Extracting ICS models from malware via concolic analysis

Abstract

While there has been significant progress in automated malware analysis, the focus of prior work has been mostly on programs written in C/C++. Advanced malware such as the Triton malware, however, also employ Python which imposes additional challenges to the automated malware analysis. Motivated by this example, we design and implement a concolic execution framework that is capable of extracting models of the targeted industrial control systems (ICS) based on the Python malware's communication with the system. Our approach first transforms the Python malware to C and then utilizes a symbolic execution engine to analyze the resulting C code. We prove the functionality of our framework on a set of test programs and evaluate it on two ICS-related samples including the Triton malware. Finally, we discuss how the results of our analysis can be used to identify potentially targeted ICS of a Python malware.