The complementation problem for Bu¨chi automata with applications to temporal logic
Theoretical Computer Science
Monodic fragments of first-order temporal logics: 2000-2001 A.D
LPAR '01 Proceedings of the Artificial Intelligence on Logic for Programming
Reachability Analysis of Pushdown Automata: Application to Model-Checking
CONCUR '97 Proceedings of the 8th International Conference on Concurrency Theory
Model Checking for a First-Order Temporal Logic Using Multiway Decision Graphs
CAV '98 Proceedings of the 10th International Conference on Computer Aided Verification
A BDD-Based Model Checker for Recursive Programs
CAV '01 Proceedings of the 13th International Conference on Computer Aided Verification
Model checking LTL with regular valuations for pushdown systems
Information and Computation - TACS 2001
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
A Method for Detecting Obfuscated Calls in Malicious Binaries
IEEE Transactions on Software Engineering
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Context-sensitive analysis of obfuscated x86 executables
Proceedings of the 2010 ACM SIGPLAN workshop on Partial evaluation and program manipulation
An automata-theoretic approach to infinite-state systems
Time for verification
Behavior abstraction in malware analysis
RV'10 Proceedings of the First international conference on Runtime verification
Malware analysis with tree automata inference
CAV'11 Proceedings of the 23rd international conference on Computer aided verification
Detecting malicious code by model checking
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Variable automata over infinite alphabets
LATA'10 Proceedings of the 4th international conference on Language and Automata Theory and Applications
Pushdown model checking for malware detection
TACAS'12 Proceedings of the 18th international conference on Tools and Algorithms for the Construction and Analysis of Systems
PoMMaDe: pushdown model-checking for malware detection
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
| Hi-index | 0.00 |
Nowadays, malware has become a critical security threat. Traditional anti-viruses such as signature-based techniques and code emulation become insufficient and easy to get around. Thus, it is important to have efficient and robust malware detectors. In [20,19], CTL model-checking for PushDown Systems (PDSs) was shown to be a robust technique for malware detection. However, the approach of [20,19] lacks precision and runs out of memory in several cases. In this work, we show that several malware specifications could be expressed in a more precise manner using LTL instead of CTL. Moreover, LTL can express malicious behaviors that cannot be expressed in CTL. Thus, since LTL model-checking for PDSs is polynomial in the size of PDSs while CTL model-checking for PDSs is exponential, we propose to use LTL model-checking for PDSs for malware detection. Our approach consists of: (1) Modeling the binary program as a PDS. This allows to track the program's stack (needed for malware detection). (2) Introducing a new logic (SLTPL) to specify the malicious behaviors. SLTPL is an extension of LTL with variables, quantifiers, and predicates over the stack. (3) Reducing the malware detection problem to SLTPL model-checking for PDSs. We reduce this model checking problem to the emptiness problem of Symbolic Büchi PDSs. We implemented our techniques in a tool, and we applied it to detect several viruses. Our results are encouraging.