Summary
The classification of an unknown binary program as malicious or benign requires two steps. In the first step, the stream of bytes that constitutes the program has to be transformed (or disassembled) into the corresponding sequence of machine instructions. In the second step, based on this machine code representation, static or dynamic code analysis techniques can be applied to determine the properties and function of the program.
Both the disassembly and code analysis steps can be foiled by techniques that obfuscate the binary representation of a program. Thus, robust techniques are required that deliver reliable results under such adverse circumstances. In this chapter, we introduce a disassembly technique that can deal with obfuscated binaries. We also introduce a static code analysis approach that can identify high-level semantic properties of code that are difficult to conceal.
Copyright information
© 2007 Springer Science+Business Media, LLC.
Cite this paper
Vigna, G. (2007). Static Disassembly and Code Analysis. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_2
DOI: https://doi.org/10.1007/978-0-387-44599-1_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-32720-4
Online ISBN: 978-0-387-44599-1
eBook Packages: Computer Science (R0)