Disassembly of obfuscated binary code
Description

The disasm project investigates the use of binary analysis techniques to statically detect malicious behavior or vulnerable code in binary objects. The application of analysis techniques at the binary level, as opposed to the source code level, is motivated by a number of reasons. First, it is not always the case that the source code of an application is available. For example, most proprietary applications are distributed in binary form only. Second, even when the source code for compiled languages is available, transformations performed by compilers and optimizer tools may subtly alter the actual behavior of an application and, consequently, invalidate the results of an analysis performed at the source code level. In the disasm project, we explored different uses of binary analysis. In particular, we used binary analysis:
- To extend basic disassembly techniques in order to effectively deal with obfuscated code.
- To statically detect malicious behavior in executables. We applied this idea to identify polymorphic worms and Linux kernel-level rootkits.
- To automatically mount "mimicry" attacks against system call-based intrusion detection systems and evade them.
2005 (2 publications)
Automating Mimicry Attacks Using Static Binary Analysis. Proceedings of the USENIX Security Symposium (USENIX Security 2005).
Polymorphic Worm Detection Using Structural Information of Executables. Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID 2005).
2004 (2 publications)
Detecting Kernel-Level Rootkits Through Binary Analysis. Proceedings of the Annual Computer Security Applications Conference (ACSAC 2004). PDF (788.3 KB)