Team for Research in Ubiquitous Secure Technology

Differential Slicing: Identifying Causal Execution Differences for Security Applications
Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song

Citation
Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song. "Differential Slicing: Identifying Causal Execution Differences for Security Applications". Proceedings of the 32nd IEEE Symposium on Security and Privacy, IEEE, pp. 347-362, May, 2011.

Abstract
A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observed difference and the causal path of differences that led from those input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference.

Citation formats  
  • BibTeX
    @inproceedings{JohnsonCaballeroChenMcCamantPoosankamReynaudSong11_DifferentialSlicingIdentifyingCausalExecutionDifferences,
        author = {Noah Johnson and Juan Caballero and Kevin Zhijie
                  Chen and Stephen McCamant and Pongsin Poosankam
                  and Daniel Reynaud and Dawn Song},
        title = {Differential Slicing: Identifying Causal Execution
                  Differences for Security Applications},
        booktitle = {Proceedings of the 32nd IEEE Symposium on Security
                  and Privacy},
        organization = {IEEE},
        pages = {347--362},
        month = {May},
        year = {2011},
        abstract = {A security analyst often needs to understand two
                  runs of the same program that exhibit a difference
                  in program state or output. This is important, for
                  example, for vulnerability analysis, as well as
                  for analyzing a malware program that features
                  different behaviors when run in different
                  environments. In this paper we propose a
                  differential slicing approach that automates the
                  analysis of such execution differences.
                  Differential slicing outputs a causal difference
                  graph that captures the input differences that
                  triggered the observed difference and the causal
                  path of differences that led from those input
                  differences to the observed difference. The
                  analyst uses the graph to quickly understand the
                  observed difference. We implement differential
                  slicing and evaluate it on the analysis of 11
                  real-world vulnerabilities and 2 malware samples
                  with environment-dependent behaviors. We also
                  evaluate it in an informal user study with two
                  vulnerability analysts. Our results show that
                  differential slicing successfully identifies the
                  input differences that caused the observed
                  difference and that the causal difference graph
                  significantly reduces the amount of time and
                  effort required for an analyst to understand the
                  observed difference.},
        URL = {http://www.truststc.org/pubs/858.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.