
UNIVERSITY COLLEGE LONDON


EXAMINATION FOR INTERNAL STUDENTS

MODULE CODE : COMP
ASSESSMENT PATTERN : COMP0060A7UD
MODULE NAME : Malware
LEVEL : Undergraduate (Masters Level)
DATE : Friday 26-Aug-
TIME : 10:
Controlled-Condition exam: 2 Hours exam

You cannot submit your work after the date and time shown on AssessmentUCL; you must ensure you allow sufficient time to upload and hand in your work.

This paper is suitable for candidates who attended classes for this module in the following academic year(s):
Year: 2021/

Duration: 2 hours
Additional time for converting handwritten notes to PDF where applicable: 10 minutes
Upload window: 20 minutes
Total time: 2 hours 30 minutes
Additional material: N/A
Special instructions: N/A
Exam paper word count: N/A

TURN OVER

Malware, COMP0060 (A7U,A7P) Late Summer Assessment Period, 2021-

Suitable for Cohorts: 2020/21, 2019/

This paper consists of THREE questions worth a total of 100 marks. Answer ALL THREE questions. This paper is suitable for resit students.

Marks for each part of each question are indicated in square brackets. Standard calculators are permitted.

1. a. Operational semantics for programs comes in two flavours: natural semantics and structural operational semantics.
   i. Explain the difference between these two. (2 marks)
   ii. Illustrate this difference using either an if statement or a while statement. ( marks)
   iii. Which flavour is more likely to be useful for establishing the correctness of static analysis of malware, and why? (2 marks)
   [8 marks]
b. Consider the abstraction of program properties using a Galois connection.

i. Give the definition of a Galois connection between two complete lattices, A and C.

[3 marks]
ii. Given that much static analysis of programs is based on abstractions of data,
explain why and how Galois connections can be useful in static analysis.
[2 marks]
iii. Informally explain how infection of programs by malware can be modelled by
an abstraction of the trace semantics for a programming language.
[2 marks]
c. Consider Dynamic Defence Predicates.
   i. Give an example of a dynamic defence against forced unpacking of code. ( marks)
   ii. Contrast the characteristics of control based dynamic defences with code and simple dynamic defences against code, illustrating each one. (6 marks)
   iii. What is the main difference in how a reverse engineer needs to deal with these two types of defence? (2 marks)
   [10 marks]

d. Consider static analysis of execution traces for programs potentially infected with malware. Formally define the following two abstractions on traces seen in the course: the restriction abstraction, r, that maps a state trace to a state trace; and the forgetful abstraction, e, that maps a state trace to an execution trace. Briefly explain how each abstraction is used in practice.
[8 marks]
[Total for Question 1: 33 marks]
2. a. This subquestion is about constructing abstract interpretations of programs. All question parts relate to the following code fragment, call it F, with identified program points:

    p0: input(x);
    p1: while isOdd(x) {
    p2:     x = x div 2;
        }
    p3: x++;
    p4: exit
i. Give the concretisation and abstraction maps for the Galois connection that
captures the parity abstract interpretation of program F.
[6 marks]
ii. Given the following concrete transfer functions for F, define the corresponding abstract transfer functions.

   1. f0 : p0 → p1, f0(x) = x
   2. f1 : p1 → p2, f1(x) = x if x % 2 = 1, = ⊥ otherwise
   3. f2 : p1 → p3, f2(x) = x if x % 2 = 0, = ⊥ otherwise
   4. f3 : p2 → p1, f3(x) = x div 2
   5. f4 : p3 → p4, f4(x) = x + 1
   [9 marks]
iii. For each program point in F, give the formula that calculates the abstract value that attaches to that point in terms of the abstract values at each immediate predecessor point and the abstract transfer functions between the points.
[6 marks]
iv. Use your answers to the previous questions to perform the fixed point calculation that calculates the abstract interpretation of the program.
[6 marks]
b. i. Explain what an opaque constant is and why these are useful to malware writers.
[2 marks]
ii. Describe a simple scheme for constructing an opaque constant as shown in lectures. What does the opacity rely on?
[4 marks]
[Total for Question 2: 33 marks]
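The following Python program is an added worked example, not part of the exam paper or its marking scheme, covering the Galois connection asked for in Question 1 b (i) and the parity abstract interpretation of F in Question 2 a. It builds the parity lattice {⊥, even, odd, ⊤}, the abstraction and concretisation maps α and γ between sets of integers and that lattice (checked exhaustively over a small constructed universe standing in for the integers), the abstract transfer functions for the five edges of F, and a Kleene fixed-point iteration over the program points. All names in it (BOT, EVEN, ODD, TOP, alpha, gamma, step, analyse) are this example's own.

```python
"""Parity abstract interpretation of the exam's code fragment F.

Added worked example; not the exam's marking scheme. Names (BOT, EVEN, ODD,
TOP, alpha, gamma, step, analyse) and the small integer UNIVERSE standing in
for the integers are this example's own constructed choices.
"""
from itertools import combinations

# Abstract domain A: the parity lattice, BOT below EVEN and ODD, TOP above.
BOT, EVEN, ODD, TOP = "bot", "even", "odd", "top"
ELEMENTS = (BOT, EVEN, ODD, TOP)
POINTS = ("p0", "p1", "p2", "p3", "p4")

def leq(a, b):
    """Partial order on A."""
    return a == BOT or b == TOP or a == b

def join(a, b):
    """Least upper bound; used where two control-flow edges meet (p1)."""
    if leq(a, b):
        return b
    return a if leq(b, a) else TOP

def meet(a, b):
    """Greatest lower bound; used to filter by the loop condition."""
    if leq(a, b):
        return a
    return b if leq(b, a) else BOT

# Concrete domain C: subsets of a constructed finite universe of integers.
UNIVERSE = frozenset(range(-4, 5))

def alpha(c):
    """Abstraction map C -> A: the parity shared by every element of c."""
    parities = {EVEN if x % 2 == 0 else ODD for x in c}
    if not parities:
        return BOT
    return TOP if len(parities) == 2 else parities.pop()

def gamma(a):
    """Concretisation map A -> C: the largest set with parity a."""
    return {BOT: frozenset(),
            EVEN: frozenset(x for x in UNIVERSE if x % 2 == 0),
            ODD: frozenset(x for x in UNIVERSE if x % 2 == 1),
            TOP: UNIVERSE}[a]

def is_galois_connection():
    """Exhaustively check alpha(c) <= a  iff  c is a subset of gamma(a)."""
    xs = sorted(UNIVERSE)
    for k in range(len(xs) + 1):
        for c in map(frozenset, combinations(xs, k)):
            for a in ELEMENTS:
                if leq(alpha(c), a) != (c <= gamma(a)):
                    return False
    return True

# Abstract transfer functions, one per edge of F.
def f0_abs(a):  # p0 -> p1: f0(x) = x
    return a

def f1_abs(a):  # p1 -> p2: taken only when x is odd
    return meet(a, ODD)

def f2_abs(a):  # p1 -> p3: taken only when x is even
    return meet(a, EVEN)

def f3_abs(a):  # p2 -> p1: x div 2 can have either parity
    return BOT if a == BOT else TOP

def f4_abs(a):  # p3 -> p4: x + 1 flips parity
    return {BOT: BOT, EVEN: ODD, ODD: EVEN, TOP: TOP}[a]

def step(v):
    """The data-flow equations: new value at each point from its predecessors."""
    return {"p0": TOP,                                     # input(x): anything
            "p1": join(f0_abs(v["p0"]), f3_abs(v["p2"])),  # from p0 and p2
            "p2": f1_abs(v["p1"]),
            "p3": f2_abs(v["p1"]),
            "p4": f4_abs(v["p3"])}

def analyse():
    """Kleene iteration from all-BOT until the equations stop changing."""
    v = dict.fromkeys(POINTS, BOT)
    rounds = 0
    while True:
        rounds += 1
        nxt = step(v)
        if nxt == v:
            return v, rounds
        v = nxt

if __name__ == "__main__":
    print("Galois connection:", is_galois_connection())
    values, rounds = analyse()
    print(values, "after", rounds, "rounds")
```

Running it reports that the Galois condition holds and that the iteration stabilises at ⊤ for p0 and p1, odd for p2, even for p3 and odd for p4: the loop body can only be entered with an odd x, x div 2 loses parity (so p1 stays ⊤ once the back edge is joined in), and x++ flips the even value reaching p3.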


3. a. A packer is like a compiler; an unpacker is like a loader. Discuss. [3 marks]
b. i. Define multiset intersection.
[4 marks]
ii. Define an intersection operator for sequences.
[4 marks]
iii. How might one use an intersection operator over sequences in the context of
malware detection?
[2 marks]
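As an added worked example for parts b (i) to (iii) above (not the exam's own definitions or marking scheme), the Python below takes multiset intersection to be the pointwise minimum of multiplicities and, as one reasonable choice of an intersection operator for sequences, the longest common subsequence. Applied to instruction-mnemonic streams it gives a detection signal that survives junk-instruction insertion, which an exact sequence match does not. The mnemonic streams SIGNATURE, VARIANT and UNRELATED and the names signature_coverage and matches are constructed for this example.

```python
"""Multiset and sequence intersection over instruction-mnemonic streams.

Added worked example; not part of the exam paper. Multiset intersection is
the pointwise minimum of multiplicities; the sequence intersection chosen
here is the longest common subsequence (LCS), one reasonable reading of
"an intersection operator for sequences". The mnemonic streams are
constructed for illustration.
"""
from collections import Counter

def multiset_intersection(xs, ys):
    """Each element keeps min(count in xs, count in ys)."""
    cx, cy = Counter(xs), Counter(ys)
    return Counter({k: min(cx[k], cy[k]) for k in cx if k in cy})

def sequence_intersection(xs, ys):
    """Longest common subsequence: order preserved, gaps allowed."""
    n, m = len(xs), len(ys)
    dp = [[0] * (m + 1) for _ in range(n + 1)]  # dp[i][j] = LCS of xs[:i], ys[:j]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if xs[i - 1] == ys[j - 1]:
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    out, i, j = [], n, m
    while i and j:  # walk the table back to recover one LCS
        if xs[i - 1] == ys[j - 1]:
            out.append(xs[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]

def signature_coverage(sample, signature):
    """Fraction of the signature sequence that appears, in order, in sample."""
    return len(sequence_intersection(sample, signature)) / len(signature)

# Constructed streams: a reference signature, a variant with junk instructions
# inserted, and an unrelated routine.
SIGNATURE = ["push", "mov", "xor", "call", "test", "jz", "mov", "ret"]
VARIANT = ["push", "nop", "mov", "xor", "nop", "call", "test", "jz", "mov", "nop", "ret"]
UNRELATED = ["sub", "lea", "cmp", "jne", "add", "lea", "cmp"]

def matches(sample, signature=SIGNATURE, threshold=0.9):
    """Flag a sample whose LCS coverage of the signature reaches the threshold."""
    return signature_coverage(sample, signature) >= threshold

if __name__ == "__main__":
    print(multiset_intersection(SIGNATURE, VARIANT))
    print(sequence_intersection(SIGNATURE, VARIANT))
    print(matches(VARIANT), matches(UNRELATED))
```

The multiset view answers "does the sample contain at least the instruction mix of the signature?" and ignores order, so it is cheap but easily fooled by reordering; the LCS view keeps order but tolerates insertions, which is why the nop-padded VARIANT still covers the whole signature while UNRELATED shares nothing with it.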
c. In lecture, you learned about a technique by Sharif et al. for detecting and automatically reverse engineering malware that uses a polymorphic virtual machine, or emulator, to hide itself.
i. Explain how Sharif et al.'s technique works.
[4 marks]
ii. Devise a defence against Sharif et al.'s interpreter finding technique.
[4 marks]
d. Explain how return-oriented programming (ROP) implements a Von Neumann machine.
[5 marks]

e. You work for MI6. You have 0wned (cracker slang for gaining administrative control of someone else's computer) a server used by Anonymous, the anarchist cracker collective. You have found an obfuscation engine on it that protects malware by wrapping it in a virtual machine.
i. Describe how you would modify that obfuscation engine so that when Anonymous uses it to obfuscate malware 1) MI6 can detect that malware 2) without weakening the obfuscation engine to the point that Anonymous stops using it. Constraint #2 means that organisations, like the KGB, cannot trivially detect malware protected by this obfuscation engine.
[5 marks]
ii. What measures do you take to hide your changes to the obfuscation engine, so that Anonymous does not easily or immediately detect those changes?
[3 marks]
[Total for Question 3: 34 marks]
END OF PAPER