analysts to uncover the cause of an incident, i.e., what the malware has actually done on the host. Nevertheless, existing research and tools for building stack traces for memory forensics are not well designed for x64 environments, even though they have already become the most popular environment. In this paper, we introduce the design and implementation of our method for building stack traces from a memory dump of the Windows x64 environment. To build a stack trace, we retrieve a user context of the target thread from a memory dump for determining the start point of a stack trace, and then emulate stack unwinding referencing the metadata for exception handling for building the call stack of the thread. Even if the metadata are unavailable, which often occurs in the case of malicious software, we manage to produce the equivalent data by scanning the stack with a flow-based verification method. In this paper, we discuss the evaluation of our method through comparing the stack traces built with it with those built with WinDbg to show the accuracy of our method. We also explain some case studies using real malware to show the practicability of our method.


Stealth Loader: Trace-Free Program Loading for API Obfuscation

October 2017 · 208 Reads · 10 Citations · Lecture Notes in Computer Science

Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This, however, has resulted in an endless battle between malware authors and malware analysts around the development of API [de]obfuscation techniques over the last few decades. Our goal in this paper is to show a limit of existing API de-obfuscations. To do that, we first analyze existing API [de]obfuscation techniques and clarify an attack vector that commonly exists in API de-obfuscation techniques, and then we present Stealth Loader, which is a program loader using our API obfuscation technique to bypass all existing API de-obfuscations. The core idea of this technique is to load a dynamic link library (DLL) and resolve its dependency without leaving any traces on memory to be detected. We demonstrate the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools and techniques. The result shows that among other obfuscation techniques, only Stealth Loader is able to successfully bypass all analysis tools and techniques.


POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity

October 2016 · 89 Reads · 6 Citations

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of operating systems. It is currently used in malicious documents that exploit viewer applications and cause malware infection. For inspecting a large number of commonly handled documents, high-performance and flexible-detection methods are required. However, current solutions are either time-consuming or less precise. In this paper, we propose a novel method for statically detecting ROP chains in malicious documents. Our method generates a hidden Markov model (HMM) of ROP chains as well as one of benign documents by learning known malicious and benign documents and libraries used for ROP gadgets. Detection is performed by calculating the likelihood ratio between malicious and benign HMMs. In addition, we reduce the number of false positives by ROP chain integrity checking, which confirms whether ROP gadgets link properly if they are executed. Experimental results showed that our method can detect ROP-based malicious documents with no false negatives and few false positives at high throughput.


API Chaser: Anti-analysis Resistant Malware Analyzer

October 2013 · 78 Reads · 25 Citations · Lecture Notes in Computer Science

API (Application Programming Interface) monitoring is an effective approach for quickly understanding the behavior of malware. It has been widely used in many malware countermeasures as their base. However, malware authors are now aware of the situation and they develop malware using several anti-analysis techniques to evade API monitoring. In this paper, we present our design and implementation of an API monitoring system, API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g. stolen code and code injection. We have evaluated API Chaser with several real-world malware samples and the results showed that API Chaser is able to correctly capture API calls invoked from malware without being evaded.


Code shredding: Byte-granular randomization of program layout for detecting code-reuse attacks

December 2012 · 119 Reads · 25 Citations

Code-reuse attacks by corrupting memory address pointers have been a major threat to software for many years. There have been numerous defenses proposed for countering this threat, but the majority of them impose strict restrictions on software deployment such as requiring recompilation with a custom compiler, or causing integrity problems due to program modification. One notable exception is ASLR (address space layout randomization), which is a widespread defense free of such burdens, but is also known to be penetrated by a class of attacks that takes advantage of its coarse randomization granularity. Focusing on minimizing randomization granularity while also possessing these advantages of ASLR to the greatest extent, we propose a novel defensive approach called code shredding: a defensive scheme based on the idea of embedding the checksum value of a memory address as a part of itself. This simple yet effective approach hinders designation of the specific addresses used in code-reuse attacks, by giving attackers an illusion of program code shredded into pieces at byte granularity and dispersed randomly over memory space. We show our design and implementation of a proof-of-concept prototype system for the Windows platform and the results from several experiments conducted to confirm its feasibility and performance overheads.


Detection, Analysis, and Countermeasure Technologies for Cyber Attacks from Evolving Malware

October 2012 · 14 Reads · 3 Citations · NTT Technical Review

After outlining trends in cyber attacks mounted mainly through the use of malicious software (malware), we describe technology for detecting malware infections and isolating infection sources and technology for analyzing malware and extracting the features of its functions; describe how information obtained from detection and analysis can be used by countermeasure technology to generate blacklists and defend against attacks on the network; and describe analysis techniques for tracing attacks by using logs kept by network devices.


Controlling malware HTTP communications in dynamic analysis system using search engine

October 2011 · 77 Reads · 27 Citations

Malware is one of the most serious threats on the Internet. Countermeasures have been developed, but still many users are infected. Detecting and preventing communication by infected users from the network side would effectively mitigate the threats of malware. For this, we need to collect information about the destinations or payloads of malware communication. Dynamic analysis is usually used to obtain this information. Since some malware requires access to the Internet, e.g., bots and downloaders, the dynamic analysis environment must connect to the Internet. Recently developed malware communicates with remote hosts by HTTP protocol for not only command-and-control (C&C) or malware downloading but also attacks. For secure dynamic analysis in an environment with Internet connectivity, it is necessary to determine if the destination is for C&C or malware downloading and to only allow connection to these servers. We propose a dynamic analysis system with Internet connection that controls HTTP communication by using a search engine. To control HTTP connections, we built a classifier using a support vector machine based on the assumption that sites for C&C or malware downloading, for example, are harder to find and have a lower backlink count than benign sites. Our classifier, which is trained on popular URLs and URLs based on malware analysis, has 99.69% cross-validation accuracy. We evaluated other known benign popular sites with our classifier, and they were all classified as benign. Our evaluation confirms that our classifier can distinguish benign sites, so the proposed dynamic analysis system is effective for safe analysis in an environment with Internet connection.


