Context-sensitive analysis of obfuscated x86 executables
Principal author: | Lakhotia, Arun |
---|---|
Publication date: | 2010 |
Other authors: | Boccardo, Davidson R. [UNESP]; Singh, Anshuman; Manacero Jr., Aleardo [UNESP] |
Document type: | Conference paper |
Language: | eng |
Source title: | Repositório Institucional da UNESP |
Full text: | http://dx.doi.org/10.1145/1706356.1706381 http://hdl.handle.net/11449/71657 |
Abstract: | A method for context-sensitive analysis of binaries that may have obfuscated procedure call and return operations is presented. Such binaries may use operators that directly manipulate the stack, instead of the native call and ret instructions, to achieve equivalent behavior. Since the definition of context-sensitivity and the algorithms for context-sensitive analysis have thus far been based on the specific semantics associated with procedure call and return operations, classic interprocedural analyses cannot be used reliably for analyzing programs in which these operations cannot be discerned. A new notion of context-sensitivity is introduced that is based on the state of the stack at any instruction. While changes in 'calling'-context are associated with transfer of control, and hence can be reasoned about in terms of paths in an interprocedural control flow graph (ICFG), the same is not true of changes in 'stack'-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of call-strings based methods for context-sensitive analysis using stack-context. The method presented is used to create a context-sensitive version of Venable et al.'s algorithm for detecting obfuscated calls. Experimental results show that the context-sensitive version of the algorithm generates more precise results and is also computationally more efficient than its context-insensitive counterpart. Copyright © 2010 ACM. |
Authors: | Lakhotia, Arun; Boccardo, Davidson R. [UNESP]; Singh, Anshuman; Manacero Jr., Aleardo [UNESP] |
---|---|
Affiliations: | Center for Advanced Computer Studies, University of Louisiana, Lafayette, LA; Electrical Engineering Dept., Paulista State University (UNESP) |
Keywords: | Analysis of binaries; Context-sensitive analysis; Deobfuscation; Obfuscation; Abstract interpretations; Context sensitivity; Context-sensitive; Control flow graphs; Executables; Inter-procedural; Inter-procedural analysis; Procedure call; Specific semantics; Mathematical operators; Program interpreters; Technical presentations; Java programming language |
Published in: | Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, p. 131-140 |
Publication date: | 2010-04-20 |
Deposited in repository: | 2014-05-27 |
DOI: | 10.1145/1706356.1706381 |
Scopus ID: | 2-s2.0-77950882873 |
Handle: | http://hdl.handle.net/11449/71657 |
Version: | Published version (info:eu-repo/semantics/publishedVersion) |
Access rights: | Open access (info:eu-repo/semantics/openAccess) |
Repository: | Repositório Institucional da UNESP - Universidade Estadual Paulista (UNESP) |