
Binary Analysis for Linux and IoT Malware

Abstract: For the past two decades, the security community has been fighting malicious programs for Windows-based operating systems. However, the increasing number of interconnected embedded devices and the IoT revolution are rapidly changing the malware landscape. Malicious actors did not stand by and watch, but quickly reacted to create "Linux malware", showing an increasing interest in Linux-based operating systems and in platforms running architectures different from the typical Intel CPU. As a result, researchers must react accordingly. Through this thesis, we navigate the world of Linux-based malicious software and highlight the problems that need to be overcome for its correct analysis. After a systematic exploration of the challenges involved in the analysis of Linux malware, we present the design and implementation of the first malware analysis pipeline specifically tailored to study this emerging phenomenon. We use our platform to analyze over 100K samples and collect detailed statistics and insights that can help direct future work. We then apply binary code similarity techniques to systematically reconstruct the lineage of IoT malware families and to track their relationships, evolution, and variants. We show how the free availability of source code resulted in a very large number of variants, often impacting the classification of antivirus systems. Last but not least, we address a major problem we encountered in the analysis of statically linked executables. In particular, we present a new approach to identify the boundary between user code and third-party libraries, such that the burden of libraries can be safely removed from binary analysis tasks.
Contributor: ABES STAR
Submitted on: Friday, November 5, 2021 - 3:09:10 PM
Last modification on: Tuesday, November 16, 2021 - 4:28:55 AM
Long-term archiving on: Sunday, February 6, 2022 - 7:15:12 PM


Version validated by the jury (STAR)


  • HAL Id: tel-03417110, version 1


Emanuele Cozzi. Binary Analysis for Linux and IoT Malware. Cryptography and Security [cs.CR]. Sorbonne Université, 2020. English. ⟨NNT : 2020SORUS197⟩. ⟨tel-03417110⟩


