12th USENIX Security Symposium Abstract
Pp. 169-186 of the Proceedings
Static Analysis of Executables to Detect Malicious Patterns
Mihai Christodorescu and Somesh Jha, University of Wisconsin, Madison
Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code-obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables).
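The following is an added illustration of the obfuscation-deobfuscation game the abstract describes; it is not code from the paper or from SAFE. It contrasts a scanner that matches a signature byte-for-byte (here, mnemonic-for-mnemonic) against one that first normalises the instruction stream. The signature, the "original" sample, the "obfuscated" sample, and the three no-op patterns the normaliser recognises (nop, a register moved onto itself, an adjacent push/pop of the same register) are all constructed for this example; real obfuscation transformations and a real semantics-aware detector such as SAFE cover far more than this toy handles.

```python
"""Toy illustration of signature scanning versus normalised matching.

Constructed example, not code from the paper or from SAFE. Instructions are
represented as mnemonic strings standing in for real byte patterns.
"""

from typing import Dict, List

# Constructed signature: the instruction sequence the scanner is looking for.
SIGNATURE: List[str] = ["push ebp", "mov ebp, esp", "call open", "call write"]

# Constructed sample the signature was written for.
ORIGINAL: List[str] = ["push ebp", "mov ebp, esp", "call open", "call write", "ret"]

# Constructed sample: the same behaviour with semantics-preserving padding
# inserted between instructions (nop, register self-move, push/pop pair).
OBFUSCATED: List[str] = [
    "push ebp", "nop", "mov ebp, esp", "mov eax, eax",
    "push ecx", "pop ecx", "call open", "nop", "nop",
    "call write", "ret",
]


def exact_match(program: List[str], signature: List[str]) -> bool:
    """Naive scanner: the signature must appear as a contiguous run."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


def normalise(program: List[str]) -> List[str]:
    """Drop instructions that do not change program state.

    Only three constructed no-op patterns are handled: 'nop', 'mov r, r'
    (a register moved onto itself), and 'push r' immediately followed by
    'pop r' of the same register.
    """
    out: List[str] = []
    for insn in program:
        mnemonic, _, operands = insn.partition(" ")
        if mnemonic == "nop":
            continue
        if mnemonic == "mov":
            dst, _, src = operands.partition(",")
            if dst.strip() == src.strip():
                continue
        if mnemonic == "pop" and out and out[-1] == f"push {operands.strip()}":
            out.pop()  # the preceding push of the same register cancels out
            continue
        out.append(insn)
    return out


def normalised_match(program: List[str], signature: List[str]) -> bool:
    """Scanner that matches on the normalised stream rather than raw input."""
    return exact_match(normalise(program), normalise(signature))


def scan_report() -> Dict[str, bool]:
    """Verdict of each scanner on each sample (True means detected)."""
    return {
        "exact_on_original": exact_match(ORIGINAL, SIGNATURE),
        "exact_on_obfuscated": exact_match(OBFUSCATED, SIGNATURE),
        "normalised_on_original": normalised_match(ORIGINAL, SIGNATURE),
        "normalised_on_obfuscated": normalised_match(OBFUSCATED, SIGNATURE),
    }


if __name__ == "__main__":
    for name, verdict in scan_report().items():
        print(f"{name}: {'detected' if verdict else 'missed'}")
```

Running the script shows the exact scanner missing the padded sample while the normalising scanner still detects it. The design point is the one the abstract makes: a detector that keys on surface form is only as strong as the cheapest transformation that changes that form, whereas one that reasons about what the code does is stable under those transformations.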
Until August 2004, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2003 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.