-------------- Papers to read --------------

=====================
A. Symbolic execution
=====================

(0) Symbolic Execution and Program Testing
    http://portal.acm.org/citation.cfm?doid=360248.360252
(1) EXE: Automatically Generating Inputs of Death
    http://www.stanford.edu/~engler/exe-ccs-06.pdf
(2) DART: Directed Automated Random Testing
    http://research.microsoft.com/users/pg/public_psfiles/pldi2005.pdf
(3) Towards Automatic Generation of Vulnerability-Based Signatures
    http://www.cs.cmu.edu/~dbrumley/pubs/oakland-06.pdf
(4) Towards Automatically Identifying Trigger-based Behavior in Malware using Symbolic Execution and Binary Analysis
    link N/A

=============================
B. Static analysis of malware
=============================

(1) Detecting Kernel-Level Rootkits Through Binary Analysis
    http://ieeexplore.ieee.org/iel5/9473/30059/01377219.pdf?arnumber=1377219
(2) Obfuscation of Executable Code to Improve Resistance to Static Disassembly
    http://www.cs.arizona.edu/solar/papers/CCS2003.pdf
(3) Static Disassembly of Obfuscated Binaries
    http://www.auto.tuwien.ac.at/~chris/research/doc/2004_03.pdf

==============================
C. Dynamic analysis of malware
==============================

(1) Minos: Control Data Attack Prevention Orthogonal to Memory Model
    http://wwwcsif.cs.ucdavis.edu/~crandall/micro2004.pdf
(2) Siren: Catching Evasive Malware
    http://doi.ieeecomputersociety.org/10.1109/SP.2006.37
(3) Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management
(4) Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor
(5) Dynamic analysis of malicious code (Virology, 2006)

========================
D. Virtual machine stuff
========================

(1) Terra: A Virtual Machine-Based Platform for Trusted Computing
(2) ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay
(3) SubVirt: Implementing malware with virtual machines
(4) Debugging operating systems with time-traveling virtual machines
(5) Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems
(6)

============
E. IDS stuff
============

(1) Host-based intrusion detection (infsec 2005, Vigna/Kruegel)
(2) Anomalous System Call Detection (TISSEC 2006)
(3) Backtracking Intrusions
(4) Enriching intrusion alerts through multi-host causality

==========
F. Systems
==========

(1) Vulcan: Binary transformation in a distributed environment
    ftp://ftp.research.microsoft.com/pub/tr/tr-2001-50.pdf
(2) The Paradyn Parallel Performance Measurement Tool
    ftp://ftp.cs.wisc.edu/paradyn/papers/Miller95Paradyn.pdf
(3) QEMU, a Fast and Portable Dynamic Translator
    http://www.usenix.org/publications/library/proceedings/usenix05/tech/freenix/full_papers/bellard/bellard.pdf
(4) Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
    http://valgrind.org/docs/valgrind2007.pdf

========
G. Other
========

(1) Hunting for Metamorphic (Szor/Ferrie)
(2) An Undetectable Computer Virus (Chess/White)
(3) The Nepenthes Platform: An Efficient Approach to Collect Malware
(4) TTAnalyze: A Tool for Analyzing Malware
(5) Vigilante: End-to-End Containment of Internet Worms
    http://research.microsoft.com/~manuelc/MS/VigilanteSOSP.pdf
(6) CWSandbox: Automatic Behaviour Analysis of Malware
    http://www.cwsandbox.org/
(7)