Boolean Signatures for Metamorphic Malware

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 78 (2016) 255 – 262

,QWHUQDWLRQDO&RQIHUHQFHRQ,QIRUPDWLRQ6HFXULW\ 3ULYDF\,&,63 'HFHPEHU 1DJSXU,1',$

%RROHDQ6LJQDWXUHVIRU0HWDPRUSKLF0DOZDUH $GLW\D.DXVKDO5DQMDQD 5DMD$OLE9LMD\.XPDUFDQG0LQRR+RVVHLQ]DGHKG a,b,c

Dept. of CSE, Central University of Rajasthan, Kishangarh 305817, India d Dept. of CSE, Urmia University, West Azerbaijan 5756151818, Iran

$EVWUDFW 7KLVSDSHUWULHVWRPRGHOWKHFRGHREIXVFDWLRQDVVDWLVILDELOLW\SUREOHP,QWKLVSDSHUZHWU\WRGHYHORSWKHPRGHOWRUHSUHVHQW WKH REIXVFDWHG FRGH DV WKH VDWLVILDEOH SUREOHP ZKLFK FRXOG EH WKHQ FKHFNHG E\ WKH 6$7 VROYHU WR FKHFN ZKHWKHU DW FHUWDLQ LQVWDQFHVWKHPRGHOLVVDWLVILDEOH:HSURYLGHWKHQRWLRQRIFRQYHUWLQJWKH66$IRUPDWRIWKHLQVWUXFWLRQVWRWKHSURSRVLWLRQDO ORJLFDQGWKHQE\WKHKHOSRIWKHWKHRUHPSURYHUVZHWHOOZKHWKHUERWKWKHFRGHVQLSSHWVRIREIXVFDWHGFRGHDUHVDPHRUQRW 7KLVFDQEHGRQHE\FRQYHUWLQJERWKFRGHVIURPWKHLURULJLQDOFRGHWRWKHPDWKHPDWLFDOVLJQDWXUHRUUHODWLRQDOHQFRGLQJDQGWKHQ FKHFNLQJWKHLUORJLFDOHTXLYDOHQFH © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license 7KH$XWKRUV3XEOLVKHGE\(OVHYLHU%9 (http://creativecommons.org/licenses/by-nc-nd/4.0/). 3HHUUHYLHZXQGHUUHVSRQVLELOLW\RIRUJDQL]LQJFRPPLWWHHRIWKH,&,63 Peer-review under responsibility of organizing committee of the ICISP2015 Keywords:&RGHREIXVFDWLRQ',0$&6/RJLFDOHTXLYDOHQFH6$7VROYLQJ0HWDPRUSKLFPDOZDUH

,QWURGXFWLRQ 6XFFHVVIXOO\GHWHFWLQJFRGHREIXVFDWLRQLVDQRQGHWHUPLQLVWLFSUREOHP,WLVKLJKO\XQOLNHO\WRWHOOZKHWKHUWKH WZRFRGHVZLOOGRWKHVDPHZRUNWLOOZHH[HFXWHWKHP,WKDVLWVRZQEHQHILWVDQGKDVLWVRZQVHULRXVSUREOHPVWRR 2QWKHJRRGVLGHWKHVRIWZDUHYHQGRUVFDQVDYHWKHLUVRIWZDUHIURPEHLQJUHYHUVHHQJLQHHULQJDQGFRS\LQJWKHP DQGYDULRXVDWWDFNVFDQDOVREHSUHYHQWHGXVLQJWKHFRGHREIXVFDWLRQVOLNHLIZHKDYHVRPHEXJRUYXOQHUDELOLW\LQ FRGH DW WKH FHUWDLQ SRLQW LW FDQ HDVLO\ EH HYDGHG LQ WKH WUDQVIRUPHG YHUVLRQ RI WKH VDPH FRGH RU VRIWZDUH )RU H[DPSOHLIWKHUHLVVFRSHIRUWKHEXIIHURYHUIORZDWWDFNLQFHUWDLQFRGHDQGDWWDFNHUNQRZVLWWKHYHQGRUFRXOGHDVLO\

&RUUHVSRQGLQJDXWKRU7HO E-mail address: [email protected]

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of organizing committee of the ICISP2015 doi:10.1016/j.procs.2016.02.041

