discussion: capa doesn't handle sandbox or API traces

[williballenthin]

capa relies on analysis of code structures to identify patterns. this is similar to matching sequences of API calls or other events in a sandbox, but not exactly. right now, capa rules don't directly translate to identifying behaviors from sandbox or debugging output, but it seems like there's a lot of overlap. maybe we can find a way to re-use a lot of work we've done for the static analysis rules.

[musaabimran]

Hey, I am interested in this project. How can I get started with this?

[mr-tz]

This is a larger project. Are you interested in the context of GSoC?
If so, please see https://github.com/mandiant/flare-gsoc-2023/blob/main/doc/project-ideas.md#capa-capabilities-from-dynamic-analysis and https://github.com/mandiant/flare-gsoc-2023/blob/main/doc/contributor-guidance.md.

[musaabimran]

Yes, I am. So, should I send the proposal regarding my approach?

[mr-tz]

Yes, and please see the other steps we point out, i.e., the patch preparation.

[1nf3rn0-H]

Even I am interested, I'll send the proposal right away!

[1nf3rn0-H]

Hey @mr-tz I am interested to work on this. I have prepared my GSoC proposal, can you review it once?

[mr-tz]

Great, yes, please share it with us in the respective GSOC repo discussion or via email. Ideally, use Google Docs or a similar tool so we can add comments.

[1nf3rn0-H]

Alright, I have sent it over email, do check and review!

[williballenthin]

closed in v7 by @yelhamer