Modelling metamorphism by abstract interpretation

Mila Dalla Preda, Roberto Giacobazzi, Saumya Debray, Kevin Coogan, Gregg M. Townsend

Research output: Chapter in Book/Report/Conference proceedingConference contribution

19 Scopus citations


Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.

Original languageEnglish (US)
Title of host publicationStatic Analysis - 17th International Symposium, SAS 2010, Proceedings
Number of pages18
StatePublished - 2010
Externally publishedYes
Event17th International Static Analysis Symposium, SAS 2010 - Perpignan, France
Duration: Sep 14 2010Sep 16 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6337 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other17th International Static Analysis Symposium, SAS 2010


  • Abstract interpretation
  • malware detection
  • metamorphic code
  • program transformation
  • security
  • semantics
  • static analysis

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Modelling metamorphism by abstract interpretation'. Together they form a unique fingerprint.

Cite this