Differential Slicing: Identifying Causal Execution Differences for Security Applications

Differential Slicing: Identifying Causal Execution Differences for Security Applications
Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song

Citation
Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song. "Differential Slicing: Identifying Causal Execution Differences for Security Applications". Proceedings of the 32nd IEEE Symposium on Security and Privacy, IEEE, pp. 347-362, May, 2011.

Abstract
A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observed difference and the causal path of differences that led from those input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference.

Electronic downloads

http://dx.doi.org/10.1109/SP.2011.41

Citation formats

HTML

Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen
McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song.
<a href="http://www.truststc.org/pubs/858.html"
>Differential Slicing: Identifying Causal Execution
Differences for Security Applications</a>, Proceedings
of the 32nd IEEE Symposium on Security and Privacy, IEEE,
pp. 347-362, May, 2011.

Plain text

Noah Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen
McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song.
"Differential Slicing: Identifying Causal Execution
Differences for Security Applications". Proceedings of
the 32nd IEEE Symposium on Security and Privacy, IEEE, pp.
347-362, May, 2011.

BibTeX

@inproceedings{JohnsonCaballeroChenMcCamantPoosankamReynaudSong11_DifferentialSlicingIdentifyingCausalExecutionDifferences,
    author = {Noah Johnson and Juan Caballero and Kevin Zhijie
              Chen and Stephen McCamant and Pongsin Poosankam
              and Daniel Reynaud and Dawn Song},
    title = {Differential Slicing: Identifying Causal Execution
              Differences for Security Applications},
    booktitle = {Proceedings of the 32nd IEEE Symposium on Security
              and Privacy},
    organization = {IEEE},
    pages = {pp. 347-362},
    month = {May},
    year = {2011},
    abstract = {A security analyst often needs to understand two
              runs of the same program that exhibit a difference
              in program state or output. This is important, for
              example, for vulnerability analysis, as well as
              for analyzing a malware program that features
              different behaviors when run in different
              environments. In this paper we propose a
              differential slicing approach that automates the
              analysis of such execution differences.
              Differential slicing outputs a causal difference
              graph that captures the input differences that
              triggered the observed difference and the causal
              path of differences that led from those input
              differences to the observed difference. The
              analyst uses the graph to quickly understand the
              observed difference. We implement differential
              slicing and evaluate it on the analysis of 11
              real-world vulnerabilities and 2 malware samples
              with environment-dependent behaviors. We also
              evaluate it in an informal user study with two
              vulnerability analysts. Our results show that
              differential slicing successfully identifies the
              input differences that caused the observed
              difference and that the causal difference graph
              significantly reduces the amount of time and
              effort required for an analyst to understand the
              observed difference.},
    URL = {http://www.truststc.org/pubs/858.html}
}

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.