Exploring the Maze of Mix Network and Malware

Dr. Xinyuan Wang , Associate Professor
Department of Computer Science, George Mason University


Abstract

The concept of MIX is fundamental to all anonymous communication networks, and almost all existing anonymous networks used traffic mixing and transformation to achieve anonymity. It has long been believed that flow mixing and transformations would effectively disguise network flows, thus achieve good anonymity. In the first half of this talk, I will overview my work in investigating the fundamental limitations of flow mixing and transformation in achieving anonymity. I will describe how active flow watermarking in packet timing could transparently make a sufficiently long flow uniquely identifiable, thus breaks the anonymity of all practical anonymity networks (e.g., Tor, anonymizer.com). In the second half of my talk, I will discuss some of the key obstacles to the effective malware analysis and defense and how binary analysis could be used to address them. Specifically, I will focus on how to analyze sophisticated malwares that are protected by cryptographic algorithms such as packing (i.e., self-modifying code), encryption, digital signature. I will present some surprising results on how much the cryptographic operations and secrets can be recovered from the execution of a potentially obfuscated binary executable. I will also discuss how to recover obfuscated malware code from memory dump.