Weihao Huang,Chaoyang Lin,Qiucun Yan,Lu Xiang,Zhiyu Zhang,Guozhu Meng,Kai Chen

DOI: https://doi.org/10.1109/cscwd57460.2023.10151998

2023-01-01

Abstract:In recent years, binary malware detection has attracted extensive attention from industry and academia. However, most of the existing work focuses on determining whether a sample is malicious or not, rather than identifying the malicious essence in malware. Few studies aim at locating malicious code at function granularity and suffer from inaccuracy. In this paper, we solve the problem by dividing malware into Functional Module (FM), which is a better granularity for locating malicious code, as it combines certain functions to express malicious behaviors in malware. We design a tool called FMDiv to automatically unpack and disassemble binary malware and then divide them into FMs based on the function call graph (CG). Meanwhile, one novel feature extraction and embedding method has been adopted to validate the effect of the FM division algorithm and provide one alternative method of characterization for subsequent malicious FM location. We evaluate FMDiv’s performance on 10,440 real-world samples from VIRUSSHARE. The results show that FMDiv can correctly characterize and make FM division of malware, outperforming current state-of-the-art work.

Iftakhar Ahmad,Lannan Luo

2024-04-30

Abstract:Binary code analysis has immense importance in the research domain of software security. Today, software is very often compiled for various Instruction Set Architectures (ISAs). As a result, cross-architecture binary code analysis has become an emerging problem. Recently, deep learning-based binary analysis has shown promising success. It is widely known that training a deep learning model requires a massive amount of data. However, for some low-resource ISAs, an adequate amount of data is hard to find, preventing deep learning from being widely adopted for binary analysis. To overcome the data scarcity problem and facilitate cross-architecture binary code analysis, we propose to apply the ideas and techniques in Neural Machine Translation (NMT) to binary code analysis. Our insight is that a binary, after disassembly, is represented in some assembly language. Given a binary in a low-resource ISA, we translate it to a binary in a high-resource ISA (e.g., x86). Then we can use a model that has been trained on the high-resource ISA to test the translated binary. We have implemented the model called UNSUPERBINTRANS, and conducted experiments to evaluate its performance. Specifically, we conducted two downstream tasks, including code similarity detection and vulnerability discovery. In both tasks, we achieved high accuracies.

Software Engineering,Cryptography and Security

Haoran Guo,Jianmin Pang,Yichi Zhang,Feng Yue

DOI: https://doi.org/10.1109/icicisys.2010.5658586

2010-01-01

Abstract:Malware has become one of the most serious threats to computer information system. In this paper, we describe HERO (Hybrid security extension of binary translation), a novel framework that exploits static and dynamic binary translation features to detect broad spectrum malware and prevent its execution. By operating directly on binary code without any assumption on the availability of source code, HERO is appropriate for translating low-level binary code to high-level proper representation, obtaining CFG (Control Flow Graph) and other high-level Control Structure by static binary translation-based analyzer. Then Critical API Graph based on CFG is generated to do sub-graph matching with the defined Malware Behavior Template. If static analysis cannot finish generating CFG because of code obfuscation used in malware, the dynamic binary translation based analyzer in HERO is called to undertake the process to take on the remaining code analysis. Compared with other detection approaches, HERO is found to be very efficient in terms of detection capability and false alarm rate.

Fan Xu,Li Shen,Zhiying Wang

DOI: https://doi.org/10.1109/cit.2010.394

2010-01-01

Abstract:Dynamic binary translation and optimization is one of the most important essential techniques for computing system virtualization. This paper proposes a new dynamic translation framework for co-designed virtual machines. It generates and handles translation requests based on page fault mechanism provided in Linux kernel. In this new framework, the translation of guest codes and the execution of translated codes can be performed on different processors in parallel. The framework support the coprocessor translating guest code pages and the host CPU executing translated pages simultaneously, thus the translator becomes more efficient. The paper also presents a qualitative analysis of the time cost in our framework on an x86-ARM co-designed dynamic binary translation system, and suggests that the performance of this framework can be further improved if shared memory between host CPU and coprocessor is used. The framework can also be used in a dynamic binary translator on multi-core platforms.

