Context-sensitive analysis of obfuscated x86 executables

Lakhotia, Arun; Boccardo, Davidson R.; Singh, Anshuman; Manacero, Aleardo

doi:10.1145/1706356.1706381

Cited by 11 publications

(4 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to face this problem, researchers have recently started to consider semantic approaches to malware detection in order to deal with metamorphism, i.e., obfuscation, (e.g., see [9,11,16,29,[26][27][28]32]). …”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Unveiling metamorphism by abstract interpretation of code properties

Preda

Giacobazzi

Debray

2015

Theoretical Computer Science

View full text Add to dashboard Cite

interpretation Program semantics Metamorphic malware detection Self-modifying programs Metamorphic code includes self-modifying semantics-preserving transformations to exploit code diversification. The impact of metamorphism is growing in security and code protection technologies, both for preventing malicious host attacks, e.g., in software diversification for IP and integrity protection, and in malicious software attacks, e.g., in metamorphic malware self-modifying their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extracting metamorphic signatures from metamorphic code. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics. In particular, we introduce the notion of regular metamorphism, where the invariants of the phase semantics can be modeled as finite state automata representing the code structure of all possible metamorphic change of a metamorphic code, and we provide a static signature extraction algorithm for metamorphic code where metamorphic signatures are approximated in regular metamorphism.

show abstract

Section: Related Workmentioning

confidence: 99%

“…In [28] the authors propose a methodology for making context-sensitive analysis of assembly programs even when the call and ret instructions are obfuscated. In particular, they define a general framework where they formalize the notion of context-trace semantics.…”

Section: Related Workmentioning

confidence: 99%

Unveiling metamorphism by abstract interpretation of code properties

Preda

Giacobazzi

Debray

2015

Theoretical Computer Science

View full text Add to dashboard Cite

show abstract

“…For example, Shivers' 1CFA allocates distinct contexts for each call site. Lakhotia et al [12] introduce ℓ-contexts to build a static analysis for obfuscated x86 binaries, employing finite sequences of unique enclosed function calls. Finally, one can take a bounded set of naturals {n ∈ N | n ≤ N } for some N as contexts, which will give a good precision for sufficiently big N .…”

Section: Abstracting Over Addressesmentioning

confidence: 99%

Monadic abstract interpreters

et al. 2013

View full text Add to dashboard Cite

Recent developments in the systematic construction of abstract interpreters hinted at the possibility of a broad unification of concepts in static analysis. We deliver that unification by showing context-sensitivity, polyvariance, flow-sensitivity, reachabilitypruning, heap-cloning and cardinality-bounding to be independent of any particular semantics. Monads become the unifying agent between these concepts and between semantics. For instance, by plugging the same "context-insensitivity monad" into a monadicallyparameterized semantics for Java or for the lambda calculus, it yields the expected context-insensitive analysis. To achieve this unification, we develop a systematic method for transforming a concrete semantics into a monadically-parameterized abstract machine. Changing the monad changes the behavior of the machine. By changing the monad, we recover a spectrum of machines-from the original concrete semantics to a monovariant, flow-and context-insensitive static analysis with a singly-threaded heap and weak updates. The monadic parameterization also suggests an abstraction over the ubiquitous monotone fixed-point computation found in static analysis. This abstraction makes it straightforward to instrument an analysis with high-level strategies for improving precision and performance, such as abstract garbage collection and widening. While the paper itself runs the development for continuationpassing style, our generic implementation replays it for direct-style lambda-calculus and Featherweight Java to support generality.

show abstract

“…We believe that our techniques are more precise since we do not abstract the stack. Moreover, the techniques of [18] were only tried on toy examples, they have not been applied for malware detection.…”

Section: Introductionmentioning

confidence: 99%