Abstract
The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform that has a JVM implementation. To circumvent detection by anti-virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls, two techniques that can be used either together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.
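The idea the abstract describes, as an added example that is not the paper's evaluator: a toy partial evaluator over a Jimple-like three-address IR (the IR shape, the xor string encoding standing in for an exploit's string-obfuscation routine, and the sample program are all constructed here) that folds the decoded string constants at specialisation time and rewrites a reflective call whose class and method names have become static into a direct invoke, while a call whose class name is dynamic is left as it is.

```python
# Toy partial evaluator over a Jimple-like three-address IR (constructed for this
# example; not the paper's code). Statements are (op, dst, operands):
#   ("const",   d, (s,))            d = "s"
#   ("decode",  d, (a, key))        d = xor_decode(a, key)  (stand-in string decoder)
#   ("concat",  d, (a, b))          d = a + b
#   ("reflect", d, (cls, m, recv))  d = Class.forName(cls).getMethod(m).invoke(recv)
#   ("invoke",  d, (cls, m, recv))  d = recv.<cls: m>()     direct, signature-matchable
# Variables known at specialisation time are "static" and live in env; anything
# else (e.g. a method parameter "p0") is "dynamic" and stays symbolic.

def xor_decode(s, key):
    # Symmetric, so the same routine builds the obfuscated constants below.
    return "".join(chr(ord(c) ^ key) for c in s)

def partial_evaluate(stmts):
    env = {}        # static variable -> known string value
    residual = []   # specialised program handed back to the AV matcher
    for op, dst, ops in stmts:
        if op == "const":
            env[dst] = ops[0]
        elif op == "decode" and ops[0] in env:
            env[dst] = xor_decode(env[ops[0]], ops[1])       # run the decoder now
        elif op == "concat" and all(v in env for v in ops):
            env[dst] = env[ops[0]] + env[ops[1]]
        elif op == "reflect" and ops[0] in env and ops[1] in env:
            # Class and method names are static: replace the reflective call with
            # the direct invoke, which is the form a detection signature can match.
            residual.append(("invoke", dst, (env[ops[0]], env[ops[1]], ops[2])))
        else:
            # A dynamic operand is involved: keep the statement, inlining static
            # operands as literals. Folded constants are dead and are not emitted.
            residual.append((op, dst, tuple(env.get(v, v) for v in ops)))
    return residual

# Constructed sample: an obfuscated program that builds "java.lang.System" from
# two xor-encoded fragments and calls getProperty through reflection.
KEY = 0x2A
OBFUSCATED = [
    ("const", "$s0", (xor_decode("java.lang.", KEY),)),
    ("const", "$s1", (xor_decode("System", KEY),)),
    ("decode", "$s2", ("$s0", KEY)),
    ("decode", "$s3", ("$s1", KEY)),
    ("concat", "$cls", ("$s2", "$s3")),
    ("const", "$m", ("getProperty",)),
    ("reflect", "$r", ("$cls", "$m", "r0")),
]
# Same call, but the class name arrives in a method parameter: nothing can be folded.
DYNAMIC = [("const", "$m", ("getProperty",)), ("reflect", "$r", ("p0", "$m", "r0"))]
```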
© 2015 Springer International Publishing Switzerland
Cite this paper
Singh, R., King, A. (2015). Partial Evaluation for Java Malware Detection. In: Proietti, M., Seki, H. (eds) Logic-Based Program Synthesis and Transformation. LOPSTR 2014. Lecture Notes in Computer Science(), vol 8981. Springer, Cham. https://doi.org/10.1007/978-3-319-17822-6_8
DOI: https://doi.org/10.1007/978-3-319-17822-6_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17821-9
Online ISBN: 978-3-319-17822-6
eBook Packages: Computer Science; Computer Science (R0)