256

Aditya Kaushal Ranjan et al. / Procedia Computer Science 78 (2016) 255 – 262

WUDQVIRUPWKHFRGHDQGWKDWYXOQHUDELOLW\ZLOOQRWUHPDLQVDPHDWWKHVDPHSRLQW,WGRHVQ¶WUHPRYHWKHYXOQHUDELOLW\ EXWLVKLGHVLWOLNHDQHHGOHLQWKHKD\VWDFNLIWKHFRGHREIXVFDWLRQVDUHDSSOLHGSURSHUO\+HQFHWKHUHLVDVWURQJ SRVLWLYHVLGHRIPHWDPRUSKLVP &RPLQJWRWKHGDUNVLGHRIPHWDPRUSKLVPWKHPDOZDUHZULWHUVFRXOGXVHWKHFRGHREIXVFDWLRQIRUHYLOSXUSRVHV 7KH\ FRXOG EXLOG WKH FRPSOH[ PDOZDUH XVLQJ WKHVH WHFKQLTXHV ZKLFK FRXOG HDVLO\ HYDGH WKH FRPPRQO\ DYDLODEOH DQWLYLUXVHV0HWDPRUSKLVPDOORZVPDOZDUHZULWHUVWRPDNHDQLQILQLWHQXPEHURIFRSLHVIRUVDPHPDOZDUHDQGLW EHFRPHVSUDFWLFDOO\LQIHDVLEOHIRUWKHDQWLYLUXVPDQXIDFWXUHUWREXLOGWKHVLJQDWXUHGDWDEDVHIRUWKHVDPHPDOZDUH DV LW LV XVHOHVV WR WDNH WKH V\QWDFWLF VLJQDWXUH IRU WKH FRGH ZKLFK WUDQVIRUPV DIWHU HDFK LQIHFWLRQ +HQFH D PHWDPRUSKLF FRGH LV YHU\ GLIILFXOW DQG DOPRVW LPSRVVLEOH WR ILQG RXW E\ WKH FRQYHQWLRQDO GHWHFWLRQ PHWKRG OLNH V\QWDFWLFVLJQDWXUHEDVHGPHWKRGV 7KHUHDUHQXPHURXVKHXULVWLFVEDVHGPHWKRGVDYDLODEOHIRUGHWHFWLRQRIVXFKPDOZDUHEXWWKHVHPHWKRGVDUHQRW IRROSURRIDQGLWWDNHVQRWWRRPXFKHIIRUWIRUWKHPDOZDUHZULWHUVWRFRQYHUWWKHFRGHLQWRDQRWKHUIRUPZKLFKFDQ HDVLO\ HYDGH WKH SDUWLFXODU KHXULVWLFEDVHG PHWKRG 7KXV QHHG IRU WKH VROLG VHPDQWLF VLJQDWXUH LV WKHUH ZKLFK FRXOGQ¶WFKDQJHHYHQLIWKHUHDUHDQLQILQLWHQXPEHURIWUDQVIRUPDWLRQVLQWKHFRGH 7KDWVLJQDWXUHPXVWQRWFKDQJHHYHQLIWKHUHDUHV\QWDFWLFWUDQVIRUPDWLRQVLQWKHFRGH6RZHSURSRVHDPHWKRG ZKLFK GRHVQ¶W UHOLHV RQ WKH V\QWDFWLF QDWXUH RI FRGH EXW JHWV LQWR WKH VHPDQWLFV RI WKH FRGH +HQFH FDQ EH VXFFHVVIXOO\XVHGWRGHWHFWWKHFRGHREIXVFDWLRQVLQPHWDPRUSKLFPDOZDUH 5HODWHG:RUN 7KHUHDUHQXPHURXV WHFKQLTXHV XVHG WRGHWHFW WKH PHWDPRUSKLF PDOZDUH EXW PRVW RI WKHP DUH HLWKHU V\QWDFWLF EDVHGRUEHKDYLRXUDOEDVHDQDO\VLVZKLFKPD\VRPHWLPHVJLYHPDQ\IDOVHSRVLWLYHV7HFKQLTXHVEDVHGRQ+LGGHQ 0DUNRY0RGHOVKDYHEHHQSURSRVHGWRGHWHFWVXFKNLQGRIPDOZDUH7KHVHWHFKQLTXHVWU\WRILQGWKHQH[WVWDWH RIWKHPDOZDUHZLWKRXWNQRZOHGJHRIWKHSUHYLRXVVWDWHV7KLVPHWKRGSURYHGWREHYHU\JRRGIRUVRPHPDOZDUHEXW IDLOHGZKLOHGHWHFWLQJRWKHUV(QKDQFHGYHUVLRQVRIVDPHWHFKQLTXHKDGEHHQSURSRVHGOLNHWLHUHG+00DQG+00 DQG &KL 6TXDUHG WHVWLQJ EDVHG %XW VDPH DXWKRUV GHYHORSHG WKH PDOZDUH ZKLFK FRXOG HDVLO\ HYDGH WKHVH WHFKQLTXHV *UDSKEDVHGVROXWLRQVZHUHJLYHQWRREXWZLWKPDQ\IDOVHSRVLWLYHUHVXOWV6RPHDXWKRUVJDYHWKHVROXWLRQVRQ FRXQWLQJWKHQXPEHURIFRQWUROIORZJUDSKVFUHDWHGE\WKHPDOZDUHDQGFRXQWLQJWKHP7KHFODVVLILFDWLRQZDVGRQH RQWKHEDVLVRIWKHQXPEHURIFRQWUROIORZJUDSKVLQDPDOZDUH 0HWKRGVEDVHGRQ(LJHQIDFHVDQGHLJHQYHFWRUZHUHJLYHQE\7KHVHPHWKRGVPRGHOWKHPHWDPRUSKLFPDOZDUH DVWKH(LJHQYLUXVMXVWOLNHWKHHLJHQIDFH7KLVNLQGRIGHWHFWLRQPHWKRGVSURYHGYHU\XVHIXOZLWKKLJKGHWHFWLRQUDWH 5DQN/LQHDU'LVFULPLQDQWDQDO\VLVPHWKRGZDVJLYHQLQZKLFKWKHDXWKRUVXVHGUDQNOLQHDUGLVFULPLQDQWDQDO\VLV WRUDQNWKHRSFRGHRURSFRGHVHTXHQFHVDQGVXEVHTXHQWO\UHGXFHWKDWWRWKHQHHGHGRSFRGHVHTXHQFHWKDWSURYLGHG WREHYHU\XVHIXOIRUWKHGHWHFWLRQRIFHUWDLQSDUWLFXODUPDOZDUHDQGLWVYDULDQWV %HKDYLRXUDO GHWHFWLRQ EDVHG RQ WKH FDSWXULQJ RI FULWLFDO $3, FDOOV KDYH EHHQ GRQH E\ YDULRXV DXWKRUV 7KHVH PHWKRGVDUHG\QDPLFLQQDWXUHDQGKDYHSURYHGYHU\HIILFLHQWLQGHWHFWLQJZLWKJUHDWDFFXUDF\ 7KH UHJLVWHUHG VZDS REIXVFDWLRQV ZHUH VROYHG E\ WKH ZLOG FDUG VHDUFK DQG KDOI E\WH VFDQQLQJ ZKLFK ZHUH VXFFHVVIXOWRWKHYHU\JUHDWH[WHQWEXWODWHURQWKHVHPHWKRGVVKRZHGVRPHGUDZEDFNV *HUDUGR HWDOKDVSURSRVHGPHWKRGZKLFKLVEDVHGRQDQXPEHURISXVKDQGSRSLQVWUXFWLRQVXVHGE\PDOZDUH 7KHLQVWUXFWLRQVXVHGE\RQHNLQGRIPDOZDUHDQGLWVYDULDQWVDUHGLIIHUHQWIURPDVXVHGE\RWKHUNLQGVRIPDOZDUH DQGLWVYDULDQWVDQGDVZHOOIURPWKHEHQLJQFRGH &ORVHO\ UHODWHG ZRUN KDV GRQH E\ LQGXVWU\ $GYDQFHG 0DOZDUH /DERUDWRU\ &26(,1& 6LQJDSRUH KDV GRQH ZRUN 7KH\ KDYH JLYHQ 2SWL6LJ VROXWLRQ ZKLFK XVHG //90 DV LQWHUPHGLDWH IRUP DQG FRQYHUVLRQ RI WKH LQWHUPHGLDWHUHSUHVHQWDWLRQLQERROHDQORJLF2XUPDLQDLPWRLPSURYHDQGRSWLPL]HWKHLUPHWKRG 8VHRIHQJLQHVLJQDWXUH WRGHWHFWPHWDPRUSKLFPDOZDUHZDVGRQHE\0RKDPPDGHWDOEXWQRZDGD\VDGYDQFHG PXWDWLQJ WHFKQLTXHV UHQGHU WKLV PHWKRG XVHOHVV DV WKH\ OHDYH QR VDIH FOXH RI DQ HQJLQH ZKLFK FRXOG OHDG WR WKHLU GHWHFWLRQ 9DULRXVRWKHUVHPDQWLFEDVHGDSSURDFKHVKDYHEHHQXVHGE\YDULRXVDXWKRUVEXWWKHVHDUHYHU\GLIIHUHQWIURP WKHDSSURDFKZHXVH


