JAIST Repository >
School of Information Science >
JAIST Research Reports >
Research Report - School of Information Science : ISSN 0918-7553 >
IS-RR-2014 >

Please use this identifier to cite or link to this item: http://hdl.handle.net/10119/12136

Title: Pushdown Model Generation of Malware
Authors: Nguyen, Minh Hai
Ogawa, Mizuhito
Quan, Thanh Tho
Keywords: concolic testing
pushdown system
malware detection
binary code analysis
self-modifying code
Issue Date: 2014-06-24
Publisher: 北陸先端科学技術大学院大学情報科学研究科
Magazine name: Research report (School of Information Science, Japan Advanced Institute of Science and Technology)
Volume: IS-RR-2014-003
Start page: 1
End page: 18
Abstract: Model checking software consists of two steps: model generation and model checking. A model is often generated statically by abstraction, and sometimes refined iteratively. However, model generation is not easy for malware, since malware is often distributed without source codes, but as binary executables. Worse, sophisticated malware tries to obfuscate its behavior, like self-modification, which dynamically modifies itself and destination of indirect jumps. This paper proposes a pushdown model generation of x86 binaries in an on-the-fly manner with concolic testing to decide the precise destinations of indirect jumps. A tool BE-PUM (Binary Emulation for Pushdown Model generation) is built on JakStab, and currently it covers 52 popular x86 instructions. Experiments are performed on 1700 malwares taken from malware database. Compared to JakStab and IDA Pro, two state-of-the-art tools in this field, BE-PUM shows better tracing ability, which sometimes shows significant differences.
URI: http://hdl.handle.net/10119/12136
Material Type: publisher
Appears in Collections:IS-RR-2014

Files in This Item:

File Description SizeFormat
IS-RR-2014-003.pdf545KbAdobe PDFView/Open

All items in DSpace are protected by copyright, with all rights reserved.


Contact : Library Information Section, Japan Advanced Institute of Science and Technology