A generic binary analysis method for malware

Authors:
Tomonori Izumida;Kokichi Futatsugi;Akira Mori
Affiliations:
National Institute of Advanced Industrial Science and Technology, Tokyo, Japan and Japan Advanced Institute of Science and Technology, Nomi, Ishikawa, Japan;Japan Advanced Institute of Science and Technology, Nomi, Ishikawa, Japan;National Institute of Advanced Industrial Science and Technology, Tokyo, Japan
Venue:
IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Year:
2010

Citing 14
Cited 0

Efficient symbolic analysis of programs

Journal of Computer and System Sciences
The program dependence web: a representation supporting control-, data-, and demand-driven interpretation of imperative languages

PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
Efficiently computing static single assignment form and the control dependence graph

ACM Transactions on Programming Languages and Systems (TOPLAS)
Gated SSA-based demand-driven symbolic analysis for parallelizing compilers

ICS '95 Proceedings of the 9th international conference on Supercomputing
Fast Algorithms for Solving Path Problems

Journal of the ACM (JACM)
Constant propagation: a fresh, demand-driven look

SAC '94 Proceedings of the 1994 ACM symposium on Applied computing
Recovery of jump table case statements from binary code

Science of Computer Programming - Special issue on program comprehension (IWPC '99)
Symbolic evaluation and the global value graph

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
A tool for analyzing and detecting malicious mobile code

Proceedings of the 28th international conference on Software engineering
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Diff/TS: A Tool for Fine-Grained Structural Change Analysis

WCRE '08 Proceedings of the 2008 15th Working Conference on Reverse Engineering
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Analysis and defense of vulnerabilities in binary code

Analysis and defense of vulnerabilities in binary code
Identifying Dormant Functionality in Malware Programs

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present a novel binary analysis method for malware which combines static and dynamic techniques. In the static phase, the target address of each indirect jump is resolved using backward analysis on static single assignment form of binary code. In the dynamic phase, those target addresses that are not statically resolved are recovered by way of emulation. The method is generic in the sense that it can reveal control flows of self-extracting/obfuscated code without requiring special assumptions on executables such as compliance with standard compiler models, which is requisite for the conventional methods of static binary analysis but does not hold for many malware samples. Case studies on real-world malware examples are presented to demonstrate the effectiveness of our method.