2008
DOI: 10.1007/s11416-008-0094-0

Detection of metamorphic and virtualization-based malware using algebraic specification

Abstract: We present an overview of the latest developments in the detection of metamorphic and virtualization-based malware using an algebraic specification of the Intel 64 assembly programming language. After giving an overview of related work, we describe the development of a specification of a subset of the Intel 64 instruction set in Maude, an advanced formal algebraic specification tool. We develop the technique of metamorphic malware detection based on equivalence-in-context so that it is applicable to imperative …

Cited by 13 publications (6 citation statements); references 16 publications.

Citation statements:
“…The Blue/Red Pill saga illustrates the basic security questions that must be answered when virtualization is used for protection, particularly whether a general hypervisor can be detected, subverted, or used for a nefarious purpose. The original notion of the undetectable hypervisor has been challenged and other researchers have extended both the Blue and Red Pill approaches [20]. As we performed our own case study analysis to characterize the security provided by PVMs, we use the same approach as Rutkowska for discovering or detecting hypervisor entry points as the basis for MATE attacks against a PVM-protected application.…”
Section: Virtualization For Protecting Malware (citation type: mentioning; confidence: 99%)

“…Virtualization has been used to provide safe environments for dynamic malware analysis and to protect malware itself from detection or analysis [4,5,10,17,19,20]. The technology offers great promise for legitimate code protection and has been the subject of considerable research [1,6,8] and commercial realization.…”
Section: Introduction (citation type: mentioning; confidence: 99%)

“…Given that harmful attacks on operating systems are falsifications of necessary conditions for the correctness of the operating system, anti-malware production is the responsibility of operating system producers. Other approaches in a similar spirit are: [30] based on algebraic specification for assembly software systems, [31] based on static program analysis (control-flow graph extraction) for arbitrary software systems, and [32] based on abstract interpretation.…”
Section: Assessment (citation type: mentioning; confidence: 99%)

“…Many more formal works have been published on this subject. As an example, in 2003, Frédéric Perriot proposed an approach based on the use of compiler optimisations to improve polymorphic code detection [9]; other Malcolm [10]. In the same spirit, one should be aware of Mihai Christodorescu's paper [11].…”
Section: Case Study: a Protection Analysis (citation type: mentioning; confidence: 99%)