Context-sensitive analysis of obfuscated x86 executables

A method for context-sensitive analysis of binaries that may have obfuscated procedure call and return operations is presented. Such binaries may use operators that directly manipulate the stack, instead of the native call and ret instructions, to achieve equivalent behavior. Since the definition of context-sensitivity and the algorithms for context-sensitive analysis have thus far been based on the specific semantics associated with procedure call and return operations, classic interprocedural analyses cannot be used reliably for analyzing programs in which these operations cannot be discerned. A new notion of context-sensitivity is introduced that is based on the state of the stack at any instruction. While changes in 'calling'-context are associated with transfer of control, and hence can be reasoned about in terms of paths in an interprocedural control flow graph (ICFG), the same is not true of changes in 'stack'-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of call-strings based methods for context-sensitive analysis using stack-context. The method presented is used to create a context-sensitive version of Venable et al.'s algorithm for detecting obfuscated calls. Experimental results show that the context-sensitive version of the algorithm generates more precise results and is also computationally more efficient than its context-insensitive counterpart.
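The following is an added illustration, not code from the paper: a single-path tracker over a constructed x86-like toy instruction set that keys its results on the stack-context (the sequence of tags on the stack) rather than on call/ret edges, and that flags a `push addr; jmp target` pair and a `ret` that consumes a value not pushed by `call`. Unlike the paper's abstract-interpretation framework it follows one concrete execution, so it demonstrates the notion of stack-context, not the fixpoint analysis; the instruction encoding, tag names and program are all constructed for this example.

```python
# Constructed toy ISA: program is dict addr -> (op, arg). Stack values carry a
# tag recording how they got there, so the stack-context at an instruction is
# the tuple of tags currently on the stack (an assumption made for this example).
CALL_TAG, IMM_TAG = "ret-from-call", "pushed-imm"

def run(program, start=0, max_steps=100):
    """Execute from `start`. Returns (contexts, findings): contexts maps each
    executed address to the set of stack-contexts seen there; findings lists
    (addr, reason, target) for suspected obfuscated call/return operations."""
    stack, pc, contexts, findings = [], start, {}, []
    for _ in range(max_steps):
        if pc not in program:
            break
        op, arg = program[pc]
        contexts.setdefault(pc, set()).add(tuple(tag for tag, _ in stack))
        nxt = pc + 1
        if op == "push":
            stack.append((IMM_TAG, arg))
        elif op == "pop":
            stack.pop()
        elif op == "call":                      # native call: CPU pushes return address
            stack.append((CALL_TAG, pc + 1))
            nxt = arg
        elif op == "ret":                       # native ret: pops whatever is on top
            tag, target = stack.pop()
            if tag != CALL_TAG:                 # return address was not placed by `call`
                findings.append((pc, "ret to value not pushed by call", target))
            nxt = target
        elif op == "jmp":
            # `push <code addr>; jmp target` has the effect of `call target`
            if stack and stack[-1][0] == IMM_TAG and stack[-1][1] in program:
                findings.append((pc, "jmp with pushed code address on stack", arg))
            nxt = arg
        elif op == "halt":
            break
        pc = nxt
    return contexts, findings

# Constructed program: the callee at 10 is entered once via an obfuscated call
# (push 4; jmp 10) and once via a native call, so instruction 12 is reached in
# two different stack-contexts even though it sits in the same procedure.
PROGRAM = {
    0: ("push", 4),    # hand-pushed return address ...
    1: ("jmp", 10),    # ... followed by a plain jump instead of `call`
    4: ("call", 10),   # native call; returns to 5
    5: ("halt", None),
    10: ("push", 7),   # callee body
    11: ("pop", None),
    12: ("ret", None),
}
```

Running `run(PROGRAM)` reports the `jmp` at 1 and the `ret` at 12 (for its first execution only), and `contexts[12]` holds both `("pushed-imm",)` and `("ret-from-call",)`, which is the distinction a call-string based analysis cannot make.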

[1] Amitabha Sanyal et al. Data Flow Analysis: Theory and Practice, 2009.

[2] David W. Wall et al. A practical system for intermodule code optimization at link-time, 1993.

[3] Mohamed R. Chouchane et al. The Design Space of Metamorphic Malware, 2007.

[4] Matthew Might et al. Environment analysis via Delta CFA, 2006, POPL.

[5] Matthew Might et al. Environment analysis via ΔCFA, 2006, POPL '06.

[6] Helmut Veith et al. An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries, 2008, VMCAI.

[7] David W. Goodwin et al. Interprocedural dataflow analysis in an executable optimizer, 1997, PLDI '97.

[8] Somesh Jha et al. A semantics-based approach to malware detection, 2008, TOPLAS.

[9] Jianwen Zhu et al. Symbolic pointer analysis revisited, 2004, PLDI '04.

[10] Arun Lakhotia et al. Abstract Stack Graph to Detect Obfuscated Calls in Binaries, 2004.

[11] Somesh Jha et al. Static Analysis of Executables to Detect Malicious Patterns, 2003, USENIX Security Symposium.

[12] Ondrej Lhoták et al. Context-Sensitive Points-to Analysis: Is It Worth It?, 2006, CC.

[13] Thomas W. Reps et al. Improving Pushdown System Model Checking, 2006, CAV.

[14] Patrick Cousot et al. Basic concepts of abstract interpretation, 2004, IFIP Congress Topical Sessions.

[15] Saumya K. Debray et al. Alias analysis of executable code, 1998, POPL '98.

[16] Somesh Jha et al. Weighted pushdown systems and their application to interprocedural dataflow analysis, 2005, Sci. Comput. Program.

[17] Patrick Cousot et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, 1977, POPL.

[18] Monica S. Lam et al. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams, 2004, PLDI '04.

[19] Arun Lakhotia et al. Challenges in Getting 'Formal' with Viruses, 2003.

[20] Patrick Cousot et al. Systematic design of program analysis frameworks, 1979, POPL.

[21] Thomas W. Reps et al. Improved Memory-Access Analysis for x86 Executables, 2008, CC.

[22] Shinichiro Yamamoto et al. A CASE tool platform using an XML representation of Java source code, 2004, Fourth IEEE International Workshop on Source Code Analysis and Manipulation.

[23] Thomas W. Reps et al. Intermediate-representation recovery from low-level code, 2006, PEPM '06.

[24] Saumya K. Debray et al. Obfuscation of executable code to improve resistance to static disassembly, 2003, CCS '03.

[25] Laurie J. Hendren et al. Context-sensitive interprocedural points-to analysis in the presence of function pointers, 1994, PLDI '94.

[26] Arun Lakhotia et al. A method for detecting obfuscated calls in malicious binaries, 2005, IEEE Transactions on Software Engineering.

[27] Jianwen Zhu et al. Towards scalable flow and context sensitive pointer analysis, 2005, Proceedings of the 42nd Design Automation Conference.

[28] Thomas W. Reps et al. WYSINWYX: What you see is not what you eXecute, 2005, TOPLAS.

[29] K. Thompson. Reflections on trusting trust, 1984, CACM.

[30] Christian S. Collberg et al. Watermarking, Tamper-Proofing, and Obfuscation: Tools for Software Protection, 2002, IEEE Trans. Software Eng.

[31] Andrew Walenstein et al. Normalizing Metamorphic Malware Using Term Rewriting, 2006, Sixth IEEE International Workshop on Source Code Analysis and Manipulation.

[32] Arun Lakhotia et al. Analyzing Memory Accesses in Obfuscated x86 Executables, 2005, DIMVA.