SMODIC: A Model Checker for Self-modifying Code

Proceedings of the 17th International Conference on Availability, Reliability and Security Pub Date : 2022-08-23 DOI:10.1145/3538969.3538978

Tayssir Touili, Xin Ye

{"title":"SMODIC: A Model Checker for Self-modifying Code","authors":"Tayssir Touili, Xin Ye","doi":"10.1145/3538969.3538978","DOIUrl":null,"url":null,"abstract":"In this paper, we present SMODIC, a model checker for self-modifying binary codes. SMODIC uses Self Modifying Pushdown Systems (SM-PDS) to model self-modifying binary code. This allows to faithfully represent the program’s stack as well as the self-modifying instructions of the program. SMODIC takes a self-modifying binary code or a self modifying pushdown system as input. It can then perform reachability analysis and LTL/CTL model-checking for these models. We successfully used SMODIC to model-check more than 900 self-modifying binary codes. In particular, we applied SMODIC for malware detection, since malwares usually use self-modifying instructions, and since malicious behaviors can be described by LTL or CTL formulas. In our experiments, SMODIC was able to detect 895 malwares and to prove that 200 benign programs were benign. SMODIC was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Baidu, Avast, and Symantec failed to detect. SMODIC can be found in https://lipn.univ-paris13.fr/~touili/smodic","PeriodicalId":306813,"journal":{"name":"Proceedings of the 17th International Conference on Availability, Reliability and Security","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-08-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 17th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3538969.3538978","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

In this paper, we present SMODIC, a model checker for self-modifying binary codes. SMODIC uses Self Modifying Pushdown Systems (SM-PDS) to model self-modifying binary code. This allows to faithfully represent the program’s stack as well as the self-modifying instructions of the program. SMODIC takes a self-modifying binary code or a self modifying pushdown system as input. It can then perform reachability analysis and LTL/CTL model-checking for these models. We successfully used SMODIC to model-check more than 900 self-modifying binary codes. In particular, we applied SMODIC for malware detection, since malwares usually use self-modifying instructions, and since malicious behaviors can be described by LTL or CTL formulas. In our experiments, SMODIC was able to detect 895 malwares and to prove that 200 benign programs were benign. SMODIC was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Baidu, Avast, and Symantec failed to detect. SMODIC can be found in https://lipn.univ-paris13.fr/~touili/smodic

查看原文本刊更多论文

SMODIC:用于自我修改代码的模型检查器

在本文中，我们提出了SMODIC，一个自修改二进制码的模型检查器。SMODIC使用自修改下推系统(SM-PDS)对自修改二进制代码进行建模。这允许忠实地表示程序的堆栈以及程序的自修改指令。SMODIC采用自修改二进制码或自修改下推系统作为输入。然后，它可以为这些模型执行可达性分析和LTL/CTL模型检查。我们成功地使用SMODIC对900多个自修改二进制码进行了模型检查。特别是，我们将SMODIC应用于恶意软件检测，因为恶意软件通常使用自修改指令，并且恶意行为可以通过LTL或CTL公式来描述。在我们的实验中，SMODIC能够检测到895个恶意软件，并证明200个良性程序是良性的。SMODIC还能够检测到一些众所周知的防病毒软件，如Bit-Defender、Kinsoft、Avira、eScan、卡巴斯基、百度、Avast和赛门铁克未能检测到的恶意软件。SMODIC可以在https://lipn.univ-paris13.fr/~touili/smodic找到

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 17th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量