Static analysis of executables to detect malicious patterns

Proceedings of the 12th USENIX Security Symposium

Volumn , Issue , 2003, Pages 169-186

  Christodorescu, Mihai ^a   Jha, Somesh ^a  

^a University of Wisconsin Madison   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER VIRUSES; SCANNING;

ANTIVIRUS SOFTWARES; CODE OBFUSCATION; DEFENSE MECHANISM; MALICIOUS CODE DETECTION; MALICIOUS CODES; OBFUSCATION TRANSFORMATIONS; PROTOTYPE TOOLS; STATIC ANALYZERS;

STATIC ANALYSIS;

EID: 84924223669     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (51)

1. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In 2002 IEEE Symposium on Security and Privacy (Oakland'02), pages 143-159, May 2002.
2. T. Ball and S.K. Rajamani. Automatically validating temporal safety properties of interfaces. In Proceedings of the 8th International SPIN Workshop on Model Checking of Software (SPIN'01), Volume 2057 of Lecture Notes in Computer Science. Springer-Verlag, 2001.
3. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. In Advances in Cryptology (CRYPTO'01), Volume 2139 of Lecture Notes in Computer Science, pages 1-18. Springer-Verlag, August 2001.
4. M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2), 1996.
5. CERT Coordination Center. Denial of service attacks, 2001. http://www.cert.org/tech-tips/denial-of-service.html (Last accessed: 3 February 2003).
6. S. Chandra and T.W. Reps. Physical type checking for C. In ACM SIGPLAN - SIGSOFT Workshop on Program Analysis For Software Tools and Engineering (PASTE'99), pages 66-75. ACM Press, September 1999.
7. H. Chen and D. Wagner. MOPS: an infrastructure for examining security properties of software. In 9th ACM Conference on Computer and Communications Security (CCS'02). ACM Press, November 2002.
8. B.V. Chess. Improving computer security using extending static checking. In 2002 IEEE Symposium on Security and Privacy (Oakland'02), pages 160-173, May 2002.
9. D.M. Chess and S.R. White. An undetectable computer virus. In Proceedings of Virus Bulletin Conference, 2000.
10. F. Cohen. Computer viruses: Theory and experiments. Computers and Security, 6:22-35, 1987.
11. C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Sciences, The University of Auckland, July 1997.
12. C. Collberg, C. Thomborson, and D. Low. Manufacturing cheap, resilient, and stealthy opaque constructs. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98). ACM Press, January 1998.
13. J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, and H. Zheng. Bandera: Extracting finite-state models from Java source code. In Proceedings of the 22nd International Conference on Software Engineering (ICSE'00), pages 439-448. ACM Press, 2000.
14. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In Proceedings of the 5th ACM Symposium on Principles of Programming Languages (POPL'78), pages 84-96. ACM Press, January 1978.
15. D. W. Currie, A. J. Hu, and S. Rajan. Automatic formal verification of dsp software. In Proceedings of the 37th ACM IEEE Conference on Design Automation (DAC'00), pages 130-135. ACM Press, 2000.
16. D. Detlefs, G. Nelson, and J. Saxe. The simplify theorem prover. http://research.compaq.com/SRC/esc/simplify.html.
17. U. Erlingsson and F. B. Schneider. IRM enforcement of Java stackinspection. In 2000 IEEE Symposium on Security and Privacy (Oakland'00), pages 246-255, May 2000.
18. J. Esparza, D. Hansel, P. Rossmanith, and S. Schwoon. Efficient algorithms for model checking pushdown systems. In Proceedings of the 12th International Conference on Computer-Aided Verification (CAV'00), Volume 1855 of Lecture Notes in Computer Science, pages 232-247. Springer-Verlag, July 2000.
19. X. Feng and Alan J. Hu. Automatic formal verification for scheduled VLIW code. In Proceedings of the Joint Conference on Languages, Compilers and Tools for Embedded Systems - Software and Compilers for Embedded Systems (LCTES/SCOPES'02), pages 85-92. ACM Press, 2002.
20. M. Fitting. First-Order Logic and Automated Theorem Proving. Springer-Verlag, 1996.
21. J. T. Giffin, S. Jha, and B. P. Miller. Detecting manipulated remote call streams. In Proceedings of the 11th USENIX Security Symposium (Security'02). USENIX Association, August 2002.
22. J.E. Hopcroft, R. Motwani, and J.D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 2001.
