Pushdown model checking for malware detection

The number of malware samples is growing extraordinarily fast, so efficient malware detectors are important. Malware writers try to obfuscate their code with different techniques. Many well-known obfuscation techniques rely on operations on the stack, such as inserting dead code by adding useless push and pop instructions, or hiding calls to the operating system. It is therefore important for malware detectors to be able to reason about the program's stack. In this study, we propose a new model-checking approach for malware detection that takes the behavior of the stack into account. Our approach consists of: (1) modeling the program as a pushdown system (PDS); (2) introducing a new logic, called stack computation tree predicate logic (SCTPL), to represent the malicious behavior, where SCTPL can be seen as an extension of the branching-time temporal logic CTL with variables, quantifiers, and predicates over the stack; and (3) reducing the malware detection problem to the model-checking problem of PDSs against SCTPL formulas. We show how our new logic can be used to precisely express malicious behaviors that could not be specified with existing specification formalisms. We then consider the model-checking problem of PDSs against SCTPL specifications. We reduce this problem to emptiness checking in Symbolic Alternating Büchi Pushdown Systems and provide an algorithm to solve it. We implemented our techniques in a tool and applied it to detect several viruses. Our results are encouraging.
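To make the stack-aware modeling concrete, here is an added Python example that is not the paper's tool and does not implement SCTPL. It models a handful of x86-like instructions (push, pop, ret, nop) as pushdown-system rules, where the control location is the program label and `ret` pops the top symbol and transfers control to it, and then answers one stack predicate by the classic pre* saturation algorithm for pushdown systems: can control ever reach a given entry point with a given argument on top of the stack? The three program listings, the labels `l0`, `l1`, ..., the bottom marker `BOT`, the automaton state `acc` and the placeholder name `ExampleAPI` are all constructed for this illustration. The point it demonstrates is the one the abstract makes: a stack-blind scan for "push of an API address" flags all three listings, while the PDS analysis flags only the two in which the address is actually on top of the stack when `ret` executes, including the one padded with a useless push/pop pair.

```python
"""Added example (not the paper's code): a tiny pushdown-system (PDS) model of
stack-manipulating code, checked with pre* saturation.  All listings, labels
and the API name below are constructed placeholders."""

BOTTOM = "BOT"  # assumed stack-bottom marker


def alphabet_of(program):
    """Stack alphabet: every value the program can push, plus the bottom marker."""
    return {arg for op, *rest in program if op == "push" for arg in rest} | {BOTTOM}


def pds_rules(program):
    """Translate (op, [arg]) instructions at labels l0, l1, ... into PDS rules
    ((p, gamma), (p', w)), with the pushed word w written top-first.
    'ret' pops the top symbol and makes it the new control location."""
    rules = []
    alpha = alphabet_of(program)
    for i, (op, *arg) in enumerate(program):
        here, nxt = f"l{i}", f"l{i + 1}"
        for g in alpha:
            if op == "push":
                rules.append(((here, g), (nxt, (arg[0], g))))
            elif op == "pop":
                rules.append(((here, g), (nxt, ())))
            elif op == "ret":
                rules.append(((here, g), (g, ())))
            elif op == "nop":
                rules.append(((here, g), (nxt, (g,))))
            else:
                raise ValueError(f"unsupported op {op!r}")
    return rules


def reach(trans, state, word):
    """States of the P-automaton reachable from `state` by reading `word`."""
    cur = {state}
    for sym in word:
        cur = {q2 for (q1, s, q2) in trans if q1 in cur and s == sym}
    return cur


def pre_star(rules, trans):
    """Saturation: while some rule (p,g) -> (p',w) has p' --w--> q in the
    automaton, add the transition p --g--> q.  The result accepts exactly the
    configurations from which the target set is reachable."""
    trans = set(trans)
    changed = True
    while changed:
        changed = False
        for (p, g), (p2, w) in rules:
            for q in reach(trans, p2, w):
                if (p, g, q) not in trans:
                    trans.add((p, g, q))
                    changed = True
    return trans


def reaches_api_with_arg(program, api, arg):
    """Stack predicate: starting at l0 with an empty stack, can control reach
    `api` with `arg` on top of the stack (anything below it)?"""
    alpha = alphabet_of(program)
    target = {(api, arg, "acc")} | {("acc", g, "acc") for g in alpha}
    saturated = pre_star(pds_rules(program), target)
    return bool(reach(saturated, "l0", (BOTTOM,)) & {"acc"})


def syntactic_flag(program, api):
    """Stack-blind baseline: flag any push of the API address."""
    return any(op == "push" and arg == [api] for op, *arg in program)


# Constructed listings.  ExampleAPI stands for an OS entry point.
API = "ExampleAPI"
HIDDEN_CALL = [("push", "0"), ("push", API), ("ret",)]
PADDED = [("push", "0"), ("push", "junk"), ("pop",), ("push", API), ("ret",)]
NO_CALL = [("push", "0"), ("push", API), ("pop",), ("ret",)]

if __name__ == "__main__":
    for name, prog in [("hidden call", HIDDEN_CALL), ("padded", PADDED), ("no call", NO_CALL)]:
        print(f"{name:12s} PDS: {reaches_api_with_arg(prog, API, '0')!s:5s} "
              f"syntactic: {syntactic_flag(prog, API)}")
```

The saturation works backwards from the target set, so it never enumerates the (in general unbounded) stack; the automaton returned by `pre_star` is the finite representation that the abstract's reduction to emptiness checking relies on in a far more general form.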
