Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Zhe Fang,Minglu Li,Chuliang Weng,Yuan Luo

DOI: https://doi.org/10.1007/978-3-642-10665-1_8

2009-01-01

Abstract:The binary translator is a software component of a computer system. It converts binary code of one ISA into binary code of another ISA. Recent trends show that binary translators have been used to save CPU power consumption and CPU die size, which makes binary translators a possible indispensable component of future computer systems. And such situation would give new opportunities to the security of these computer systems. One of the opportunities is that we can perform malicious code checking dynamically in the layer of binary translators. This approach has many advantages, both in terms of capability of detection and checking overhead. In this paper, we proposed a working dynamic malicious code checking module integrated to an existent open-source binary translator, QEMU, and explained that our module's capability of detection is superior to other malicious code checking methods while acceptable performance is still maintained.

Hongfa Xue,Shaowen Sun,Guru Venkataramani,Tian Lan

DOI: https://doi.org/10.1109/access.2019.2917668

IF: 3.9

2019-01-01

IEEE Access

Abstract:Binary code analysis is crucial in various software engineering tasks, such as malware detection, code refactoring, and plagiarism detection. With the rapid growth of software complexity and the increasing number of heterogeneous computing platforms, binary analysis is particularly critical and more important than ever. Traditionally adopted techniques for binary code analysis are facing multiple challenges, such as the need for cross-platform analysis, high scalability and speed, and improved fidelity, to name a few. To meet these challenges, machine learning-based binary code analysis frameworks attract substantial attention due to their automated feature extraction and drastically reduced efforts needed on large-scale programs. In this paper, we provide the taxonomy of machine learning-based binary code analysis, describe the recent advances and key findings on the topic, and discuss the key challenges and opportunities. Finally, we present our thoughts for future directions on this topic.

DENG Chao-guo,GU Da-wu,LI Juan-ru,SUN Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.04.066

2011-01-01

Abstract:This paper proposed an approach of binary analysis based on full-system emulation and instruction-flow analysis technology.This approach ran executable binary code on a virtual machine which used full-system emulation technology,and then captured and analyzed runtime instruction-flow information to figure out this program's feature.This paper covered design and implement of such a binary code analysis system.Experiment result illustrates that it is more efficient and general to capture,extract and analyze runtime instruction-flow information by using this system.This approach is particularly effective to analyze binary code which uses anti-analysis technology.

Zian Liu,Chao Chen,Ahmed Ejaz,Dongxi Liu,Jun Zhang

DOI: https://doi.org/10.1007/978-3-031-22677-9_21

2022-01-01

Abstract:Binary code analysis is a process of analyzing the software or operating system when source code is inaccessible. This scenario occurs when one needs to analyze malware, a compiled software, or a closed-sourced operating system such as Windows, IOS, etc. In these scenarios, the source codes are deliberately made inaccessible by the vendor or programmer for various reasons. Binary analysis contains a wide range of analysis aims, techniques and methodologies. We concluded the methodologies into two categories: data-driven analysis and software-engineering-based analysis. Each category has a similar process in their methodology. We also concluded their limitation and summaries the challenges and future work.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Meng Li,Xiaoqi Jia,Rui Wang,Dongdai Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.08.063

2015-01-01

Abstract:In malicious code analysis and detection, the static analysis techniques are not effective to detect metamorphic/polymorphic ma-licious codes.Aiming at this problem, this paper proposes an approach for extracting the dynamic features of malicious code semantics.The method extracts the dynamic features of malicious codes in virtual environment so as to achieve the purpose of protecting physical machine. The primitive features extracted are then further sifted and processed to obtain API calling sequence information in regard to various code sam-ples.In order to make the features more effective, the traditional n-gram model is improved and the n-gram frequency information and the de-pendencies between APIs are added, the improved n-gram model is built as well.The analysis part in experimental result uses the machine learning methods, the decision trees, k-nearest neighbour, support vector machine and Bayesian networks are employed separately to perform a 10-fold crossover validation on the selected sample features.Experimental results show that this feature selection has best detection effect using decision tree J48, it can effectively detect the malicious codes using confusion and polymorphism technologies.

Yilun Wu,Bofeng Zhang,Zhiquan Lai,Jinshu Su

DOI: https://doi.org/10.1109/icsess.2012.6269469

2012-01-01

Abstract:Malware is a tremendous threat on the Internet. Current malware analysis systems focus on listing the malware behaviors, but make no mention of malware network behaviors which results in malware's self-duplication and self-propagation on the Internet. In this paper, we present a new method to extract malware network behaviors. Our method is based on dynamic binary analysis and dynamic taint analysis. With the dynamic binary analysis, we can extract the malware network behavior and the self-duplication behavior. We also present a method to catch malware self-propagation behavior by using dynamic taint analysis. Finally, we evaluate our method and the results show that our method is successful in extracting malware network behavior and identifying the malware self-duplication behavior.

Jinxin Zhong -,Wenqing Fan -,Jing An -,Miao Zhang -,Yixian Yang -

DOI: https://doi.org/10.4156/jdcta.vol6.issue4.15

2012-01-01

International Journal of Digital Content Technology and its Applications

Abstract:Nowadays, Vulnerability exploiting has become a major means of malicious code communication. In order to solve the problem that polymorphic and metamorphic vulnerability exploit variants is difficult to detect, it presents a method of detecting vulnerability exploits based on binary behavior analysis in this paper. The method track and monitor the memory and register changes the binary file's behavior results, and have a formal verification on application's behavior through intermediate‐level language. In this paper, we examine the performance of binary analysis by taking two sets of experiments for separate targets, one is 13 local file vulnerabilities, the other is web browser vulnerabilities. The results show that the exploits detection method based on binary behavior analysis can be effectively used for analysis and detection of the vulnerabilities, also with significantly reduced time and space complexity.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

TIAN Shuo,LIANG Hong-liang

DOI: https://doi.org/10.3969/j.issn.1002-137X.2009.07.002

2009-01-01

Computer Science

Abstract:A survey of static analysis methods for binary code vulnerabilities was provided.Based on summing up exis-ting static detect methods for vulnerabilities,the general procedural of binary static analysis was modeled,and transforming program information into expressive and generic intermediate representation was regarded as the key component of the analysis and as a important research direction.

