Preventing insider malware threats using program analysis techniques

H. Agrawal, J. Alberi, L. Bahler, William Conner, Josephine Micallef, Alexandr Virodov, R. S. Shane
Published in: 2010 - MILCOM 2010 Military Communications Conference (publication date: 2010-10-01)
DOI: 10.1109/MILCOM.2010.5679584 (https://doi.org/10.1109/MILCOM.2010.5679584)
Citations: 6

Abstract

Current malware detection tools focus largely on malicious code that is injected into target programs by outsiders by exploiting inadvertent vulnerabilities such as failing to guard against a buffer overflow or failure to properly validate a user input in those programs. Hardly any attention is paid to threats arising from software developers, who, with their intimate knowledge of the inner workings of those programs, can easily sneak logic bombs, Trojan horses, and backdoors in those programs. Traditional software validation techniques such as testing based on user requirements are unlikely to detect such malware, because normal use cases will not trigger them and thus will fail to expose them. The state-of-the-art in preventing such malware involves manual inspection of the target program, which is a highly tedious, time consuming, and error prone process. We propose a dynamic, test driven approach that automatically steers program analysts towards examining and discovering such insider malware threats. It uses program analysis techniques to identify program parts whose execution automatically guarantees execution of a large number of previously unexplored parts of the program. It effectively leads analysts into creating test cases which may trigger, in a protected test environment, any malware code hidden in that application as early as possible, so it can be removed from the application before it is deployed in the field. We also present a tool that helps translate this approach into practice.