https://www.um.edu.mt/library/oar/handle/123456789/21961 Wed, 22 Apr 2026 08:11:10 GMT 2026-04-22T08:11:10Z https://www.um.edu.mt/library/oar/handle/123456789/30050 Title: Enhancing android malware sandboxes with anti-evasion code patching Abstract: Sophisticated Android malware families often implement techniques aimed at avoiding detection. Split personality malware for example, behaves benignly when it detects that it is running on an analysis environment such as a malware sandbox, and maliciously when running on a real user's device. These kind of techniques are problematic for malware analysts, often rendering them unable to detect or understand the malicious behaviour. This is where sandbox hardening comes into play. In this work, we exploit sandbox detection heuristic prediction to proactively generate bytecode patches, in order to disable the malware's ability to detect a malware sandbox. Through the development of AndroNeo, we demonstrate the feasibility of this approach by showing that the heuristic prediction basis is a solid starting point to build upon, and demonstrating that when heuristic prediction is followed by bytecode patch generation, split personality can be defeated. The AndroNeo prototype implements checks at the Java level for API method calls that can distinguish real devices from emulators. The robustness of AndroNeo was demonstrated by showing its ability to identify and patch evasion heuristics within packed code. The relevance of packed malware was confirmed by demonstrating the prevalence of packers in modern day malware samples. Description: M.SC.COMP.SCI.&ARTIFICIAL INTELLIGENCE Sun, 01 Jan 2017 00:00:00 GMT https://www.um.edu.mt/library/oar/handle/123456789/30050 2017-01-01T00:00:00Z https://www.um.edu.mt/library/oar/handle/123456789/30049 Title: Towards peer-to-peer caching techniques for web resources Abstract: When dealing with web applications, response and loading time can often be prolonged due to many factors such as large amounts of content which need to be sent to the client and excessive load on the server which causes responses to be processed and sent in a slower manner. These reasons often lead to website operators having to invest in scaling up their systems so as to handle larger server loads. Another strategy used to decrease server load is that of caching resources within clients' browsers in anticipation of future re-usability. Once a resource is cached, it is accessible only by the client at which it is cached yet it is a common occurrence that a group of clients require the same web resource. The idea of sharing cached resources between clients which are likely to access the same resources would make sense as it would further decrease server load, yet as standard implementations go, browsers do not currently have a way to share cached resources between them. With the recent introduction of browser-to-browser communication protocols which allow browsers to communicate directly with each other, the sharing of cached resources directly between clients has become a possibility. This dissertation explores the use of browser-to-browser communication to share cached web resources between a group of clients and more specifically, browsers. It also focuses on designing an approach which will allow website operators to incorporate a transparent content distribution network into their website so that website visitors will be able to share static web content between themselves in a peer-to-peer manner while reducing server loads. Description: M.SC.COMPUTER SCIENCE Sun, 01 Jan 2017 00:00:00 GMT https://www.um.edu.mt/library/oar/handle/123456789/30049 2017-01-01T00:00:00Z https://www.um.edu.mt/library/oar/handle/123456789/30048 Title: A distributed pipeline for interactive physically based rendering Abstract: The synthesis of virtual environments using physically based approaches re- quires high-end machines, even for dynamic scenarios that are moderately complex in terms of geometry and illumination. The constraint of interactivity further compounds these requirements, especially when large output resolutions are taken into consideration. In order to democratise physically based rendering and make it available to a wide spectrum of devices, from mobile to tablet to desktop machines, a distributed graphics pipeline is proposed that enhances traditional GPU-based real-time graphics with the computational power of the Cloud. A prototype of the proposed pipeline is presented. In the fi rst stage of the implementation, the computation of indirect light within the global illumination rendering pipeline is relocated to a precomputation stage and merged with the direct light image at the post-processing stage. In this stage the computation is performed on the target machine itself. In the second stage, the computation of indirect light is moved to the Cloud and applied to static scenes. Finally, in the third stage, support is added for dynamic scenes, with experiments performed on moving lights. This study demonstrates that such a distributed pipeline is viable, with good quality images obtained at high frame rates on the client. The proposed pipeline also scales well when servicing multiple clients simultaneously. Description: M.SC.COMPUTER SCIENCE Sun, 01 Jan 2017 00:00:00 GMT https://www.um.edu.mt/library/oar/handle/123456789/30048 2017-01-01T00:00:00Z https://www.um.edu.mt/library/oar/handle/123456789/29983 Title: Memory forensics of control flow integrity violations Abstract: Incident response comprises of conducting digital investigation after a breach into a system occurs. Current tools which aid the incident responder in obtaining information on the attack are able to locate the payload of the attack such as a backdoor to the system, either by performing disk or memory forensics. However, current tools are not able to obtain artefacts related to the exploit i.e. the entrypoint to the system. This is due to the fact that disk forensic tools are only able to locate those artefacts which are persistent on disk. Memory forensics addresses the limitation of disk forensics as it aids the incident responder in locating artefacts which do not interact with the disk. However, such artefacts are recycled quickly out of memory especially in the case of script-based exploits since memory is volatile. Thus, memory snapshots need to be taken when some events occur and exploits are suspected, defined as MemDump points. If the exploit which violated the system is found, the system can be hardened so as to prevent future intrusions. The project aims to take an event-driven approach to memory forensics. Research proceeded into phases, the first part being conducting process memory analysis to locate the artefacts produced by state-of-the-art exploits and thus deduce a pattern of exploits at the memory level. Suitable MemDump points were defined based on the research conducted. The second phase was the definition of a framework Mem- CFI, which makes use of runtime instrumentation to inject the MemDump points in existing binaries in a way that minimal overhead is incurred and the MemDump points are tamper resistant. The framework was evaluated in terms of practicality and effectiveness. The practicality was evaluated by measuring the number of memory snapshots that are taken while browsing, the performance overhead which is induced and the size of the memory snapshots. The effectiveness of the proposed framework was shown through the use of different case studies which are representative of current attacks. The exploit was successfully located in memory in each case. Description: M.SC.COMPUTER SCIENCE Sun, 01 Jan 2017 00:00:00 GMT https://www.um.edu.mt/library/oar/handle/123456789/29983 2017-01-01T00:00:00Z