In this paper, we present a novel binary analysis method for malware which combines static and dynamic techniques. In the static phase, the target address of each indirect jump is resolved using backward analysis on static single assignment form of binary code. In the dynamic phase, those target addresses that are not statically resolved are recovered by way of emulation. The method is generic in the sense that it can reveal control flows of self-extracting/obfuscated code without requiring special assumptions on executables such as compliance with standard compiler models, which is requisite for the conventional methods of static binary analysis but does not hold for many malware samples. Case studies on real-world malware examples are presented to demonstrate the effectiveness of our method.