Wednesday 14 October 14:00 - 15:00, Small Talks room
Bramwell Brizendine, Alexander Wood, Jared Sheldon & William Lochte (University of Alabama in Huntsville)
Malware authors revel in creating chaos as they combine anti-debugging, anti-analysis and timing tricks to all but guarantee that malware analysts are thwarted from reaching what are often some of the most important blocks of code. After all, running malware in a sandbox will only expose the first path that a sample traverses, even if configured to help avoid some anti-analysis techniques; this can leave behind significant malicious functionality that is hidden behind any one of numerous anti-analysis techniques.
With this research, we present a game-changing innovation, a new binary emulation and analysis framework that helps recover potentially all malicious functionality by using complete code coverage while also neutralizing anti-debugging techniques. Complete code coverage allows BEAST to drive through protected branches and hidden functionality buried behind conditional logic, allowing potentially all or nearly all paths to be explored. Typically, after malware detonates and execution ends, any results are collected. But BEAST instead forces execution to resume at code locations not previously traversed, where it can then restore previously saved memory snapshots, thereby yielding more indicators of compromise and other valuable threat intelligence in a timely fashion. Thus, BEAST can recover malicious functionality that in some cases could never be reached through execution in sandboxes.
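The snapshot-and-resume loop described above, reduced to a toy emulator so the idea can be run end to end. This is an added illustration, not BEAST's code; the eight-instruction program, its opcode names and the `debugged`/`clock_ok` environment flags are constructed for the demo and stand in for a debugger-presence check and a timing check.

```python
import copy

# Constructed toy program: (opcode, arg) pairs; pc values double as block labels.
PROGRAM = [
    ("load_flag", "debugged"),  # 0: ACC = env flag (stand-in for a debugger-presence check)
    ("jnz", 6),                 # 1: debugger seen -> decoy exit
    ("load_flag", "clock_ok"),  # 2: ACC = result of a timing check
    ("jz", 6),                  # 3: timing looks wrong -> decoy exit
    ("emit", "payload"),        # 4: behaviour hidden behind both checks
    ("halt", None),             # 5
    ("emit", "benign"),         # 6: decoy path
    ("halt", None),             # 7
]

def run(state, coverage, worklist, force=None):
    """Emulate until halt; at each conditional branch snapshot the pre-branch state
    and queue the edge NOT taken. `force` overrides the first conditional reached."""
    while True:
        pc = state["pc"]
        coverage.add(pc)
        op, arg = PROGRAM[pc]
        if op == "halt":
            return state["out"]
        if op == "load_flag":
            state["acc"] = state["env"][arg]
        elif op == "emit":
            state["out"].append(arg)
        else:  # jz / jnz
            take = (state["acc"] == 0) if op == "jz" else (state["acc"] != 0)
            if force is None:
                worklist.append((copy.deepcopy(state), not take))  # remember the other edge
            else:
                take, force = force, None  # resumed from a snapshot: drive the queued edge
            if take:
                state["pc"] = arg
                continue
        state["pc"] = pc + 1

def explore(env):
    """One detonation, then drain snapshots until every branch edge has been driven.
    Returns (set of covered pcs, list of per-path outputs)."""
    coverage, worklist, seen, outputs = set(), [], set(), []
    outputs.append(run({"pc": 0, "acc": 0, "env": env, "out": []}, coverage, worklist))
    while worklist:
        snap, edge = worklist.pop()
        if (snap["pc"], edge) not in seen:  # bound re-exploration of repeated branches
            seen.add((snap["pc"], edge))
            outputs.append(run(snap, coverage, worklist, force=edge))
    return coverage, outputs
```

Calling `run` once with an empty worklist reproduces what a single sandbox detonation sees (the decoy path only), while `explore` reaches the `payload` block that both checks hide.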
BEAST builds upon extensive research into myriad types of anti-debugging and anti-analysis behaviours, including both the obscure and the not so obscure. Each of these documented behaviours has elaborate, special handling built into the emulation to overcome them in a very robust, mature Windows emulation system. Even if complete code coverage were not utilized, because of BEAST's neutralization of anti-analysis techniques, BEAST would likely uncover significantly more functionality in many samples than traditional means would uncover. Overcoming anti-debugging techniques can be rather different via emulation than via other methods – some of which we will illuminate in our presentation.
While sandboxes have been immensely useful to malware analysts, their inherent limitation of only showing visited functionality remains significant. BEAST provides a viable alternative to the status quo through its advanced anti-analysis-aware emulation. In our presentation, we will highlight BEAST in action, showcasing in technical detail its ability to defeat anti-analysis techniques. We will also show some of the many options to customize how complete code coverage is implemented.
Bramwell Brizendine
Dr Bramwell Brizendine completed his Ph.D. in cyber operations. A security researcher, Bramwell is currently an assistant professor at the University of Alabama in Huntsville and Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks lab (VERONA Lab). A cybersecurity expert, Bramwell has taught numerous undergraduate, graduate, and doctoral level courses in reverse engineering, software exploitation, advanced software exploitation, malware analysis, and offensive security. Additionally, Bramwell has authored several important cybersecurity tools, including JOP ROCKET, SHAREM, ShellWasp, and ROP ROCKET, which are open source and freely available. Bramwell was a PI on a $300,000 NSA research grant to develop a shellcode analysis framework, SHAREM. Bramwell is a 2025 recipient of the DARPA Young Faculty Award for $500,000. Bramwell has been a speaker at many top security conferences across the globe, including different regional variations of Black Hat, DEFCON, Hack in the Box, and more.
Alexander Wood
Alexander Wood is a student at the University of Alabama in Huntsville. He has completed a Bachelor's degree in computer science, and he is presently a Ph.D. student, working in the VERONA Lab under Dr Bramwell Brizendine. Alexander is interested in reverse engineering, malware analysis, and software exploitation, as well as other elements of low-level security. Alexander is also studying machine learning. Alexander has worked on the BEAST project and focused his efforts on implementation of the neutralization of anti-debugging and anti-analysis techniques.
Jared Sheldon
Jared Sheldon has completed a Bachelor's degree in computer science and a Master's degree in cybersecurity. He has been a developer for BEAST, helping with the implementation of anti-debugging and anti-analysis techniques. Jared is interested in many diverse facets of cybersecurity, including malware analysis and reverse engineering. Jared has published various academic papers and he has contributed extensively to a previous NIST publication. He is a past speaker at the National Cyber Summit. Jared works at UAH's Center for Cybersecurity Research and Education (CCRE), where he has worked on numerous funded cybersecurity projects, including past malware analysis tooling.
William Lochte
William Lochte has completed a Bachelor's degree in cybersecurity engineering. He is currently a Ph.D. student, working in the VERONA Lab under Dr Bramwell Brizendine. William has a deep interest in all elements of low-level security, including reverse engineering, malware analysis, and software exploitation. William previously participated in recent updates of SHAREM via the VICEROY program, and he joined as a co-presenter at a 2025 Black Hat Arsenal presentation on SHAREM.