Authors: N. Tawbi, M. Debbabi, J. Desharnais, Y. Lavoie, J. Bergeron
DOI:
Keywords: Source code, Static analysis, Abstract syntax tree, Portable Executable, Computer science, Executable, Code segment, Compiler, Programming language, Machine code
Abstract: In this paper, we propose a new approach for the static detection of malicious code in executable programs. Our rests on semantic analysis based behaviour that even makes possible unknown code. This is carried out directly binary Static offers techniques predicting properties programs without running them. The given achieved three major steps: construction an intermediate representation, flow-based catches security-oriented program behaviour, and verification critical behaviours against security policies (model checking).

1. Motivation Background

With advent rising popularity networks, Internet, intranets distributed systems, becoming one focal points research. As matter fact, more people are concerned with could exist software products. A piece can affect secrecy, integrity, data control flow, functionality system. Therefore, their concern within computer science community as well user community. flow program, may naturally be helpful part process. address problem executables. primary objective initiative to elaborate practical methods tools robust theoretical foundations rest paper organized following way. Section 2 devoted comparison dynamic approaches. 3 presents our malices 4 discusses implementation approach. Finally, few remarks discussion future ultimately sketched conclusion 5.

∗ This research jointly funded by grant from Natural Sciences Engineering Research Council, NSERC, Canada also contract Defence Establishment, Valcartier (DREV), 2459, Pie XI Nord, Val-Belair, QC, Canada, G3J 1X5

2. vs

There two main approaches : analysis. consists examining determine execution these technique has been used extensively past compiler developers carry various analyses transformations aiming at optimizing [10]. reverse engineering systems understanding [3, 4]. Its use fairly recent. Dynamic mainly monitoring detect behaviour. advantages over analysis: • permit make exhaustive They not bound specific give guarantees apply all executions program.
contrast, only allow examination correspond selected test cases. verdict before execution, where it difficult proper action take presence malices. no run-time overhead. However, impossible certify statically certain hold (e.g., due undecidability). case, solution. Thus, complementary. first, cannot asserted monitored dynamically. mentioned introduction, techniques. Not much published about [8], authors method detecting C Their so-called tell-tale signs, which distinguish between benign combine sign slicing order produce small fragments large easily analyzed.

3. Description Approach

generally operate source explained need them code, thus, had adapt evolve structured Firstly, translated into internal form (see 3.1); secondly, abstracted through flow-based relevant graphs (control-flow graph, data-flow call critical-API 1 etc.) (Section 3.2); third step checking 3.3).

3.1 Intermediate Representation

machine version high-level or assembly compiled (or assembled) linked particular platform operating general format executables varies widely among systems. For example, Portable Executable (PE) Windows NT/98/95 PE includes comprehensive information different sections file, including segments: .text, contains entry point application, .data, type data, .idata .edata, contain respectively list imported exported APIs application Dynamic-Linking Library (DLL). segment (.text) constitutes file; section translate equivalent high-level-language disassembly tool IDA32 Pro [7], disassemble types files (ELF, EXE, PE, several processors (Windows 98, NT, etc.). Also, automatically recognizes calls standard libraries (i.e., API calls) long compilers. Statically analysing requires syntax tree called representation. abstract goal first then parse thus generated (Figure 1).

1 API: Application Program Interface.
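The paper's first step locates the code segment (.text), the entry point and the import/export sections inside the PE file before anything is disassembled. The following is an added example, not code from the paper or its tool: a minimal PE32 header walker that reads the DOS header, PE signature, COFF header, optional header and section table, finds which section holds the entry point, and returns the raw bytes of that section as the input a disassembler would consume. The image it parses is constructed in memory (`build_sample_pe`, a placeholder with four sections and a 16-byte NOP-then-RET stub, not a real program), and the helper names are this example's own.

```python
import struct

# Section characteristics flags defined by the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
COFF_HEADER = struct.Struct("<HHIIIHH")  # 20 bytes


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = COFF_HEADER.unpack_from(data, coff)
    opt = coff + COFF_HEADER.size
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    pos = opt + opt_size                                         # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = SECTION_HEADER.unpack_from(data, pos)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_pointer": rawptr, "raw_size": rawsize,
            "characteristics": chars,
        })
        pos += SECTION_HEADER.size
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains the RVA, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def code_segment(data: bytes, pe: dict) -> bytes:
    """Raw file bytes of the section holding the entry point (what a disassembler starts from)."""
    name = section_for_rva(pe["sections"], pe["entry_rva"])
    for s in pe["sections"]:
        if s["name"] == name:
            return data[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
    return b""


def writable_executable_sections(pe: dict) -> list:
    """Sections mapped both writable and executable; a cheap anomaly check before deeper analysis."""
    both = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in pe["sections"] if s["characteristics"] & both == both]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (placeholder, not a real program): headers plus four sections."""
    layout = [  # name, RVA, raw file offset, characteristics
        (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".idata", 0x3000, 0x600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".edata", 0x4000, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    size = 0x200                                # every section is one 0x200-byte page here
    image = bytearray(0xA00)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    image[0x40:0x44] = b"PE\0\0"
    # Machine 0x14C (i386), 4 sections, SizeOfOptionalHeader 0xE0, Characteristics: executable image
    COFF_HEADER.pack_into(image, 0x44, 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)        # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1010)  # entry point RVA inside .text
    pos = opt + 0xE0
    for name, rva, raw, flags in layout:
        SECTION_HEADER.pack_into(image, pos, name, size, rva, size, raw, 0, 0, 0, 0, flags)
        pos += SECTION_HEADER.size
    # constructed stub in .text: fifteen NOPs then RET (placeholder bytes, not real program code)
    image[0x200:0x210] = b"\x90" * 15 + b"\xc3"
    return bytes(image)


if __name__ == "__main__":
    blob = build_sample_pe()
    pe = parse_pe(blob)
    for s in pe["sections"]:
        print(f"{s['name']:8} rva=0x{s['virtual_address']:05x} raw=0x{s['raw_pointer']:04x}")
    print("entry point in:", section_for_rva(pe["sections"], pe["entry_rva"]))
    print("code bytes:", code_segment(blob, pe)[:16].hex())
```

On a real file the same `parse_pe` call replaces `build_sample_pe()` with the file contents; `code_segment` then yields the bytes handed to the disassembler, and the section list gives the `.idata` / `.edata` locations from which imported and exported API names are resolved in the next step. Only the fields the walk needs are decoded (no data directories), so a PE32+ file is detected by `magic` but its 64-bit optional header layout is not interpreted here.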