Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

9-2011

Abstract

Trigger-based code (malicious in many cases, but not necessarily) only executes when specific inputs are received. Symbolic execution has been one of the most powerful techniques in discovering such malicious code and analyzing the trigger condition. We propose a novel automatic malware obfuscation technique to make analysis based on symbolic execution difficult. Unlike previously proposed techniques, the obfuscated code from our tool does not use any cryptographic operations and makes use of only linear operations which symbolic execution is believed to be good in analyzing. The obfuscated code incorporates unsolved conjectures and adds a simple loop to the original code, making it less than one hundred bytes longer and hard to be differentiated from normal programs. Evaluation shows that applying symbolic execution to the obfuscated code is inefficient in finding the trigger condition. We discuss strengths and weaknesses of the proposed technique.

Keywords

Software obfuscation, symbolic execution, malware analysis

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

Computer Security - ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14: Proceedings

Volume

6879

First Page

210

Last Page

226

ISBN

9783642238222

Identifier

10.1007/978-3-642-23822-2_12

Publisher

Springer Verlag

City or Country

Leuven, Belgium

Additional URL

http://flyer.sis.smu.edu.sg/esorics11.pdf

Download

Share

COinS