Nuggets tagged software
Sept. 1, 2014 (2 years, 9 months ago)
This paper proposes BYTEWEIGHT, a new automatic function identification algorithm for binary code. Because the approach learns the key features that mark a function start from labelled training binaries, rather than relying on fixed signatures, it can be retrained for different platforms, new compilers, and new optimizations. BYTEWEIGHT was evaluated against three currently used tools that perform function identification, IDA, BAP, and Dyninst, and outperformed them in precision and recall. Function identification matters because it underpins binary analysis tasks such as protecting binaries with control-flow integrity, extracting code sequences from malware or untrusted code, and hot patching of vulnerabilities.
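To make the learning step concrete, here is a deliberately simplified sketch of the idea in the style of BYTEWEIGHT's weighted prefix tree. It is an added illustration, not the paper's code or dataset: the prefix depth (4 bytes), the decision threshold (0.5) and the x86 byte snippets used as training and test "binaries" are all assumptions constructed for the demo. Every byte sequence of length 1 to 4 starting at each offset is counted, along with how often that sequence began a function; at identification time each offset is scored with the weight of the longest prefix that was seen during training.

```python
"""Simplified ByteWeight-style function-start identification (illustration only).

A weighted prefix tree is trained on labelled code: every byte sequence of
length 1..MAX_PREFIX starting at each offset is recorded, together with how
often that sequence began a function.  At identification time each offset is
scored by the weight of the longest prefix seen during training.  All byte
strings below are constructed x86 snippets, not data from the paper.
"""
from collections import defaultdict

MAX_PREFIX = 4      # assumption: the paper's tree is deeper; 4 keeps the demo small
THRESHOLD = 0.5     # assumption: decision threshold on the learned weight

PROLOGUE = bytes.fromhex("5589e5")   # push ebp; mov ebp, esp
EPILOGUE = bytes.fromhex("5dc3")     # pop ebp; ret


class WeightedPrefixTree:
    """Maps byte-sequence prefixes to P(function start | prefix) learned from data."""

    def __init__(self, max_len=MAX_PREFIX):
        self.max_len = max_len
        self.total = defaultdict(int)   # prefix -> occurrences at any offset
        self.starts = defaultdict(int)  # prefix -> occurrences at a true function start

    def train(self, code, start_offsets):
        for off in range(len(code)):
            is_start = off in start_offsets
            for n in range(1, self.max_len + 1):
                if off + n > len(code):
                    break
                prefix = code[off:off + n]
                self.total[prefix] += 1
                if is_start:
                    self.starts[prefix] += 1

    def weight(self, prefix):
        seen = self.total.get(prefix, 0)
        return self.starts.get(prefix, 0) / seen if seen else 0.0

    def score(self, code, off):
        # Longest-match lookup: try the deepest prefix seen in training first.
        for n in range(self.max_len, 0, -1):
            prefix = code[off:off + n]
            if len(prefix) == n and prefix in self.total:
                return self.weight(prefix)
        return 0.0  # never seen any prefix at this offset

    def find_function_starts(self, code, threshold=THRESHOLD):
        return [off for off in range(len(code)) if self.score(code, off) > threshold]


def build_binary(bodies):
    """Wrap each body in prologue/epilogue; return (code, true start offsets). Constructed data."""
    code = bytearray()
    starts = set()
    for body in bodies:
        starts.add(len(code))
        code += PROLOGUE + body + EPILOGUE
    return bytes(code), starts


# Constructed training functions.  "6a 55" (push 0x55) plants the prologue's
# first byte mid-function, so the one-byte prefix 0x55 is deliberately ambiguous.
TRAIN_BODIES = [
    bytes.fromhex("83ec10 6a55 e800000000 83c404"),
    bytes.fromhex("6a55 6a55 e800000000 83c408"),
    bytes.fromhex("b801000000 6a55 e800000000"),
]
# Constructed test functions whose bodies were not seen in training.
TEST_BODIES = [
    bytes.fromhex("83ec08 6a55 8b4508 83c408"),
    bytes.fromhex("31c9 41"),
]


def train_demo():
    code, starts = build_binary(TRAIN_BODIES)
    tree = WeightedPrefixTree()
    tree.train(code, starts)
    return tree


def evaluate(tree, code, truth, threshold=THRESHOLD):
    """Precision and recall of the predicted start offsets against the ground truth."""
    predicted = set(tree.find_function_starts(code, threshold))
    tp = len(predicted & truth)
    precision = tp / len(predicted) if predicted else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    tree = train_demo()
    print("weight(55 89 e5) =", tree.weight(PROLOGUE))
    print("weight(55)       =", round(tree.weight(b"\x55"), 3))
    code, truth = build_binary(TEST_BODIES)
    print("predicted starts:", tree.find_function_starts(code), "truth:", sorted(truth))
    print("precision/recall:", evaluate(tree, code, truth))
```

The point of the mid-function `push 0x55` is that a one-byte prefix is useless on its own (its learned weight is 3/7), while the three-byte prologue is seen only at function starts and gets weight 1.0; the longest-match rule is what lets the tree distinguish the two. A real training set would also contain functions without a frame-pointer prologue, which is exactly the case that hand-written signatures miss and that learning from the compiler's actual output is meant to cover.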
July 22, 2014 (2 years, 11 months ago)
Unfortunately this paper is behind a paywall, but a short preview is accessible. It claims a 97% success rate in detecting metamorphic malware. Metamorphic malware has been around for a number of years; it rewrites its own code as it propagates in order to evade anti-virus defences, which work by matching previously seen code signatures. This approach instead identifies features characteristic of metamorphic assembly code, such as instructions that change registers, instructions that change control flow, and code fragmentation. Metamorphic code is rarely used in legitimate software, so features indicative of such behaviour should yield a low false positive rate. However, although metamorphism is a key tactic for virus writers who want widely distributed attacks, it is less important in Advanced Persistent Threats, which deliberately avoid propagating too extensively so as not to attract the attention of anti-malware tools and researchers in the first place.