Symbolic Boolean manipulation with ordered binary-decision diagrams
ACM Computing Surveys (CSUR)
A BDD-Based Model Checker for Recursive Programs
CAV '01 Proceedings of the 13th International Conference on Computer Aided Verification
Model checking LTL with regular valuations for pushdown systems
Information and Computation - TACS 2001
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A Method for Detecting Obfuscated Calls in Malicious Binaries
IEEE Transactions on Software Engineering
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Mining specifications of malicious behavior
ISEC '08 Proceedings of the 1st India software engineering conference
Context-sensitive analysis of obfuscated x86 executables
Proceedings of the 2010 ACM SIGPLAN workshop on Partial evaluation and program manipulation
Using verification technology to specify and detect malware
EUROCAST'07 Proceedings of the 11th international conference on Computer aided systems theory
Proactive Detection of Computer Worms Using Model Checking
IEEE Transactions on Dependable and Secure Computing
Effcient CTL model-checking for pushdown systems
CONCUR'11 Proceedings of the 22nd international conference on Concurrency theory
Detecting malicious code by model checking
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Model checking x86 executables with codesurfer/x86 and WPDS++
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
LTL model-checking for malware detection
TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
Reasoning about nondeterminism in programs
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
PoMMaDe: pushdown model-checking for malware detection
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
| Hi-index | 0.00 |
The number of malware is growing extraordinarily fast. Therefore, it is important to have efficient malware detectors. Malware writers try to obfuscate their code by different techniques. Many of these well-known obfuscation techniques rely on operations on the stack such as inserting dead code by adding useless push and pop instructions, or hiding calls to the operating system, etc. Thus, it is important for malware detectors to be able to deal with the program's stack. In this paper we propose a new model-checking approach for malware detection that takes into account the behavior of the stack. Our approach consists in : (1) Modeling the program using a Pushdown System (PDS). (2) Introducing a new logic, called SCTPL, to represent the malicious behavior. SCTPL can be seen as an extension of the branching-time temporal logic CTL with variables, quantifiers, and predicates over the stack. (3) Reducing the malware detection problem to the model-checking problem of PDSs against SCTPL formulas. We show how our new logic can be used to precisely express malicious behaviors that could not be specified by existing specification formalisms. We then consider the model-checking problem of PDSs against SCTPL specifications. We reduce this problem to emptiness checking in Symbolic Alternating Büchi Pushdown Systems, and we provide an algorithm to solve this problem. We implemented our techniques in a tool, and we applied it to detect several viruses. Our results are encouraging.