23. S. Horwitz, T. Reps, and D. Binkley. Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS), 12(1):26-60, January 1990.
24. GrammaTech Inc. Codesurfer - code analysis and understanding tool. http://www.grammatech.com/products/codesurfer/index.html (Last accessed: 3 February 2003).
25. T. Jensen, D.L. Metayer, and T. Thorn. Verification of control flow based security properties. In 1999 IEEE Symposium on Security and Privacy (Oakland'99), May 1999.
26. E. Kaspersky. Virus List Encyclopaedia, chapter Ways of Infection: Viruses without an Entry Point. Kaspersky Labs, 2002. http://www.viruslist.com/eng/viruslistbooks.asp?id=32&key=0000100007000020000100003 (Last accessed: 3 February 2003).
27. Kaspersky Labs. http://www.kasperskylabs.com (Last accessed: 3 February 2003).
28. W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems (LOPLAS), 1(4):323-337, December 1992.
29. R.W. Lo, K.N. Levitt, and R.A. Olsson. MCF: A malicious code filter. Computers & Society, 14(6):541-566, 1995.
30. G. McGraw and G. Morrisett. Attacking malicious code: Report to the Infosec research council. IEEE Software, 17(5):33-41 September/October 2000.
31. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. The spread of the Sapphire/Slammer worm. http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html (Last accessed: 3 February 2003).
32. G. Morrisett, K. Crary, N. Glew, and D. Walker. Stack-based Typed Assembly Language. In Xavier Leroy and Atsushi Ohori, editors, 1998 Workshop on Types in Compilation, Volume 1473 of Lecture Notes in Computer Science, pages 28-52. Springer-Verlag, March 1998.
33. G. Morrisett, D. Walker, K. Crary, and N. Glew. From System F to Typed Assembly Language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98), pages 85-97. ACM Press, January 1998.
34. S.S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann, 1997.
35. E.M. Myers. A precise interprocedural data flow algorithm. In Conference Record of the 8th Annual ACM Symposium on Principles of Programming Languages (POPL'81), pages 219-230. ACM Press, January 1981.
36. C. Nachenberg. Polymorphic virus detection module. United States Patent # 5,696,822, December 9, 1997.
37. C. Nachenberg. Polymorphic virus detection module. United States Patent # 5,826,013, October 20, 1998.
38. G. C. Necula. Translation validation for an optimizing compiler. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'00), pages 83-94. ACM Press, June 2000.
39. S. Owre, S. Rajan, J. Rushby, N. Shankar, and M. Srivas. PVS: Combining specification, proof checking, and model checking. In Proceedings of the 8th International Conference on Computer-Aided Verification (CAV'96), Volume 1102 of Lecture Notes in Computer Science, pages 411-414. Springer-Verlag, August 1996.
40. T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In Proceedings of the 22th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'95), pages 49-61. ACM Press, January 1995.
41. M. Samamura. Expanded Threat List and Virus Encyclopaedia, chapter W95.CIH. Symantec Antivirus Research Center, 1998. http://securityresponse.symantec.com/avcenter/venc/data/cih.html (Last accessed: 3 February 2003).
42. DataRescue sa/nv. IDA Pro - interactive disassembler. http://www.datarescue.com/idabase/ (Last accessed: 3 February 2003).
43. S. Staniford, V. Paxson, and N. Weaver. How to 0wn the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium (Security'02), pages 149-167. USENIX, USENIX Association, August 2002.
44. P. Ször and P. Ferrie. Hunting for metamorphic. In Proceedings of Virus Bulletin Conference, pages 123-144, September 2001.
45. TESO. burneye elf encryption program. https://teso.scene.at (Last accessed: 3 February 2003).
46. D. Wagner and D. Dean. Intrusion detection via static analysis. In 2001 IEEE Symposium on Security and Privacy (Oakland'01), May 2001.
47. R. Wang. Flash in the pan? Virus Bulletin, July 1998. Virus Analysis Library.
48. Z. Xu. Safety-Checking of Machine Code. PhD thesis, University of Wisconsin, Madison, 2000.
49. z0mbie. Automated reverse engineering: Mistfall engine. http://z0mbie.host.sk/autorev.txt (Last accessed: 3 February 2003).
50. z0mbie. RPME mutation engine. http://z0mbie.host.sk/rpme.zip (Last accessed: 3 February 2003).
51. z0mbie. z0mbie's homepage. http://z0mbie.host.sk (Last accessed: 3 February 2003).