The design and implementation of a certifying compiler
PLDI '98 Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation
Translation validation for an optimizing compiler
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A PVS Based Framework for Validating Compiler Optimizations
SEFM '06 Proceedings of the Fourth IEEE International Conference on Software Engineering and Formal Methods
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Using Entropy Analysis to Find Encrypted and Packed Malware
IEEE Security and Privacy
Design of a Certifying Compiler Supporting Proof of Program Safety
TASE '07 Proceedings of the First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Proceedings of the 14th ACM conference on Computer and communications security
Equality saturation: a new approach to optimization
Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Binary translation using peephole superoptimizers
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Mimimorphism: a new approach to binary code obfuscation
Proceedings of the 17th ACM conference on Computer and communications security
Evaluating value-graph translation validation for LLVM
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
Measuring pay-per-install: the commoditization of malware distribution
SEC'11 Proceedings of the 20th USENIX conference on Security
Q: exploit hardening made easy
SEC'11 Proceedings of the 20th USENIX conference on Security
Obfuscation: The Hidden Malware
IEEE Security and Privacy
Return-Oriented Programming: Systems, Languages, and Applications
ACM Transactions on Information and System Security (TISSEC) - Special Issue on Computer and Communications Security
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Binary program statistical features hiding through huffman obfuscated coding
ICIC'13 Proceedings of the 9th international conference on Intelligent Computing Theories
Hi-index | 0.00 |
This paper proposes a new self-camouflaging malware propagation system, Frankenstein, that overcomes shortcomings in the current generation of metamorphic malware. Specifically, although mutants produced by current state-of-the-art metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software. Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses. This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware. The instruction sequence harvesting process leverages recent advances in gadget discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality.