A Generic Binary Analysis Method for Malware

  • Conference paper
  • Advances in Information and Computer Security (IWSEC 2010)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6434)

Abstract

In this paper, we present a novel binary analysis method for malware which combines static and dynamic techniques. In the static phase, the target address of each indirect jump is resolved using backward analysis on the static single assignment (SSA) form of the binary code. In the dynamic phase, those target addresses that are not statically resolved are recovered by way of emulation. The method is generic in the sense that it can reveal the control flow of self-extracting/obfuscated code without requiring special assumptions on executables, such as compliance with standard compiler models, which is requisite for the conventional methods of static binary analysis but does not hold for many malware samples. Case studies on real-world malware examples are presented to demonstrate the effectiveness of our method.
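To make the two phases in the abstract concrete, here is an added toy example (not code from the paper or its authors): a tiny three-address IR for one basic block, renamed into SSA form, a backward use-def walk that folds constants to resolve the register an indirect `jmp` reads, and a concrete emulator used only when the walk hits a memory load whose contents are not statically known. The instruction format, register names, addresses and the sample memory contents are all constructed for illustration.

```python
"""Toy static/dynamic resolution of an indirect jump target (illustrative, not the paper's code).

Instruction tuples (constructed format):
  ("mov",  dst, src)        src is a register name or an int immediate
  ("add",  dst, src1, src2)
  ("load", dst, addr_reg)   dst = memory[addr_reg]
  ("jmp",  reg)             indirect jump through a register
"""

MASK32 = 0xFFFFFFFF


def to_ssa(instrs):
    """Rename registers so every write creates a fresh version (SSA for one basic block).

    Returns the renamed instructions and a use-def map: versioned name -> defining expression.
    """
    version, defs, ssa = {}, {}, []

    def use(x):  # current version of a register read; immediates pass through
        return x if isinstance(x, int) else f"{x}_{version.get(x, 0)}"

    def define(r):  # fresh version for a register write
        version[r] = version.get(r, 0) + 1
        return f"{r}_{version[r]}"

    for op, *args in instrs:
        if op == "jmp":
            ssa.append(("jmp", use(args[0])))
        elif op in ("mov", "load"):
            src = use(args[1])          # read operands before defining the destination
            dst = define(args[0])
            defs[dst] = (op, src)
            ssa.append((op, dst, src))
        elif op == "add":
            a, b = use(args[1]), use(args[2])
            dst = define(args[0])
            defs[dst] = ("add", a, b)
            ssa.append(("add", dst, a, b))
        else:
            raise ValueError(f"unsupported op {op}")
    return ssa, defs


def resolve_static(value, defs):
    """Backward analysis: follow use-def chains until only constants remain.

    Returns the concrete value, or None if the chain reaches a memory load or an
    undefined input register (the cases the dynamic phase has to cover).
    """
    if isinstance(value, int):
        return value
    d = defs.get(value)
    if d is None:                      # register read before any definition in the block
        return None
    if d[0] == "mov":
        return resolve_static(d[1], defs)
    if d[0] == "add":
        a = resolve_static(d[1], defs)
        b = resolve_static(d[2], defs)
        return None if a is None or b is None else (a + b) & MASK32
    return None                        # "load": memory contents are not known statically


def emulate(instrs, memory, regs=None):
    """Concrete execution of the block against a given memory image; returns the jump target."""
    regs = dict(regs or {})

    def val(x):
        return x if isinstance(x, int) else regs.get(x, 0)

    for op, *args in instrs:
        if op == "mov":
            regs[args[0]] = val(args[1])
        elif op == "add":
            regs[args[0]] = (val(args[1]) + val(args[2])) & MASK32
        elif op == "load":
            regs[args[0]] = memory.get(val(args[1]), 0)
        elif op == "jmp":
            return val(args[0])
    return None


def resolve_jump(instrs, memory):
    """Static phase first; fall back to emulation only for targets SSA analysis cannot fold.

    Returns (target, phase) where phase is "static" or "dynamic".
    """
    ssa, defs = to_ssa(instrs)
    jmp = ssa[-1]
    assert jmp[0] == "jmp", "block must end in an indirect jump"
    target = resolve_static(jmp[1], defs)
    if target is not None:
        return target, "static"
    return emulate(instrs, memory), "dynamic"


# Constructed sample blocks. The trailing "mov ebx, 0" in STATIC_BLOCK shows why SSA
# versions matter: eax was computed from the *earlier* ebx value, not the final one.
STATIC_BLOCK = [
    ("mov", "eax", 0x401000),
    ("mov", "ebx", 0x20),
    ("add", "eax", "eax", "ebx"),
    ("mov", "ebx", 0),
    ("jmp", "eax"),
]
DYNAMIC_BLOCK = [                      # target comes from memory, so static folding stops
    ("mov", "eax", 0x402000),
    ("load", "ecx", "eax"),
    ("add", "ecx", "ecx", 4),
    ("jmp", "ecx"),
]
SAMPLE_MEMORY = {0x402000: 0x40100C}   # constructed memory image for the emulator

if __name__ == "__main__":
    print(resolve_jump(STATIC_BLOCK, {}))            # (0x401020, 'static')
    print(resolve_jump(DYNAMIC_BLOCK, SAMPLE_MEMORY))  # (0x401010, 'dynamic')
```

The toy restricts itself to a single basic block, so no φ-functions are needed; the paper's method works on SSA over the full control-flow graph, where joins and loops are exactly what makes the backward walk non-trivial. The design point it does show is the division of labour: the static walk is cheap and sound when the dependency chain bottoms out in immediates, and the emulator is invoked only for the residue, which is also where an analyst should expect packers and obfuscators to hide their real transfer targets.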

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Izumida, T., Futatsugi, K., Mori, A. (2010). A Generic Binary Analysis Method for Malware. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_14

  • DOI: https://doi.org/10.1007/978-3-642-16825-3_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16824-6

  • Online ISBN: 978-3-642-16825-3

  • eBook Packages: Computer Science (R0)