Yongjun Wang,Peidai Xie,Meijian Li

DOI: https://doi.org/10.1109/ICOIN.2013.6496707

2013-01-01

Abstract:Generally there are several versions of implementations for a network protocol specification. However, these protocol implementations inevitably contain deviations, which are usually introduced by errors in engineering development process or different interpretations of software developers for the same protocol specification. Thus, discovery of protocol deviations in implementation binaries is significant for several applications, such as exploiting vulnerability and generating fingerprint from a series of protocol implementations. In this paper, we propose an approach to discover deviations based on dynamic binary analysis technique and semantic-based active testing technique. Comparing with previous similar works, the proposed approach has the following advantages: (1) It works on the binaries of protocol implementations under test, thus do not have to require source code for each implementation; (2) By observing how protocol implementation parses encrypted messages, it is able to discover deviations in cryptographic protocol implementations. We have developed a prototype system to evaluate the proposed approach, and use this system to discover deviations in several implementations of two kinds of protocols: text-based HTTP protocol and cryptography-based FTPS protocol. The results show that the prototype system can successfully discover deviations between their different implementations, and verifies the feasibility of the proposed approach.

Zheng SONG,Yongjian WANG,Bo JIN,Jiuchuan LIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.013

2016-01-01

Abstract:With the network security situation becoming increasingly worsening, detection technology that can timely and effectivly discover exploits and related advanced persistent threat(APT) attacks is of vital importance for network security. Dynamic taint analysis, which is one of the reliable exploit detection solutions, is a method that marks the non-trusted input source as tainted data, and tracks its spread with the execution of program to get the key position and data associated with the input. This paper ifrstly introduces the principle of dynamic taint analysis of binary programs and its development status in several typical systems, then analyzes existing problems with dynamic taint analysis of binary programs, and ifnally introduces the application of dynamic taint analysis. In this paper, the dynamic taint analysis technology of binary program is introduced in details, which is helpful to improve the network security protection level for important information system.

Jing Qiu,Xiaohong Su,Peijun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amm.577.852

2014-01-01

Applied Mechanics and Materials

Abstract:We present a new approach for disassembling executables with self-modifying code. Self-modifying code is very common in malware. Conventional static or dynamic approaches cannot handle self-modifying code very well. We combine static and dynamic analysis to fight against self-modifying code with the multiple-path exploration technique. The evaluation results indicate that our approach works well in disassembling executables with self-modifying code with high precision and code coverage compared with the state-of-art disassembler.

XU Tuan,QU Lei-lei,SHI Wen-chang

DOI: https://doi.org/10.11959/j.issn.2096-109x.2017.00200

2017-01-01

Abstract:Aiming at the shortcomings of the existing methods to detect the security flaws that have complex structures,a new analysis model and its application method was proposed.First,analysis models based on key information of code structures extracted from path subsets of characteristic element sets that are generated by source code element sets of code security flaws were constructed.Then the analysis model according to the statistical probability of each kind of IR statement was calculated,and the IR code group which matched the feature model was found.Finally,through the translating relation between binary codes and IR codes,various code security flaws of binary program were found out.The analysis models can be applied to both common single-process binary programs and binary parallel programs.Experimental results show that compared with the existing methods,the application of the analysis model can be more comprehensive and in-depth in detecting various types of complex binary code security flaws with higher accuracy.

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

Jinxin Liu,Hao Wu,Huabin Wang

DOI: https://doi.org/10.1049/ic.2014.0154

2014-01-01

Abstract:In recent years, the Android operating system for mobile terminals has developed very quickly. A variety of mobile devices which are using Android operating system are more than 60% in the domestic market share. With the number of Android application raising fast, a variety of information leakage, malicious chargeback, failure of operating system events occurred frequently; the safety of Android system also attracts wide attention of researchers. In this paper, combining static analysis and dynamic analysis, we present a malicious code detection method and implementation. Through the statistics of the sensitive API functions and tracking the flow of sensitive information, static analysis module uses the static analysis reverse technology to achieve the detection of malicious behaviors. And dynamic analysis module mainly uses system log analysis and records a variety of sensitive behaviors generated during the operation to discover intrusions. Furthermore, the ultimate combination of static analysis and dynamic analysis will determine whether the target software contains malicious codes.

AN Jing,YANG Yi-xian,LI Zhong-xian

DOI: https://doi.org/10.4304/jnw.9.5.1208-1214

2014-01-01

Journal of Networks

Abstract:Code obfuscation is one of the main methods to hide malicious code. This paper proposes a new dynamic method which can effectively detect obfuscated malicious code. This method uses ISR to conduct dynamic debugging. The constraint solving during debugging process can detect deeply hidden malicious code by covering different execution paths. Besides, for malicious code that reads external resources, usually the detection of abnormal behaviors can only be detected by taking the resources into consideration. The method in this paper has better accuracy by locating the external resources precisely and combining it with the analysis of original malicious code. According to the experiment result of some anti-virus software, our prototype system can obviously improve the detection efficiency.