Modelling metamorphism by abstract interpretation

Authors:
Mila Dalla Preda;Roberto Giacobazzi;Saumya Debray;Kevin Coogan;Gregg M. Townsend
Affiliations:
Dipartimento di Informatica, Università di Verona;Dipartimento di Informatica, Università di Verona;Department of Computer Science, University of Arizona;Department of Computer Science, University of Arizona;Department of Computer Science, University of Arizona
Venue:
SAS'10 Proceedings of the 17th international conference on Static analysis
Year:
2010

Citing 16
Cited 2

Context-sensitive interprocedural points-to analysis in the presence of function pointers

PLDI '94 Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation
Formal language, grammar and set-constraint-based program analysis by abstract interpretation

FPCA '95 Proceedings of the seventh international conference on Functional programming languages and computer architecture
Making abstract interpretations complete

Journal of the ACM (JACM)
Automatic discovery of linear restraints among variables of a program

POPL '78 Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Constructive design of a hierarchy of semantics of a transition system by abstract interpretation

Theoretical Computer Science
Systematic design of program analysis frameworks

POPL '79 Proceedings of the 6th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Testing malware detectors

ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Certified self-modifying code

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Static analysis of executables to detect malicious patterns

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
A semantics-based approach to malware detection

ACM Transactions on Programming Languages and Systems (TOPLAS)
Using verification technology to specify and detect malware

EUROCAST'07 Proceedings of the 11th international conference on Computer aided systems theory
CodeSurfer/x86—A platform for analyzing x86 executables

CC'05 Proceedings of the 14th international conference on Compiler Construction
Detecting malicious code by model checking

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Context-sensitive analysis without calling-context

Higher-Order and Symbolic Computation
Analyzing program dependencies for malware detection

Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014

Quantified Score

Hi-index	0.01

Visualization

Abstract

Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.