Abstract
Together with the massive expansion of smartphones, tablets, and other smart devices, we can observe a growing number of malware threats targeting these platforms. Software security companies are not prepared for such a diversity of target platforms, and there are only a few techniques for platform-independent malware analysis. This is a major security issue today. In this paper, we propose the concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can then be analyzed in a uniform way regardless of the original platform. This tool will support static, platform-independent malware analysis. Our solution is unique in that it exploits two systems that were not originally intended for such an application: the architecture description language (ADL) ISAC, used for the platform description, and the LLVM Compiler System, used as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Ďurfina, L. et al. (2011). Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis. In: Kim, Th., Adeli, H., Robles, R.J., Balitanas, M. (eds) Information Security and Assurance. ISA 2011. Communications in Computer and Information Science, vol 200. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23141-4_8
DOI: https://doi.org/10.1007/978-3-642-23141-4_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23140-7
Online ISBN: 978-3-642-23141-4
eBook Packages: Computer Science (R0)