SUN Ming,GU Da-wu,LI Juan-ru,LUO Yu-hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.02.068

2012-01-01

Abstract:Static binary analysis methods cannot meet the demand for malicious code analysis,and the traditional dynamic analysis approaches cannot effectively find the critical information among the huge amount of dynamic binary code.This paper gave a kind of differential analysis approach on dynamic binary code and provided its model and method.This approach could effectively extract the sensitive information from malicious code and make the function module or data spread understood.Finally,it provided an experiment based on differential binary analysis system,which validated the capability and efficiency of the approach.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Yuan Yao,Zhongyong Lu,Qingsong Shi,Wenzhi Chen

DOI: https://doi.org/10.1109/FPL.2013.6645554

2013-01-01

Abstract:Binary translation is used to allow applications of one instruction set architecture (ISA) to run on another, thereby maintaining the binary level compatibility across ISAs. Conventional software binary translation systems suffer performance loss because of architectural heterogeneity amongst ISAs, control flow translation and context switches. In this paper, we propose an FPGA based hardware-software co-designed dynamic binary translation (DBT) system, which moderates these issues at a low level of hardware cost. In our DBT system, we propose a MIPS condition code flags register and a modest ISA extension to bridge the architectural gap, a hardware address mapping mechanism to accelerate the handling of control flow instructions, and a scratchpad memory to reduce performance loss during context switches. We implement the system on Xilinx XC5VLX110T. Quantitative experiments reveal that the overall performance improvement is 56.1% over the baseline configuration, with only extra 1.4% of slices and 5.4% of BRAMs of Xilinx XC5VLX110T occupied.

王荣华,孟建熠,陈志坚,严晓浪

DOI: https://doi.org/10.15514/ispras-2012-22-13

2014-01-01

Abstract:An efficient mapping method named compare and condition branch fast mapping algorithm was proposed in order to improve emulating and processing speed of condition flags. The algorithm mainly focuses on 'compare and condition branch' instruction pairs which occupy a large proportion of condition code defining and using instruction pair. The method dynamically identifies and extracts the "compare and condition branch" instruction pair in the source block and completes instruction mapping by using the inherent conditional dependencies of the target machine. By avoiding the complex and uniform traditional processes for these special instruction pairs, dynamic binary translator has achieved great performance improvement. Results of benchmark on QEMU emulator showed that the generated instruction number for translating condition code was reduced by 20% to 90% than that of traditional methods.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Jinhu Jiang,Chaoyi Liang,Rongchao Dong,Zhaohui Yang,Zhongjun Zhou,Wenwen Wang,Pen-Chung Yew,Weihua Zhang

2024-02-15

Abstract:System-level emulators have been used extensively for system design, debugging and evaluation. They work by providing a system-level virtual machine to support a guest operating system (OS) running on a platform with the same or different native OS that uses the same or different instruction-set architecture. For such system-level emulation, dynamic binary translation (DBT) is one of the core technologies. A recently proposed learning-based DBT approach has shown a significantly improved performance with a higher quality of translated code using automatically learned translation rules. However, it has only been applied to user-level emulation, and not yet to system-level emulation. In this paper, we explore the feasibility of applying this approach to improve system-level emulation, and use QEMU to build a prototype. ... To achieve better performance, we leverage several optimizations that include coordination overhead reduction to reduce the overhead of each coordination, and coordination elimination and code scheduling to reduce the coordination frequency. Experimental results show that it can achieve an average of 1.36X speedup over QEMU 6.1 with negligible coordination overhead in the system emulation mode using SPEC CINT2006 as application benchmarks and 1.15X on real-world applications.

Operating Systems,Performance

Jiunn-Yeu Chen,Wuu Yang,Wei-Chung Hsu,Bor-Yeh Shen,Quan-Huei Ou

DOI: https://doi.org/10.1145/2996458

2017-08-31

ACM Transactions on Embedded Computing Systems

Abstract:Code discovery has been a main challenge for static binary translation, especially when the source instruction set architecture has variable-length instructions, such as the x86 architectures. Due to embedded data such as PC (program counter)-relative data, jump tables, or paddings in the code section, a binary translator may be misled to translate data as instructions. For variable-length instructions, once a piece of data is mis-translated as instructions, decoding subsequent bytes could also go wrong. We are concerned with static binary translation for the very popular Advanced RISC Machine (ARM) architectures. Although ARM is considered a reduced instruction set computer architecture, it does allow the mix of 32-bit (ARM) instructions and 16-bit (Thumb) instructions in the same executables. In addition to different instruction lengths, the ARM and Thumb instructions are located at 4-byte or 2-byte aligned addresses, respectively. Furthermore, because ARM and Thumb instructions share the same encoding space, a 4-byte word could sometimes be decoded as one ARM instruction or two Thumb instructions. The correct decoding of this 4-byte word is actually determined at runtime by the least-significant bit of the program counter. For unstripped binaries, the mapping symbols can be used to identify ARM code regions and Thumb code regions. However, for stripped binaries, such mapping symbols are unavailable. We propose a novel solution to statically translate stripped ARM/Thumb mixed executables. Our solution is implemented in a static binary translator. The binary translator further generates multiple versions of translated code for the code regions whose types cannot be determined with our solution. One of the code versions is selected during runtime. The binary translator also includes a series of analyses that enable the removal of most useless code versions. Based on the experimental results on stripped ARM/Thumb mixed binaries in the SPEC2006 and Embedded Microprocessor Benchmark Consortium (EEMBC) benchmark suites, our static binary translator achieves impressive performance when migrating them to run on x86 machines and the space overhead is no more than 10%.