257

3 3URSRVHG:RUN N SURSRVHGPHWKRG GLVDV 7KHHRYHUYLHZRIS x 'LVDVVHP PEOHPDOZDUHH[ [HFXWDEOHZLWK,,'$3UR x 7DNHDVVHPEO\FRGHVQLS SSHWV x &RQYHUWLQWR66$IRUP N FRGH GHDG FFRGH x 5XQ RSWWLPL]HU SDVVHV RQ 66$ IRUP WR UHPRYH WKHH EDVLF REIXVFDDWLRQV OLNH MXQN XQUHDFKDDEOHLQVWUXFWLRQVVHWF x &RQYHUWRSWLPL]HGLQWHUUPHGLDWHIRUPLQ QWRERROHDQORJLLFRU',0$&6IRUPDW $7VROYLQJWRUHHPRYHSRWHQWLDOFRQIOLFWVDQG IXUWKHUVLPSOLILLFDWLRQRIFRQYHHUWHG x 3HUIRUP LQFUHPHQWDO6$ ERROHDQORJLF PDWKHPDWLFDOP PRGHOIRULW x )LQGWKHFRUUHVSRQGLQJP RUWKHFRGH x 7KDWZLOOOEHILQDOPDWKHHPDWLFDORUERROHDQVLJQDWXUHIR x )ROORZDDOODERYHHLJKWVVWHSVRQNQRZQFRGH x )LQGWKHORJLFDOHTXLYDOHHQFHYLDWKHRUHP PSURYHUV

