Unveiling metamorphism by abstract interpretation of code properties

Preda, Mila Dalla; Giacobazzi, Roberto; Debray, Saumya

doi:10.1016/j.tcs.2015.02.024

Cited by 12 publications

(8 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The notion of wave that we use is a little bit different to the one introduced by Dalla Preda, Giacobazzi and Debray [9] (called phase). The main advantage of our approach is that waves can be computed on the fly.…”

Section: Resultsmentioning

confidence: 99%

Gorille sniffs code similarities, the case study of qwerty versus regin

Bonfante

Marion

Sabatier

2015

2015 10th International Conference on Malicious and Unwanted Software (MALWARE)

View full text Add to dashboard Cite

In the last decade, our group has developed a tool called Gorille which implements morphological analysis, roughly speaking control graph comparison of malware. Our first intention was to use it for malware detection, and this works quite well as already presented in [2]. However, morphological analysis outputs a more refine output than 'yes' or 'no'. In the current contribution, we show that it can be used in several ways for retro-engineering. First, we describe a rapid triggering process that enlighten code similarities. Second, we present a function identification mechanism which aim is to reveal some key code in a malware. Finally, we supply a procedure which separate different families of code given some samples. All these tasks are done (almost) automatically seen from a retro-engineering perspective.

show abstract

Section: Resultsmentioning

confidence: 99%

Gorille sniffs code similarities, the case study of qwerty versus regin

Bonfante

Marion

Sabatier

2015

2015 10th International Conference on Malicious and Unwanted Software (MALWARE)

View full text Add to dashboard Cite

show abstract

“…In [12] Dalla Preda et al follow the idea of extracting the specification of the metamorphic engine and of the possible code variants, from the metamorphic code analysis. They introduce a semantics for self-modifying code, called phase semantics, and prove its correctness by proving that it is an abstract interpretation of standard trace semantics.…”

Section: Related Workmentioning

confidence: 99%

“…In particular, they introduce the notion of regular metamorphism, in which the invariants of phase semantics can be modeled as a FSA representing the code structure of all possible metamorphic changes of a metamorphic code. As a matter of fact, the work in [12] can be considered as a general formal framework for modeling malware metamorphism, while our work provides a practical application of the formal framework that allows us to automatically extract the metamorphic signatures as a rewriting rules system.…”

Section: Related Workmentioning

confidence: 99%

“…We start with a simple case study taken from [12] where the authors manually built the graph accepting all the possible metamorphic variants generated from the following program: [P : mov e, 10] The hidden metamorphic engine applies the following transformation rules: R1 push e 2 ; pop e 1 ↔ mov e 1 ,e 2 R2 mov e 2 , e 1 ; push e 2 ↔ push e 1 R3 pop e 2 ; mov e 1 ,e 2 ↔ pop e 1 Note that, by substituting e with either an immediate value Imm, a register or a memory value, in the above three rules we obtain the first six rules presented in Sect. 5.1 which are implemented in MetaSign.…”

Section: Case Studiesmentioning

confidence: 99%

“…The key idea is to build a unique CFG for all the code variants that over-approximates the union of their recognized languages, i.e., it models the metamorphic behavior as a regular language of abstract instructions. This process is called regular metamorphism [12]. Finally, from the resulting widening CFG, MetaSign tries to learn the rewriting rules used to generate each variant through a simple learning grammar technique [13,14] and it produces, as output, the inferred rules.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Learning metamorphic malware signatures from samples

Campion

Preda

Giacobazzi

2021

J Comput Virol Hack Tech

Self Cite

View full text Add to dashboard Cite

Metamorphic malware are self-modifying programs which apply semantic preserving transformations to their own code in order to foil detection systems based on signature matching. Metamorphism impacts both software security and code protection technologies: it is used by malware writers to evade detection systems based on pattern matching and by software developers for preventing malicious host attacks through software diversification. In this paper, we consider the problem of automatically extracting metamorphic signatures from the analysis of metamorphic malware variants. We define a metamorphic signature as an abstract program representation that ideally captures all the possible code variants that might be generated during the execution of a metamorphic program. For this purpose, we developed MetaSign: a tool that takes as input a collection of metamorphic code variants and produces, as output, a set of transformation rules that could have been used to generate the considered metamorphic variants. MetaSign starts from a control flow graph representation of the input variants and agglomerates them into an automaton which approximates the considered code variants. The upper approximation process is based on the concept of widening automata, while the semantic preserving transformation rules, used by the metamorphic program, can be viewed as rewriting rules and modeled as grammar productions. In this setting, the grammar recognizes the language of code variants, while the production rules model the metamorphic transformations. In particular, we formalize the language of code variants in terms of pure context-free grammars, which are similar to context-free grammars with no terminal symbols. After the widening process, we create a positive set of samples from which we extract the productions of the grammar by applying a learning grammar technique. This allows us to learn the transformation rules used by the metamorphic engine to generate the considered code variants. We validate the results of MetaSign on some case studies.

show abstract