论文信息 - Stack Shape Analysis to Detect Obfuscated calls in Binaries

Stack Shape Analysis to Detect Obfuscated calls in Binaries

Information about calls to the operating system (or kernel libraries) made by a binary executable maybe used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the CALL instruction. For instance, the CALL ADDR instruction may be replaced by two PUSH instructions and a RETURN instruction, the first PUSH pushes the address of instruction after the RETURN instruction, and the second PUSH pushes the address ADDR. The code may be further obfuscated by spreading the three instructions and by splitting each instruction into multiple instructions. This paper presents a method to statically detect obfuscated calls in binary code. The notion of abstract stack is introduced to associate each element in the stack to the instruction that pushes the element. An abstract stack graph is a concise representation of all abstract stacks at every point in the program. The abstract stack graph may be created by abstract interpretation of the binary executable and may be used to detect obfuscated calls.

Arun Lakhotia

[1] Gregory Wroblewski,et al. General Method of Program Code Obfuscation , 2002 .

[2] Saumya K. Debray,et al. Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[3] Amit Sahai,et al. On the (im)possibility of obfuscating programs , 2001, JACM.

[4] Understanding Heuristics : Symantec ’ s Bloodhound Technology , 1997 .

[5] Christian S. Collberg,et al. A Taxonomy of Obfuscating Transformations , 1997 .

[6] Somesh Jha,et al. Static Analysis of Executables to Detect Malicious Patterns , 2003, USENIX Security Symposium.

[7] Arun Lakhotia,et al. CHALLENGES IN GETTING ‘FORMAL’ WITH VIRUSES , 2003 .

[8] Peter Szor,et al. HUNTING FOR METAMORPHIC , 2001 .

[9] Cristina Cifuentes,et al. Decompilation of binary programs , 1995, Softw. Pract. Exp..

[10] Clark Thomborson,et al. Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[11] Christian S. Collberg,et al. Breaking abstractions and unstructuring data structures , 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[12] Christian S. Collberg,et al. Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..