)LJ2YHUYLHZRI3URSRVHHG0HWKRG

7KLLVQHHGFDQEHIIXOILOOHGLIZHFDDQFRQYHUWWKHVVLPSOHFRGHLQWR RWKHPDWKHPDWWLFDOIRUPRULIZ ZHFRQYHUWWKHFFRGH LQWRWK KHIRUPZKRVH YDOLGLW\FRXOGE EHPDWKHPDWLFDDOO\FKHFNHGDQG GZKRVHVDWLVILDDELOLW\FRXOGEHHFKHFNHGDWYDUULRXV LQVWDQFHV7KLVPRWLY YDWHVXVWRFUHDWHHWKHVHPDQWLFVVLJQDWXUHIRUWKHHPHWDPRUSKLFPDOZDUHILUVWO\ \E\VLPSOLI\LQJJWKH XFWXUHGFRGHDQG GWKHQE\FRQYHHUWLQJWKLVFRGHLQWRWKHERROHDDQRUSURSRVLWLRQQDOORJLFDFFRUG GLQJWRWKHQHHGGDQG XQVWUX VXEVHT TXHQWO\FKHFNLQ QJWKHYDOLGLW\DQ QGVDWLVILDELOLW\ \RIWKDWVLJQDWXUUH )RUUGRLQJWKLVWDVN NZHQHHGWRJR RWKURXJKYDULR RXVSKDVHVDQGHHDFKRIWKHVHSKKDVHVKDVLWVRZ ZQLPSRUWDQFH )LUVW ZHKDDYHWRFOHDQWKH FRGHUHPRYLQJ JWKHGHDGFRGHUHPRYLQJQRSVHPDQWLFLQVWUUXFWLRQVUHPRYLQJWKHXQUHDFKKDEOH FRGH GRLQJ FRQVWDQWW SURSDJDWLRQ DQ QG RWKHU FRGH FOHDQLQJ F ZRUNVV 1H[W WKDW SDUUWLDOO\ FOHDQ RU IODW FRGH KDV WWR EH P ORJ JLF1H[WZHKDDYH WRFKHFN WKKH HTXLYDOHQFHR RI WKH WZRGLIIHHUHQW FKDQJHG LQWR WKHSURSSRVLWLRQDO RU PDWKHPDWLFDO XODHZHKDYHFUHHDWHGIRUWKHYHHULILHGDQGVXVSHHFWHGFRGHUHVS SHFWLYHO\,QWKLVVSDSHULQWKHY YHU\QH[WVHFWLRQQZH IRUPX ZLOO GHILQH G KRZ WR GR G FRGH IODWWHQLLQJ E\ FRQYHUWLLQJ WKH PDFKLQH FRGH LQWR VRP PH LQWHUPHGLDWH IRUP DQG LQ QH[W VHFWLRQ Q ZH ZLOO GHILQQH KRZ WR FRQY YHUW WKDW FRGH LQWR L WKH PDWKHP PDWLFDO IRUPXOD DQG DW ODVW ZHH ZLOO VKRZ KRZ Z WR FKHFNWKHHTXLYDOHQFHHRIWKDWPDWKHP PDWLFDOVLJQDWXUUH QJ RIWKHFRGHVWDWHPHQWVZHKDYHWRGRWZRWKLQJVHLWKHUFFRQYHUWWKHFRP PSOH[ 7R SHUIRUPWKHUHOODWLRQDOHQFRGLQ XFWXUHGFRGHLQWWRWKH66$IRUP PDWRUGRRZQ FXVWRPHQFRGLQ QJE\UXQQLQJSSUHDQGSRVWFR RQGLWLRQRQWKH HDFK XQVWUX VWDWHP PHQW RU HDFK LQ QVWUXFWLRQ 7KH ODWHU DSSURDFK K WDNHV PRUH ZRUN Z DV LW LV YYHU\ GLIILFXOW WR R FRQYHUW WKH HDFK LQVWUXFFWLRQ WR WKH PDDWKHPDWLFDO ORJLLF IRU ZH KDYH WR GR WKH UHODWLLRQDO HQFRGLQJ RQ HDFK LQVWUXFWLRQ DQG LW LV YHU\ GLIILFX XOWWRVHWSUHFRQ QGLWLRQDQGSRVWFRQGLWLRQRQHDDFKEORFN7KXVVZHKDYHWDNHQQWKHOLEHUW\WRFFRQYHUWWKHPDFFKLQH LQVWUXFFWLRQVWRWKHVLP PSOLILHG66$IR RUPDWDQGWKHFRQYHUWLQJLQWRWWKHSURSRVLWLRQDDOORJLFDQGPDDWKHPDWLFDOIRUP PXOD $IWHU WKDW WKH GLIIHUUHQW ZD\V FDQ EH E XVHG WR VROY YH HDFK RI WKH FRGH REIXVFDWLRRQ 2XU PHWKRG G WULHV WR VROYHH WKH

258


SUREOHP RI V\QWDFWLLF VLJQDWXUHV ZKLFK Z KDV WR EH E XSGDWHG RQ HDFK LQVWDQFH RI WKH WUDQVIRUUPDWLRQ LQ FDVVH RI PRUSKLF PDOZDDUH WKDW KDV WR EH DQ LQILQLWHH QXPEHU RI VLLJQDWXUHV IRU VLLQJOH PDOZDUH ZKLFK LV REYLRRXVO\ PHWDP LQIHDVVLEOH DQG UHTXLLUHV ERXQGOHVV VSDFH +HQFH WKH VLQJOH PDWKKHPDWLFDO VLJQDDWXUH ZLOO EH VDPH IRU WKH LQQILQLWH QXPEEHURIWUDQVIRUP PDWLRQVRIWKHVDPHPHWDPRUSKLLFFRGH RGH)ODWWHQLQJ &R K WR PDNH FR RGH FOHDQ E\ VR RPH RI WKH EDVLLF REIXVFDWLRQV OLNH WKH LQVHUWLLRQ RI QRS VHP PDQWLF )LUUVW RI DOO ZH KDYH LQVWUXXFWLRQVGHDGFR RGHXQUHDFKDEOHHLQVWUXFWLRQVDQ QGRWKHUHTXLYDOHQWLQVWUXFWLRQLQVHUWLRQ7KHVVHW\SHRIFOHDQLLQJLV QHFHVVVDU\DVWKLVZLOOOMXVWDGGEXON NWRWKHPDWKHP PDWLFDORUSURSRRVLWLRQDOIRUPXODDZHSURGXFHDDWWKHHQG7KH EDVLF REIXVVFDWLRQV DUH WK KH LQVHUWLRQ RI QRS VHPDQWLF LQVWUXFWLRQV GHDG LQVWUXFWLRRQV UHJLVWHU UHHQDPLQJ VXEURRXWLQH UHRUGHULQJLQVWUXFWLR RQUHRUGHULQJLQ QVHUWLRQRIXQFR RQGLWLRQDOMXPSVDQGFHUWDLQRWKKHUDGYDQFHGFR RGHPXWDWLRQV

)LJ(T TXLYDOHQW,QVWUXFWLRQ Q6XEVWLWXWLRQ

)LJ&R RGHVQLSSHWVRI5HJ J6ZDS9LUXV

s Instru uction 4.1 Removal of Nop semantic KHUHDUHVHYHUDOQRSVHPDQWLFLQ QVWUXFWLRQVZKLLFKKDGWREHUHP PRYHGILUVW6WDDWLFDOO\VRPHRIIWKHLQVWUXFWLRQQVFDQ 7K EH UHPRYHG DQG VRP PH RI WKH LQVWUX XFWLRQV FDQQRW EH UHPRYHG 7KHVH 7 W\SH RI LQQVWUXFWLRQV FDQ EH UHPRYHG E\ WKH $ IRUP &RQYHHUWLQJ LQWR 6$ IRUP FRPSSLOHU RSWLPL]HU DV WKHVH KDYH WR EH FRQYHUWHG LQWR WKH LQWWHUPHGLDWH 66$ VLPSOOLILHV WKH UHPRY YDO RI QRS VHPDDQWLF LQVWUXFWLRQ QV :H ZLOO XVHH HLWKHU //90 0 RSWLPL]HU SDVVV WR UHPRYH WKHH QRS VHPDQ QWLFLQVWUXFWLRQVRUZHFDQXVHHPD\DQRWKHU 66$IRUP//9 90QHHGVWKHIIURQWHQGIRUWK KHPDFKLQHFRGHHDQG WKHQZ ZHFDQUXQWKHE EXLOWLQSDVVHVWR RRSWLPL]HWKHLLQWHUPHGLDWHODQQJXDJH

)LJ1RS S6HPDQWLFDQGGHDDGLQVWUXFWLRQV


259

4.2 Deead Code Remooval XUHIRUDQ\FRGHHEXW &UHDWLLQJRUSUHVHQWLQQJWKHPDFKLQH FRGHDVIRUPDO ORJLFLVWKHNHH\WRFUHDWLQJVHHPDQWLFVLJQDWX \RXKDDYHWREHDZDUHHRIWKHKLGGHQ RSHUDWLRQVLVWR REHWDNHQEHKLQQGWKHFXUWDLQV )RUH[DPSOHZ ZKLOH\RXFUHDWHHWKH PDWKHHPDWLFDOIRUPXODDWLRQIRUFHUWDLQQFRGHOLNHDERX XWWKHVLPSOHDGGGLWLRQLQVWUXFWLRRQWKHQ\RXKDY YHWRWDNHFDUHRIWKH YDULRXXVIODJVEHFDXVHHWKHVHDUHDIIHFWHGWKRXJK6RFKDQJLQJFHUWDDLQFRGHLQWRWKHHIRUPDOORJLFLVVQRWWKDWPXFKHDV\ VRZHQHHGDQLQWHUP PHGLDWHDQGVLPSSOLILHGIRUPZK KLFKWDNHVFDUHRRIWKHIODJVDQG WKHLQWHUQDOSUR RFHVVRUFKDQJHVVDQG X WKH LQWHUPHGGLDWH IRUP LQGHHSHQGHQW RI WKHH SURFHVVRU 'HHDG FRGH FDQ EH VWDWLFDOO\ UHP PRYHG DOVR EXWW WKH JLYH XV UHPRYYDO LV HIIHFWLYHHO\ GRQH DIWHU FRQYHUWLQJ LQ QWR LQWHUPHGLDWHH 66$ IRUP &RPSLOHUV OLNHH //90 RU RRWKHU LQWHUP PHGLDWHODQJXDJHHJHQHUDWRUVZKKLFKFRQYHUWPDFKLQHFRGHWRWKKHRWKHUVLPSOLIILHGIRUPV 4.3 Deeleting Unreachhable Instructionns X FRGGH FDQ EH UHPRRYHG E\ FRPSLOOHU SDVV YLD VLP PSOLI\LQJ WKH FRQWURO IORZ JUDDSK 7KH //90 0 RU 7KH XQUHDFKDEOH DQRWKHHU RSWLPL]HU FDQ Q EH XVHG WR GHHOHWH WKH XQUHDFFKDEOH LQVWUXFWLRRQV IURP FRQWUURO IORZ JUDSK LW LV YHU\ VLPSOH WR GHOHWH WKH XQUHDFKDEOH LQVWUXFWLRQV :KLOH RSWLPL]]LQJ WKH &)* ZH FDQ HDVLO\ NQRZ ZKLFK EOORFN RI FRGH LVV QRW PRYHG$QDO\VLLQJWKHHGJHRIIWKHFRQWUROIORRZJUDSKFDQEHHHDVLO\GRQHDQQGLW H[HFXWWHGVRFDQEHVXEVHTXHQWO\UHP ZLOOHIIILFLHQWO\VKRZZKLFKLQVWUXFWLR RQVDUHQRWUHDFFKDEOHDQGZLOOQHYHUH[HFXWH6RPHRIWKHFRG GHREIXVFDWLRQVVOLNH UHJLVWHHUVZDSSLQJLQVVWUXFWLRQUHRUGHHULQJDQGVXEURXWLQHUHRUGHULQJJFDQQRWEHUHP PRYHGE\VLPSOHHPHWKRGV$OOWWKHVH KDYHWWREHUHPRYHGEE\FRQYHUWLQJWK KLVLQWRERROHDQORJLF

