LTL Model Checking of Self Modifying Code

Touili, Tayssir; Ye, Xin

doi:10.1109/iceccs.2019.00008

Cited by 2 publications

(4 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As for LTL and CTL modelchecking, they can be reduced to the emptiness problem for Selfmodifying (Alternating) Büchi Pushdown Systems. The basic idea is to make a product of the given SM-PDS and the given LTL or CTL formula to get a Self-modifying (Alternating) Büchi Pushdown system and then apply the algorithms of [43] to check the emptiness of the Self-modifying (Alternating) Büchi Pushdown system.…”

Section: The Model Checking Algorithmsmentioning

confidence: 99%

“…For example, we show in this section how LTL can be used to express the malicious behavior of registry key injecting. Other LTL and CTL formulas that describe other malicious behaviors can be found in [13,14,43].…”

Section: Applying Smodic For Malware Detectionmentioning

confidence: 99%

“…For example, if we consider the sequence 𝑓 1 , 𝑓 2 , 𝑓 3 , then Reachability component checks whether the SM-PDS has a run that calls first 𝑓 1 , then 𝑓 2 , then 𝑓 3 . The LTL (CTL) component takes as input a SM-PDS and an LTL (CTL) formula, and applies the algorithms of [43] to check whether the SM-PDS satisfies the LTL (CTL) formula.…”

Section: Architecturementioning

confidence: 99%

“…Then, it translates this CFG into a SM-PDS. It then implements the algorithms of [42,43] to perform reachability analysis and LTL/CTL model-checking for this model.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SMODIC: A Model Checker for Self-modifying Code

Touili

2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

In this paper, we present SMODIC, a model checker for selfmodifying binary codes. SMODIC uses Self Modifying Pushdown Systems (SM-PDS) to model self-modifying binary code. This allows to faithfully represent the program's stack as well as the self-modifying instructions of the program. SMODIC takes a selfmodifying binary code or a self modifying pushdown system as input. It can then perform reachability analysis and LTL/CTL modelchecking for these models. We successfully used SMODIC to modelcheck more than 900 self-modifying binary codes. In particular, we applied SMODIC for malware detection, since malwares usually use self-modifying instructions, and since malicious behaviors can be described by LTL or CTL formulas. In our experiments, SMODIC was able to detect 895 malwares and to prove that 200 benign programs were benign. SMODIC was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Baidu, Avast, and Symantec failed to detect. SMODIC can be found in https://lipn.univ-paris13.fr/~touili/smodic CCS CONCEPTS• Theory of computation → Verification by model checking;• Security and privacy → Logic and verification.

show abstract

Section: The Model Checking Algorithmsmentioning

confidence: 99%

Section: Applying Smodic For Malware Detectionmentioning

confidence: 99%

Section: Architecturementioning

confidence: 99%

“…Then, it translates this CFG into a SM-PDS. It then implements the algorithms of [42,43] to perform reachability analysis and LTL/CTL model-checking for this model.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations