Functional polymorphic engines: formalisation, implementation and use cases

  • Eicar 2008 extended version
  • Journal in Computer Virology

Abstract

Given the known shortcomings of form-based detection, an increasing number of antivirus products consider behavioral detection. Following this trend, form-based mutations could become function-based with the appearance of functional polymorphism: a third generation of mutation mechanism, specifically designed to address behavioral detection. Indeed, the same global behavior or purpose (replication, propagation, residency, etc.) can be achieved through different functional solutions, thus leaving room for possible mutations. Whereas current form-based mutation techniques mainly modify the code structure of malware, functional mutations modify the code functionality, and more particularly the resulting interaction scheme with the operating system and other software. These functional mutations cannot be achieved without reaching a semantic level of interpretation, higher than that of current techniques, which remain purely syntactic. Drawing a parallel, this article underlines the strong relation between functional polymorphic engines and compilers. By studying the associated mutation properties, we prove that these engines exhibit logarithmic entropy and result in NP-complete complexity for behavioral detection. Finally, the implementation of a prototype is addressed, as well as its possible use for antivirus testing and software protection.
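The abstract's central point, that one purpose can be realised through several different interaction schemes with the operating system, and that a detector therefore has to lift call traces to a semantic level before matching, is illustrated below with an added toy example. It is not code from the paper or its prototype: the trace format (`call:target` entries with handles already resolved by a hypothetical tracer), the call names, the `SEMANTIC_MAP` table and the `ALTERNATIVES` counts are all constructed for illustration. A form-based signature catches only the one variant it was written from, while the behaviour-based check matches every functional variant of the same abstract operation sequence and leaves an unrelated benign trace alone. The last two functions only show the elementary fact behind the entropy claim: a uniform choice among N equivalent implementations carries log2 N bits; they do not reproduce the paper's proof.

```python
import math
import re

# Constructed trace format (assumption, not from the paper): one entry per
# intercepted call, "call:target", where a hypothetical tracer has already
# resolved file handles to the object they refer to. SELF is the running
# program's own image, NEW a freshly created file.
VARIANT_A = ["open:SELF", "read:SELF", "create:NEW", "write:NEW", "close:NEW"]
VARIANT_B = ["mmap:SELF", "create:NEW", "sendfile:NEW", "close:NEW"]
VARIANT_C = ["sleep:-", "copyfile:SELF->NEW"]
BENIGN = ["open:config.ini", "read:config.ini", "close:config.ini"]

# A form-based (syntactic) signature: the exact call sequence of one variant.
FORM_SIGNATURE = ["open:SELF", "read:SELF", "create:NEW", "write:NEW"]

# Semantic table (constructed): each concrete call maps to the abstract
# operation(s) it realises. Different API choices collapse onto the same
# semantic tokens, which is the level a behavioural detector must reason at.
SEMANTIC_MAP = {
    ("open", "SELF"): ("OPEN_SELF",),
    ("mmap", "SELF"): ("OPEN_SELF", "READ_SELF"),
    ("read", "SELF"): ("READ_SELF",),
    ("create", "NEW"): ("CREATE_TARGET",),
    ("write", "NEW"): ("WRITE_TARGET",),
    ("sendfile", "NEW"): ("WRITE_TARGET",),
    ("copyfile", "SELF->NEW"): ("OPEN_SELF", "READ_SELF", "CREATE_TARGET", "WRITE_TARGET"),
}

# The abstract replication behaviour, written over semantic tokens and
# tolerant of interleaved unrelated operations.
REPLICATION = re.compile(
    r"OPEN_SELF(?: \w+)* READ_SELF(?: \w+)* CREATE_TARGET(?: \w+)* WRITE_TARGET"
)


def abstract_trace(trace):
    """Lift a concrete call trace to the sequence of semantic operations."""
    ops = []
    for entry in trace:
        call, _, target = entry.partition(":")
        ops.extend(SEMANTIC_MAP.get((call, target), ("OTHER",)))
    return ops


def syntactic_match(trace):
    """Form-based check: does the exact signature sequence occur in the trace?"""
    n = len(FORM_SIGNATURE)
    return any(trace[i:i + n] == FORM_SIGNATURE for i in range(len(trace) - n + 1))


def semantic_match(trace):
    """Behaviour-based check on the lifted trace."""
    return REPLICATION.search(" ".join(abstract_trace(trace))) is not None


# Constructed count of functionally equivalent implementations the engine
# can choose from for each abstract step of the behaviour.
ALTERNATIVES = {"OPEN_SELF": 2, "READ_SELF": 2, "CREATE_TARGET": 2, "WRITE_TARGET": 3}


def variant_count(alternatives):
    """Number of distinct variants when one implementation is picked per step."""
    return math.prod(alternatives.values())


def variant_entropy_bits(alternatives):
    """Entropy of a uniform choice among the variants: log2 of their number."""
    return math.log2(variant_count(alternatives))


if __name__ == "__main__":
    for name, trace in [("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C), ("benign", BENIGN)]:
        print(f"{name:6} form-based={syntactic_match(trace)!s:5} behaviour-based={semantic_match(trace)}")
    print(f"{variant_count(ALTERNATIVES)} variants, {variant_entropy_bits(ALTERNATIVES):.2f} bits")
```

Run stand-alone, the script reports that only variant A is caught by the form-based signature while all three variants, and not the benign trace, are caught by the behaviour-based check. The design choice worth noting is that `SEMANTIC_MAP` is keyed on the resolved target as well as the call name: the same `read` call is an `OTHER` operation when it touches a configuration file, so the abstraction step, not the regular expression, is what keeps the false-positive rate in check.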



Correspondence to Grégoire Jacob.

Cite this article

Jacob, G., Filiol, E. & Debar, H. Functional polymorphic engines: formalisation, implementation and use cases. J Comput Virol 5, 247–261 (2009). https://doi.org/10.1007/s11416-008-0095-z
