DOI: 10.5555/1251353.1251365

Static analysis of executables to detect malicious patterns

Published: 04 August 2003

Abstract

Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code-obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables).



Published In

SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
August 2003
321 pages

Publisher

USENIX Association, United States

Cited By

  • DeMinify: Neural Variable Name Recovery and Type Inference. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 758-770, 30 November 2023. doi:10.1145/3611643.3616368
  • A Malware Detection Method Based on Rgb Image. Proceedings of the 2020 6th International Conference on Computing and Artificial Intelligence, pages 283-290, 23 April 2020. doi:10.1145/3404555.3404622
  • DroidLight. Proceedings of the 21st International Conference on Distributed Computing and Networking, pages 1-10, 4 January 2020. doi:10.1145/3369740.3369796
  • A Deep Learning Approach to the Malware Classification Problem using Autoencoders. Proceedings of the XV Brazilian Symposium on Information Systems, pages 1-8, 20 May 2019. doi:10.1145/3330204.3330229
  • Recovering variable names for minified code with usage contexts. Proceedings of the 41st International Conference on Software Engineering, pages 1165-1175, 25 May 2019. doi:10.1109/ICSE.2019.00119
  • RAMD. Applied Intelligence, 49(7):2641-2658, 1 July 2019. doi:10.1007/s10489-018-01405-0
  • Hybrid Analysis Technique to detect Advanced Persistent Threats. International Journal of Intelligent Information Technologies, 14(2):59-76, 1 April 2018. doi:10.4018/IJIIT.2018040104
  • Malware classification using deep learning methods. Proceedings of the 2018 ACM Southeast Conference, pages 1-5, 29 March 2018. doi:10.1145/3190645.3190692
  • From Debugging-Information Based Binary-Level Type Inference to CFG Generation. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, pages 366-376, 13 March 2018. doi:10.1145/3176258.3176309
  • The role of model checking in software engineering. Frontiers of Computer Science: Selected Publications from Chinese Universities, 12(4):642-668, 1 August 2018. doi:10.1007/s11704-016-6192-0