)LJ8Q QUHDFKDEOH&RGH,Q QVHUWLRQ

QYHUWLQJWR)RUUPDO/RJLF &RQ 9HUU\VLPSOHPDWKHHPDWLFDOORJLFLLVXVHGDVWKHDOOWHUQDWHUHSUHVHQQWDWLRQIRUWKHLLQWHUPHGLDWHFRGHJHQHUDWHGE\\WKH //90 0RSWLPL]HU:HHFDQFRQYHUWWK KHLQVWUXFWLRQVWRWKHERROHDQORRJLF:HFDQXVVHHLWKHUELWYHFFWRUVDUUD\VRURRWKHU PHWKRRGV EDVHG RQ RXXU QHHG RU VD\ RQ R WKH W\SH RI REIXVFDWLRQ WR EH GHWHFWHG 7KKHQ ZH QHHG WR R SURYH ZKHWKHUU WKH IRUPXXOD ZH KDYH JHQQHUDWHG IRU WKH FRGH VQLSSHWV LV L VDPH IRU WKDDW ZH KDYH WR XXVH 6$7 VROYHUU RU DQ\ NLQG RII WKH WKHRUHHPSURYHU

)LJ%RROHDQ/R RJLF5HSUHVHQWDWLRQ QRIPRY,QVWUXFWLRQQV

260


)LJ%RROHDQ/RJLF5HSUHVHQWDWLRQRIDQG RULQVWUXFWLRQV

&RQYHUWLQJWKHDVVHPEO\LQVWUXFWLRQVWRPDWKHPDWLFDOORJLFQHHGGHHSLQVLJKWLQWRWKHZD\HDFKLQVWUXFWLRQZRUNV :HPXVWNQRZWKHSUHDQGSRVWFRQGLWLRQVRIHDFKLQVWUXFWLRQDVLQVWUXFWLRQVDUHWREHHQFRGHGLQWRIRUPDOORJLFDQG LWLVYHU\QHFHVVDU\WRNQRZWKHSRWHQWLDOFRQIOLFWVLQWKHLQVWUXFWLRQVDVFRQIOLFWVPDNHLWGLIILFXOWIRUWKHLQVWUXFWLRQV WRHQFRGH:HKDYHWRGRERROHDQRUSURSRVLWLRQDOHQFRGLQJRIWKHLQVWUXFWLRQVDVSHUQHHG)RUVRPHLQVWUXFWLRQV ZHQHHGWRXVHELWYHFWRUVDQGIRURWKHUVZHQHHGDGLIIHUHQWZD\WRHQFRGHWKHLQVWUXFWLRQV

)LJ%RROHDQ/RJLF5HSUHVHQWDWLRQRIFRQGLWLRQDO-XPSV

7KH)LJXUHVKRZVKRZZHFDQZULWHLQVWUXFWLRQVLQERROHDQORJLF7KHLQVWUXFWLRQVDUHWREHHQFRGHGGLIIHUHQWO\ HJPRY[\VD\VWRPRYHWKHFRQWHQWVRI\LQWR[,WZLOOEHZULWWHQDV[ \ LQERROHDQORJLF6LPLODUO\IRURWKHU LQVWUXFWLRQV ZH QHHG VLPLODU NLQG RI HQFRGLQJ OLNH DQG D E PHDQV WR DGG WKH FRQWHQWV RI D DQG E WKHQ PRYH WKH FRQWHQWVWRD7KLVLQVWUXFWLRQLVRIWZRVWHSV,QWKHILUVWVWHSWKHFRQWHQWVRIDDQGEDUHHQGHGDQGWKHQLQVWHSWKH FRQWHQWVDUHVWRUHGLQD7KHWZRVWHSVLQERROHDQORJLFZLOOEHZULWWHQDV[ [ \ LQWKHILUVWVWHSDQG[ \ LQWKH VHFRQGVWHS7KLVVHHPVWULYLDOEXWVHHVWKHSUREOHPVDQGSRWHQWLDOFRQIOLFWVLQWKLV7KLVLVQRW66$IRUPDWDVWKHUH ZLOOEHWZRLQVWUXFWLRQVDQGWKHYDOXHRI[LVGLIIHUHQWLQERWKRIWKHPEXWWKHYDULDEOHLVVDPHLH[6RWKLVLVQRW 66$ IRUP WKH FRQYHUVLRQ LQWR ERROHDQ ORJLF PXVW EH GRQH DIWHU FRQYHUWLQJ WKH XQVWUXFWXUHG PDFKLQH FRGH LQWR VLPSOLILHG66$)RUP 5.1 Incremental Sat. Solving 7KHWZRFRGHVPLJKWGLIIHUWRRPXFKV\QWDFWLFDOO\EXWWKHPDWKHPDWLFDOPRGHOWKH\SURGXFHPXVWEHVDPH7KHUHLV D QHHG WR UHGXFH WKH &1) SURGXFHG IRU WKH FRGH 7KH FRQVWDQW SURSDJDWLRQ ZLOO EH GRQH E\ WKH LQFUHPHQWDO VDW VROYLQJ DQG LW ZLOO DOVR UHVROYH WKH SRWHQWLDO FRQIOLFWV 7KH LQFUHPHQWDO VDW VROYLQJ ZLOO UHGXFH WKH IRUPXOD WR PLQLPDO FODXVHV 7KHVH FODXVHV FDQ EH FRQYHUWHG LQWR WKH PDWKHPDWLFDO PRGHO WKDW ZLOO EH WKH H[DFW VHPDQWLF VLJQDWXUH)RUHDFKVDWLVILDELOLW\SUREOHPWKHUHH[LVWVDFRUUHVSRQGLQJIRUPXODWLRQRIWKHPRGHO :HFDQYLHZWKLVVROXWLRQDVLIZHKDYHWZRGLIIHUHQWFRGHRQHLVFOHDQDQGZLWKRXWWKHFRGHREIXVFDWLRQVZKLOH RWKHU KDG VRPH REIXVFDWLRQV 7KH &1)SURGXFHGIRU WKHVH WZRGLIIHUHQW FRGHV ZLOO EH LQLWLDOO\ GLIIHUHQW DQG DIWHU LQFUHPHQWDO VROYLQJ WKH REIXVFDWLRQV ZKLFK DUH QRW UHPRYHG E\ WKH FRPSLOHU RSWLPL]HU OLNH //90 HWF FDQ EH LQFUHPHQWDOO\UHPRYHGE\WKH6$7VROYHU7KHFDVHRIWKHFRQVWDQWSURSDJDWLRQHWFLQWKHXQVWUXFWXUHGLQVWUXFWLRQV


