Disasm

Disassembly of obfuscated binary code

Description

The disasm project investigates the use of binary analysis techniques to statically detect malicious behavior or vulnerable code in binary objects. Applying analysis techniques at the binary level, rather than at the source code level, is motivated by a number of reasons. First, the source code of an application is not always available; for example, most proprietary applications are distributed in binary form only. Second, even when the source code of a program written in a compiled language is available, the transformations performed by compilers and optimizers may subtly alter the actual behavior of the application and, consequently, invalidate the results of an analysis performed at the source code level. In the disasm project, we explored different uses of binary analysis. In particular, we used binary analysis:
  • To extend basic disassembly techniques in order to deal effectively with obfuscated code.
  • To statically detect malicious behavior in executables. We applied this idea to identify polymorphic worms and Linux kernel-level rootkits.
  • To automatically mount "mimicry" attacks against system call-based intrusion detection systems and evade them.

Publications

2005 (2 publications)

Automating Mimicry Attacks Using Static Binary Analysis. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, G. Vigna. Proceedings of the USENIX Security Symposium (USENIX Security 2005).

Polymorphic Worm Detection Using Structural Information of Executables. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, G. Vigna. Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID 2005).

2004 (2 publications)

Detecting Kernel-Level Rootkits Through Binary Analysis. C. Kruegel, W. Robertson, G. Vigna. Proceedings of the Annual Computer Security Applications Conference (ACSAC 2004).

Static Disassembly of Obfuscated Binaries. C. Kruegel, W. Robertson, F. Valeur, G. Vigna. Proceedings of the USENIX Security Symposium (USENIX Security 2004).

This research was supported by the Army Research Office under agreement DAAD19-01-1-0484 and by the National Science Foundation under grants CCR-0209065 and CCR-0238492.

Last update
May 24, 2011, 11 a.m.