Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 200))

Abstract

Together with the massive expansion of smartphones, tablets, and other smart devices, we can observe a growing number of malware threats targeting these platforms. Software security companies are not prepared for such a diversity of target platforms, and there are only a few techniques for platform-independent malware analysis. This is a major security issue today. In this paper, we propose the concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can then be analyzed in a uniform way. This tool will support static, platform-independent malware analysis. Our solution is unique in exploiting two systems that were not originally intended for such an application: the architecture description language (ADL) ISAC for the platform description, and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.



© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Ďurfina, L. et al. (2011). Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis. In: Kim, Th., Adeli, H., Robles, R.J., Balitanas, M. (eds) Information Security and Assurance. ISA 2011. Communications in Computer and Information Science, vol 200. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23141-4_8

  • DOI: https://doi.org/10.1007/978-3-642-23141-4_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23140-7

  • Online ISBN: 978-3-642-23141-4