computer science, software engineering, hardware & architecture

Yong Wang,Hailin Yan,Zhenyan Liu,Jingfeng Xue,Changzhen Hu,Ming Li

DOI: https://doi.org/10.1109/3pgcic.2015.102

2015-01-01

Abstract:Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

Huihui Shi,Yi Wang,Haibing Guan,Alei Liang

DOI: https://doi.org/10.1145/1286341.1286342

2007-01-01

Abstract:This paper presents an intermediate language level optimization framework for dynamic binary translation. Performance is important to a dynamic binary translation system, so there has been a growing interest in exploring new optimization algorithms. The framework proposed in this paper includes efficient profiling, hot code recognition and smart code cache management policies. Profiling is responsible for collecting runtime information, which will be used by hot code recognition and code cache management algorithms. We only focus on recognizing the hottest code, and assign priorities to basic blocks according to their hotness to facilitate code cache management.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

LIU Yi,ZANG Hong-wei,XIE Ke-jia,YANG Jin-xing

DOI: https://doi.org/10.3321/j.issn:1000-274x.2004.06.010

2004-01-01

Abstract:Aim To meet the need of engineering application, the technology of binary-translation is introduced, which deals with key problem of Avionics system-Reusing of complied software in the updated processor. Methods By building up a virtual machine, translatate the complied executive code of the older processor into new processor′s. Then give the description of principle and realization of the system of Dynamic Binary-Translation(BTASUP).Results It keeps pace of the processor′s update frequently in the Avionics system.Conclusion This work has very important engineering value.

AN Jing,YANG Yi-xian,LI Zhong-xian

DOI: https://doi.org/10.4304/jnw.9.5.1208-1214

2014-01-01

Journal of Networks

Abstract:Code obfuscation is one of the main methods to hide malicious code. This paper proposes a new dynamic method which can effectively detect obfuscated malicious code. This method uses ISR to conduct dynamic debugging. The constraint solving during debugging process can detect deeply hidden malicious code by covering different execution paths. Besides, for malicious code that reads external resources, usually the detection of abnormal behaviors can only be detected by taking the resources into consideration. The method in this paper has better accuracy by locating the external resources precisely and combining it with the analysis of original malicious code. According to the experiment result of some anti-virus software, our prototype system can obviously improve the detection efficiency.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

GUAN Xiao-feng,LIANG A-lei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.27.029

2008-01-01

Abstract:Dynamic binary translation is widely used technology applied to virtual machine system.Binary translation has a good performance because of the support of techniques such as code caching,native code execution,code block linking,dynamic hot-path superblock generation,etc.This paper is the research about optimizing CrossBit,which is a resourceable and retargetable binary translation system.Via some analyses,some general ideas and solution to the optimization method of dynamic translation system are introduced.By experiment,the strategy of implementing optimization method to dynamic binary translation systems is gotten with different system configurations and different workloads.

Fathi H. Amsaad,Junjie Zhang,M. Pk,Al Amin Hossain

DOI: https://doi.org/10.1109/NAECON61878.2024.10670668

2024-07-15

Abstract:The rapid evolution of cyber threats raises the inevitability of the advancement of innovative and effective approaches in cybersecurity. There are numerous cyber threats; among these threats, malicious code, including viruses, worms, and sophisticated malware, poses significant risks to digital systems. The existing threat detection methods often rely on signature-based techniques and need help to keep pace with the dynamic and evolving characteristics of malware. Large language models (LLMs) such as GPT-4, renowned for their ability to perform natural language processing, offer a promising alternative for enhancing malicious code detection. This research paper proposes a novel approach using large language models (LLMs) to detect unwanted malicious code in Java source code, leveraging the Mixtral architecture. The Mixtral model is trained on a diverse dataset of benign and malicious Java code, enabling it to learn complex patterns and characteristics of malicious code. Experimental results validate the efficiency of the proposed in identifying malicious code, outperforming existing static analysis tools.

Computer Science