Publicação: Context-sensitive analysis of obfuscated x86 executables
| dc.contributor.author | Lakhotia, Arun | |
| dc.contributor.author | Boccardo, Davidson R. [UNESP] | |
| dc.contributor.author | Singh, Anshuman | |
| dc.contributor.author | Manacero Jr., Aleardo [UNESP] | |
| dc.contributor.institution | University of Louisiana | |
| dc.contributor.institution | Universidade Estadual Paulista (Unesp) | |
| dc.date.accessioned | 2014-05-27T11:24:40Z | |
| dc.date.available | 2014-05-27T11:24:40Z | |
| dc.date.issued | 2010-04-20 | |
| dc.description.abstract | A method for context-sensitive analysis of binaries that may have obfuscated procedure call and return operations is presented. Such binaries may use operators to directly manipulate stack instead of using native call and ret instructions to achieve equivalent behavior. Since definition of context-sensitivity and algorithms for context-sensitive analysis have thus far been based on the specific semantics associated to procedure call and return operations, classic interprocedural analyses cannot be used reliably for analyzing programs in which these operations cannot be discerned. A new notion of context-sensitivity is introduced that is based on the state of the stack at any instruction. While changes in 'calling'-context are associated with transfer of control, and hence can be reasoned in terms of paths in an interprocedural control flow graph (ICFG), the same is not true of changes in 'stack'-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of call-strings based methods for the context-sensitive analysis using stack-context. The method presented is used to create a context-sensitive version of Venable et al.'s algorithm for detecting obfuscated calls. Experimental results show that the context-sensitive version of the algorithm generates more precise results and is also computationally more efficient than its context-insensitive counterpart. Copyright © 2010 ACM. | en |
| dc.description.affiliation | Center for Advanced Computer Studies University of Louisiana, Lafayette, LA | |
| dc.description.affiliation | Electrical Engineering Dept. Paulista State University (UNESP) | |
| dc.description.affiliationUnesp | Electrical Engineering Dept. Paulista State University (UNESP) | |
| dc.format.extent | 131-140 | |
| dc.identifier | http://dx.doi.org/10.1145/1706356.1706381 | |
| dc.identifier.citation | Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, p. 131-140. | |
| dc.identifier.doi | 10.1145/1706356.1706381 | |
| dc.identifier.scopus | 2-s2.0-77950882873 | |
| dc.identifier.uri | http://hdl.handle.net/11449/71657 | |
| dc.language.iso | eng | |
| dc.relation.ispartof | Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation | |
| dc.rights.accessRights | Acesso aberto | |
| dc.source | Scopus | |
| dc.subject | Analysis of bianries | |
| dc.subject | Context-sensitive analysis | |
| dc.subject | Deobfuscation | |
| dc.subject | Obfuscation | |
| dc.subject | Abstract interpretations | |
| dc.subject | Context sensitivity | |
| dc.subject | Context-sensitive | |
| dc.subject | Control flow graphs | |
| dc.subject | Executables | |
| dc.subject | Inter-procedural | |
| dc.subject | Inter-procedural analysis | |
| dc.subject | Procedure call | |
| dc.subject | Specific semantics | |
| dc.subject | Mathematical operators | |
| dc.subject | Program interpreters | |
| dc.subject | Technical presentations | |
| dc.subject | Java programming language | |
| dc.title | Context-sensitive analysis of obfuscated x86 executables | en |
| dc.type | Trabalho apresentado em evento | |
| dcterms.license | http://www.acm.org/publications/copyright-statement | |
| dspace.entity.type | Publication |