261

ZLOO EH UHPRYHG E\ WKLV W :H KDYH \HW \ DQRWKHU DGY YDQWDJH RI XVLQ QJ WKLV ,I GXULQQJ WKH VLPSOLILFDDWLRQ RI WKH // /90 PHGLDWHODQJXDJHHVRPHVSXULRXVVLQVWUXFWLRQVP PD\FUHHSLWWKHVVHFDQHDVLO\EHHUHPRYHGE\WKLVPHWKRG LQWHUP

)LJ3URSRVHG%R RROHDQ,QFUHPHQWDO6ROYLQJ0HWKRG

PRGHORXULQVWUXFFWLRQVLQWRWKHIIRUPDOORJLFDQGGFDQXVHVDPH IRUWKHLQFUHPHHQWDO :HFDDQXVH=607 VDWVROYHUWRP VROYLQ QJ)LJ XVLQJPLQLVDWDQGWKHH',0$&6IRUP PDW 5.2 DIIMACS Format 0HWKR RGVWRFRQYHUWWKKHLQVWUXFWLRQV LQWR&1)IRUP PFDQEHGRQHYLDPLQLVDWZKLFFKWDNHVLQSXWDDV',0$&6&HHQWUH IRU'LLVFUHHW0DWKHP PDWLFVDQG7KHRUUHWLFDO&RPSXWHHU6FLHQFH IRUP PDW,QWKLVIRUUPDWZHFDQZULWHWKHFODXVHVVDQG YDULDE EOHV DV QXPEHUVV HDFK FODXVH VHSDUDWHG E\ 7KLV IRUPDW LVV YHU\ VLPSOH DDQG WKHUH DUH PDQ\ P WRROV DYDLOODEOH ZKLFK K FDQ HDVLO\ SURRGXFH WKH PDWKHHPDWLFDO PRGHO IRU WKH ',0$& &6 IRUPDW :HH FDQ XVH WKLV IRUPDW IR WR PRGHOO RXU LQVWUXFFWLRQVDQGDIWHUWKDWZHZLOOFUHHDWHWKHPDWKHP PDWLFDOPRGHOGLLUHFWO\IURPLW 5.3 Final Signature ZHLPSOHPHQWDDOOWKHVWHSVDERRYHWKHUHGXFHG GPDWKHPDWLFDOIIRUPXODZLOOEHHWKHILQDOVHPDQ QWLFVLJQDWXUHRIWKH $IWHUZ PDOZDDUH1RPDWWHUK KRZPDQ\WUDQVVIRUPDWLRQVWKHPDOZDUHPD\X XQGHUJRWKHVHP PDQWLFVLJQDWXUHZLOOQHYHUFKDDQJH EHFDXVVH VWHS E\ VWHS S IROORZLQJ RI I WKHVH WHFKQLTX XHV ZLOO ILUVW UHYHUVH U WKH HIIHHFWV ZKLFK DUH LQWURGXFHG E\\ WKH PHWDP PRUSKLVPDQGWKKHWUDQVIRUPDWLRRQVZKLFKDUHQ QRWUHGXFHGFDQ QEHVROYHGE\WWKHLQFUHPHQWDO VDWVROYLQJ+HHQFH WKHILQ QDOVLJQDWXUHLVWWKHPDWKHPDWLFDDOPRGHOIRUPHG GDIWHUWKHDSSOLLFDWLRQRIDOOWKHHDERYHPHWKRG GV quivalence Checcking 5.4 Eq 1RZDIWHUZHKDYHFFUHDWHGWKHIRUP PDOORJLFIRUWKHFRGHRUWKHILQDDOVLJQDWXUHRIWWKHFRGHQRZZ ZHKDYHWRFKHFNNIRU TXLYDOHQFHRIWKHFRGH)RUWKDWWZHKDYHWRVK KRZWKDWWKHPDDWKHPDWLFDOIRUP PXODVZKLFKZHHKDYHGHULYHGIIURP WKHHT FRQYHUUWLQJWKHFRGHLQQWRIRUPDOORJLFFDUHVDPH7KLVVHTXLYDOHQFHFDDQEHFKHFNHGEE\WKHWKHRUHPS SURYHUZKLFKVKKRZV ZKHWK KHUERWKWKHIRUP PXODHDUHVDPH QFOXVLRQ &RQ S PHWKRRG ZLOO EH YHU\ XVHIXO LQ GHWHFWLQJ WKH PHWDP PRUSKLF PDOZDDUH DQG WKHUH ZLOO Z QRW WKH QHHHG RI 7KH SURSRVHG FUHDWLQ QJ PLOOLRQV RI VLJQDWXUHV IRU WKH W VDPH PDOZ ZDUH EXW RQH PDWKHPDWLFDO P VLJJQDWXUH ZLOO VXIIILFH WKH QHHG 7KDW PDWKHHPDWLFDOPRGHO ZLOOUHPDLQVDP PHIRUWKHPDOZ ZDUHQRPDWWHU KRZPDQ\WLP PHVWKHJLYHQPDDOZDUHV\QWDFWLFFDOO\ WUDQVIR RUP LWVHOI 7KLVV PHWKRG ZLOO QRW JLYH IDOVH SRVLWLYHV DV LW FKHFNV WKH VHP PDQWLFV RI WKH FRGH &HUWDLQ FFRGH

