Unveiling metamorphism by abstract interpretation of code properties

Mila Dalla Preda, Roberto Giacobazzi, Saumya Debray

Research output: Contribution to journalArticlepeer-review

9 Scopus citations


Metamorphic code includes self-modifying semantics-preserving transformations to exploit code diversification. The impact of metamorphism is growing in security and code protection technologies, both for preventing malicious host attacks, e.g., in software diversification for IP and integrity protection, and in malicious software attacks, e.g., in metamorphic malware self-modifying their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extracting metamorphic signatures from metamorphic code. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics. In particular, we introduce the notion of regular metamorphism, where the invariants of the phase semantics can be modeled as finite state automata representing the code structure of all possible metamorphic change of a metamorphic code, and we provide a static signature extraction algorithm for metamorphic code where metamorphic signatures are approximated in regular metamorphism.

Original languageEnglish (US)
Pages (from-to)74-97
Number of pages24
JournalTheoretical Computer Science
Issue number1
StatePublished - 2015
Externally publishedYes


  • Abstract interpretation
  • Metamorphic malware detection
  • Program semantics
  • Self-modifying programs

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Unveiling metamorphism by abstract interpretation of code properties'. Together they form a unique fingerprint.

Cite this