Towards Efficient Analysis for Malware in the Wild

July 2011 · 22 Reads · 6 Citations

We propose two novel techniques for reducing the workload for malware analysis. The first technique is restricted instruction, which accelerates finding the longest common subsequence (LCS) between machine code instruction sequences of malware. The second technique is probabilistic disassembly, which can find the most probable disassembly result of a binary stream without a clue, such as debug symbols or the information of import functions. By combining the two proposals and our generic unpacker, we built an automatic malware classification system. Given an unknown malware program, the system enables malware analysts to find the most similar known malware program to this unknown one, and even estimate different/common instructions. In one of our experiments, we classified 3,233 malware samples in the wild and concluded that 75% of the samples belong to the seven largest clusters. As a result, only seven samples, one from each cluster, were required to be analyzed in order to reveal the functionality of the rest of the 75%, showing a great increase in efficiency of analysis.


Citations (22)


... To improve the defense and countermeasures against cyberattacks, we are developing the following technologies in response to the sophistication of cyberattacks: advanced technology for detecting malware in endpoint devices; advanced technology for determining malicious domains; and technology to counter attacks that exploit the psychological weaknesses of users. We are also developing the following technologies in response to the increasing number of cyberattacks: technology for improving operational efficiency and labor-saving technology for security operations [2]. ...

Reference:

R&D on Security Contributing to Creation of New Value
The Forefront of Cyberattack Countermeasures Focusing on Traces of Attacks
  • Citing Article
  • April 2020

NTT Technical Review

... When the data flow reaches a sink point, the simulator knows it. Most works in this area can be divided into three categories: static taint analysis, dynamic taint analysis, and hybrid taint analysis [15][16][17]. As stated in [11], dynamic taint analyses propagate taints when applications are running. ...

Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks
  • Citing Conference Paper
  • October 2022

... Macros can also be treated as Visual Basic scripts. With this respect, Usui et al. [36,37] proposed to trace API calls in scripting languages. Their work aims to be universally suitable for a plethora of scripting languages, including Visual Basic. ...

Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers
  • Citing Article
  • January 2021

Digital Threats Research and Practice

... Researchers train a convolutional neural network (CNN) or recurrent neural network (RNN) respectively based on a customized dataset that consists of benign samples and crafted gadget chains [31][32][33]. ROPminer [34] statically detects ROP chains by learning the orders of ROP components and the byte patterns of each component. The authors build an HMM (Hidden Markov Model) based on exhaustively collecting feasible ROP gadgets in the target libraries. ...

ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
  • Citing Article
  • July 2020

IEICE Transactions on Information and Systems

... The manual process of verifying false positives can be a daunting exercise; therefore, ML algorithms must achieve high performance and minimize false positives. The validation of false positives can also be incorporated into ML algorithms, as emphasized by Otsuki et al. [55]. ...

EIGER: automated IOC generation for accurate and interpretable endpoint malware detection
  • Citing Conference Paper
  • December 2019

... Macros can also be treated as Visual Basic scripts. With this respect, Usui et al. [36,37] proposed to trace API calls in scripting languages. Their work aims to be universally suitable for a plethora of scripting languages, including Visual Basic. ...

My script engines know what you did in the dark: converting engines into script API tracers
  • Citing Conference Paper
  • December 2019

... The frequent appearance of intrusive advertisements also serves as an indicator of a malware infection. Moreover, there may be an unexplained disk space expansion, resulting in a significant loss of storage capacity [47]. Additionally, certain types of malware grant unauthorized access to the attacker, enabling them to download secondary ...

Toward the Analysis of Distributed Code Injection in Post-mortem Forensics
  • Citing Chapter
  • July 2019

Lecture Notes in Computer Science

... In addition, there is research conducted by (Kanemoto et al., 2019) in which they used a shellcode emulation method based on accuracy and performance values. Their aim was to obtain a model that can automatically identify important alerts that provide information about the presence of a security breach in the system. ...

Detecting Successful Attacks from IDS Alerts Based On Emulation of Remote Shellcodes
  • Citing Conference Paper
  • July 2019

... Yuhei et al. [23], [24] proposed a code-tainting-technique-based analyzer, API Chaser, to identify the execution of monitored instructions. API Chaser gave different taint tags to the API, benign, and malware samples. ...

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Journal of Information Processing

...
Call site monitoring: BinUnpack [7], SOK [8], Scylla [9], Eureka [10], RePEc [11], PinDemonium [12], Arancino [13], Arg Prediction [14]
Position monitoring: API Chaser [15], QuietRIATT [16], Secure unpack [17], Taint-assisted [18]
Hybrid monitoring: API-Xray [4], RePEconstruct [19]

Call site monitoring: Figure 2 depicts that the deobfuscation techniques for API call site monitoring follow two steps: (1) Instruction scanning (I in Figure 2), which runs PE files to find possible API call sites in memory, including indirect calls, direct calls, or indirect jumps. (2) Address association (II in Figure 2), which correlates the destination address of a possible call site with the exported API address of the loaded dynamic link library. ...

Taint-assisted IAT Reconstruction against Position Obfuscation

Journal of Information Processing