发布求助
文献互助 智能选刊 最新文献

PPREW'14最新文献

筛选
英文 中文
Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis 使用过程间数据流分析从二进制文件中恢复c++对象
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2556465
Wesley Jin, Cory F. Cohen, Jeffrey Gennari, C. Hines, S. Chaki, A. Gurfinkel, Jeffrey Havrilla, P. Narasimhan
{"title":"Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis","authors":"Wesley Jin, Cory F. Cohen, Jeffrey Gennari, C. Hines, S. Chaki, A. Gurfinkel, Jeffrey Havrilla, P. Narasimhan","doi":"10.1145/2556464.2556465","DOIUrl":"https://doi.org/10.1145/2556464.2556465","url":null,"abstract":"Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.\u0000 In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"47 9","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114037993","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 37
DroidLegacy: Automated Familial Classification of Android Malware DroidLegacy: Android恶意软件的自动家族分类
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2556467
Luke Deshotels, Vivek Notani, Arun Lakhotia
{"title":"DroidLegacy: Automated Familial Classification of Android Malware","authors":"Luke Deshotels, Vivek Notani, Arun Lakhotia","doi":"10.1145/2556464.2556467","DOIUrl":"https://doi.org/10.1145/2556464.2556467","url":null,"abstract":"We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code and the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls called by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior, and thus are more resilient to obfuscations.\u0000 In triage, AV companies need to automatically classify large number of samples so as to optimize assignment of human analysts. They need a system that gives low false negatives even if it is at the cost of higher false positives. Keeping this goal in mind, we fine tuned our system and used standard 10 fold cross validation over a dataset of 1,052 malicious APKs and 48 benign APKs to verify our algorithm. Results show that we have 94% accuracy, 97% precision, and 93% recall when separating benign from malware. We successfully classified our entire malware dataset into 11 families with 98% accuracy, 87% precision, and 94% recall.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130930602","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 141
The GDSL toolkit: Generating Frontends for the Analysis of Machine Code GDSL工具箱:为机器代码分析生成前端
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2559596
A. Simon, J. Kranz
{"title":"The GDSL toolkit: Generating Frontends for the Analysis of Machine Code","authors":"A. Simon, J. Kranz","doi":"10.1145/2556464.2559596","DOIUrl":"https://doi.org/10.1145/2556464.2559596","url":null,"abstract":"Any inspection, analysis or reverse engineering of binaries requires a translation of the program text into an intermediate representation (IR) that conveys the semantics of the program. To this end, we propose a domain specific language called GDSL (Generic Decoder Specification Language) that facilitates the translation from byte streams to instructions and from there to other intermediate representations. We present the GDSL toolkit, containing a compiler from GDSL to C, instruction decoders (currently for Intel x86 and Atmel AVR), translations to semantics, and optimizations of the semantics. Other processors, semantics and optimizations can be added, thereby providing a common platform for building frontends for the analysis of binaries. The emitted C code is human-readable and outperforms hand-written code such as the XED decoder shipped with the Intel Pin toolkit.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114915389","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Analyzing program dependencies for malware detection 分析恶意软件检测的程序依赖关系
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2556470
M. Preda, Isabella Mastroeni, R. Giacobazzi
{"title":"Analyzing program dependencies for malware detection","authors":"M. Preda, Isabella Mastroeni, R. Giacobazzi","doi":"10.1145/2556464.2556470","DOIUrl":"https://doi.org/10.1145/2556464.2556470","url":null,"abstract":"Metamorphic malware continuously modify their code, while preserving their functionality, in order to foil misuse detection. The key for defeating metamorphism relies in a semantic characterization of the embedding of the malware into the target program. Indeed, a behavioral model of program infection that does not relay on syntactic program features should be able to defeat metamorphism. Moreover, a general model of infection should be able to express dependences and interactions between the malicious code and the target program. ANI is a general theory for the analysis of dependences of data in a program. We propose an high order theory for ANI, later called HOANI, that allows to study program dependencies. Our idea is then to formalize and study the malware detection problem in terms of HOANI.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"98 43","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131879137","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Hardware-enforced Protection against Software Reverse-Engineering based on an Instruction Set Encoding 基于指令集编码的防软件逆向工程的硬件保护
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2556469
J. Danger, S. Guilley, Florian Praden
{"title":"Hardware-enforced Protection against Software Reverse-Engineering based on an Instruction Set Encoding","authors":"J. Danger, S. Guilley, Florian Praden","doi":"10.1145/2556464.2556469","DOIUrl":"https://doi.org/10.1145/2556464.2556469","url":null,"abstract":"Software programs are prone to reverse-engineering. Protection usually consists either in obfuscation or Randomized Instruction Set Emulation (RISE). In this article, we explore a mixed software/hardware RISE suitable for embedded systems. This solution is very easy to implement on any open CPU core (LEON, openRISC, LatticeMicro32, etc.), as it implies only localized changes at the latest stage of the code execution hardware, which makes Dallas and DMA attacks unsuccessful. Similarly, alternations in the software development flow are minor and straightforward. All in one, our study shows that an easy protection can be attained at virtually no overhead cost if both the hardware and the software are customized.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134398933","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 10
TDVMP: Improved Virtual Machine-Based Software Protection with Time Diversity TDVMP:改进的基于虚拟机的软件时间分集保护
PPREW'14 Pub Date : 2014-01-22 DOI: 10.1145/2556464.2556468
Huaijun Wang, Dingyi Fang, Guanghui Li, Na An, Xiaojiang Chen, Y. Gu
{"title":"TDVMP: Improved Virtual Machine-Based Software Protection with Time Diversity","authors":"Huaijun Wang, Dingyi Fang, Guanghui Li, Na An, Xiaojiang Chen, Y. Gu","doi":"10.1145/2556464.2556468","DOIUrl":"https://doi.org/10.1145/2556464.2556468","url":null,"abstract":"The VM (Virtual effective solution to protect software, making it extremely a Machine)-based software protection technique provides difficulty to analyze and crack. In this paper, we improve it from two aspects. Firstly, the time diversity is to fight against cumulative attack by making software executing along variant paths in different running time. Secondly, transform instructions in an execution path with reducing performance penalty through controlling deformation strategy. At last, we design and develop a VM-based protection with time diversity system, named TDVMP, and carry out some experiments with it. The results show that the improvements are effective.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"111 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124064251","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信