262


REIXVFDWLRQVDUHYHU\KDUGWRGHWHFWDQGQRIRUPDOPHWKRGLVEHLQJGHYHORSHGWRGHWHFWRUUHPRYHWKHP2XUPHWKRG FDQEHXVHGDVDEDVHPRGHOWRGHVLJQWKHVWUDWHJ\WRGHWHFWWKHKDUGHUREIXVFDWLRQPHWKRGVOLNHXQFRQGLWLRQDOMXPSV HWF )XWXUH:RUN :HZLOOLPSOHPHQWWKLVZRUNDQGWU\WRLQWHJUDWHWKLVZLWKDQ\H[LVWLQJIUDPHZRUN:HZLOOWU\WRZULWHWKLVDV RQHRIWKH//90DQDO\VLVSDVVHVZKLFKZLOOHQFRGHWKHFOHDQLQVWUXFWLRQVRQWKHIO\:HZLOOWU\WRRSWLPL]HRXU LGHDV ZKHUH LW PLJKW SHUIRUP SRRUO\ 7KH XQFRQGLWLRQDO MXPS LV YHU\ XQSUHGLFWDEOH DQG FDQQRW EH HIILFLHQWO\ LPSOHPHQWHGXVLQJWKHERROHDQORJLFKHQFHZHQHHGWRHQKDQFHWKHWHFKQLTXHIRUWKHXQFRQGLWLRQDOEUDQFKHV $FNQRZOHGJHPHQWV 7KH$XWKRUVZRXOGOLNHWRWKDQNWKHLUFRUUHVSRQGLQJXQLYHUVLWLHV&HQWUDO8QLYHUVLW\RI5DMDVWKDQ,QGLD 8UPLD 8QLYHUVLW\,UDQ IRUWKHIDFLOLWLHVSURYLGHGWRH[HFXWHWKLVZRUN References 1. Bruschi D, Martignoni L, and Monga M. Detecting self-mutating malware using control-flow graph matching. In R. B¨uschkes and P. Laskov, editors, Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2006;4064: 129–143 2. Chouchane MR, Lakhotia A. Using engine signature to detect metamorphic malware. Fourth ACM Workshop on Recurring Malcode; 2006. p 73–78. 3. Dalla PM, Christodorescu M, Jha S and Debray S. A semantics-based approach to malware detection. 34th ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages 2007. 4. Bruschi D, Martignoni L and Monga M. Using code normalization for fighting self-mutating malware, International Symposium on. Secure Software Engineering; 2006. 5. Anderson B, Quist D, Neil J and Lane T.Graph-based malware detection using dynamic analysis. Journal of Computer Virology and Hacking Techniques 2011. 6. Canfora G, Iannaccone AN, Visaggio CA, Static analysis for the detection of metamorphic computer viruses using repeated instructions counting heuristics. Computer Virology and Hacking Techniques Journal 2013. 7. Christodorescu M and Jha S. Static analysis of executables to detect malicious patterns. 12th Conference on USENIX Security Symposium; 2013, p. 12. 8. Runwal N, Low RM and Stamp M. Opcode graph similarity and metamorphic detection.Journal of Computer Virology and Hacking Techniques 2012. 9. Saleh ME, Mohamed AB and Nabi AA. Eigenviruses for metamorphic virus recognition. IET Information Security 2011. 10. COSEINC. www.coseinc.org. 11. Low Level Virtual Machine (LLVM) compiler infrastructure. www.llvm.org 12. Wong W, Stamp M. Hunting for Metamorphic Engines, Journal in Computer Virology; 3:211-229.