Modelling metamorphism by abstract interpretation

Mila Dalla Preda; Roberto Giacobazzi; Saumya Debray; Kevin Coogan; Gregg M. Townsend

doi:10.1007/978-3-642-15769-1_14

Modelling metamorphism by abstract interpretation

Mila Dalla Preda, Roberto Giacobazzi, Saumya Debray, Kevin Coogan, Gregg M. Townsend

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

19 Scopus citations

Abstract

Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.

Original language	English (US)
Title of host publication	Static Analysis - 17th International Symposium, SAS 2010, Proceedings
Pages	218-235
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-642-15769-1_14
State	Published - 2010
Event	17th International Static Analysis Symposium, SAS 2010 - Perpignan, France Duration: Sep 14 2010 → Sep 16 2010

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6337 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	17th International Static Analysis Symposium, SAS 2010
Country/Territory	France
City	Perpignan
Period	9/14/10 → 9/16/10

Keywords

Abstract interpretation
malware detection
metamorphic code
program transformation
security
semantics
static analysis

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-15769-1_14

Cite this

Dalla Preda, M., Giacobazzi, R., Debray, S., Coogan, K., & Townsend, G. M. (2010). Modelling metamorphism by abstract interpretation. In Static Analysis - 17th International Symposium, SAS 2010, Proceedings (pp. 218-235). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6337 LNCS). https://doi.org/10.1007/978-3-642-15769-1_14

Modelling metamorphism by abstract interpretation. / Dalla Preda, Mila; Giacobazzi, Roberto; Debray, Saumya et al.
Static Analysis - 17th International Symposium, SAS 2010, Proceedings. 2010. p. 218-235 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6337 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Dalla Preda, M, Giacobazzi, R, Debray, S, Coogan, K & Townsend, GM 2010, Modelling metamorphism by abstract interpretation. in Static Analysis - 17th International Symposium, SAS 2010, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6337 LNCS, pp. 218-235, 17th International Static Analysis Symposium, SAS 2010, Perpignan, France, 9/14/10. https://doi.org/10.1007/978-3-642-15769-1_14

Dalla Preda M, Giacobazzi R, Debray S, Coogan K, Townsend GM. Modelling metamorphism by abstract interpretation. In Static Analysis - 17th International Symposium, SAS 2010, Proceedings. 2010. p. 218-235. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-15769-1_14

@inproceedings{52933f9f46514f349a3564fdc60b333c,

title = "Modelling metamorphism by abstract interpretation",

abstract = "Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.",

keywords = "Abstract interpretation, malware detection, metamorphic code, program transformation, security, semantics, static analysis",

author = "{Dalla Preda}, Mila and Roberto Giacobazzi and Saumya Debray and Kevin Coogan and Townsend, {Gregg M.}",

year = "2010",

doi = "10.1007/978-3-642-15769-1_14",

language = "English (US)",

isbn = "3642157688",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "218--235",

booktitle = "Static Analysis - 17th International Symposium, SAS 2010, Proceedings",

note = "17th International Static Analysis Symposium, SAS 2010 ; Conference date: 14-09-2010 Through 16-09-2010",

}

TY - GEN

T1 - Modelling metamorphism by abstract interpretation

AU - Dalla Preda, Mila

AU - Giacobazzi, Roberto

AU - Debray, Saumya

AU - Coogan, Kevin

AU - Townsend, Gregg M.

PY - 2010

Y1 - 2010

N2 - Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.

AB - Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.

KW - Abstract interpretation

KW - malware detection

KW - metamorphic code

KW - program transformation

KW - security

KW - semantics

KW - static analysis

UR - http://www.scopus.com/inward/record.url?scp=78149235458&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78149235458&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-15769-1_14

DO - 10.1007/978-3-642-15769-1_14

M3 - Conference contribution

AN - SCOPUS:78149235458

SN - 3642157688

SN - 9783642157684

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 218

EP - 235

BT - Static Analysis - 17th International Symposium, SAS 2010, Proceedings

T2 - 17th International Static Analysis Symposium, SAS 2010

Y2 - 14 September 2010 through 16 September 2010

ER -

Modelling metamorphism by abstract interpretation

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this