Context-sensitive analysis of obfuscated x86 executables

Bibliographic details
Main author: Lakhotia, Arun
Publication date: 2010
Other authors: Boccardo, Davidson R. [UNESP], Singh, Anshuman, Manacero Jr., Aleardo [UNESP]
Document type: Conference paper
Language: eng
Source title: Repositório Institucional da UNESP
Full text: http://dx.doi.org/10.1145/1706356.1706381
http://hdl.handle.net/11449/71657
Abstract: A method for context-sensitive analysis of binaries that may have obfuscated procedure call and return operations is presented. Such binaries may use operators that directly manipulate the stack, instead of the native call and ret instructions, to achieve equivalent behavior. Since the definition of context-sensitivity and the algorithms for context-sensitive analysis have thus far been based on the specific semantics associated with procedure call and return operations, classic interprocedural analyses cannot be used reliably for analyzing programs in which these operations cannot be discerned. A new notion of context-sensitivity is introduced that is based on the state of the stack at any instruction. While changes in 'calling'-context are associated with transfer of control, and hence can be reasoned about in terms of paths in an interprocedural control flow graph (ICFG), the same is not true of changes in 'stack'-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of call-strings based methods for context-sensitive analysis using stack-context. The method presented is used to create a context-sensitive version of Venable et al.'s algorithm for detecting obfuscated calls. Experimental results show that the context-sensitive version of the algorithm generates more precise results and is also computationally more efficient than its context-insensitive counterpart. Copyright © 2010 ACM.
Keywords: Analysis of binaries; Context-sensitive analysis; Deobfuscation; Obfuscation; Abstract interpretations; Context sensitivity; Context-sensitive; Control flow graphs; Executables; Inter-procedural; Inter-procedural analysis; Procedure call; Specific semantics; Mathematical operators; Program interpreters; Technical presentations; Java programming language
Affiliations: Center for Advanced Computer Studies, University of Louisiana, Lafayette, LA; Electrical Engineering Dept., Paulista State University (UNESP)
Published in: Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, p. 131-140
Publication date: 2010-04-20
DOI: 10.1145/1706356.1706381
Scopus ID: 2-s2.0-77950882873
Access: open access
Repository record: oai:repositorio.unesp.br:11449/71657