BCARET Model Checking for Malware Detection

Nguyen, Huu-Vu; Touili, Tayssir

doi:10.1007/978-3-030-32505-3_16

Huu-Vu Nguyen¹⁰ &
Tayssir Touili¹⁰

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 11884))

Included in the following conference series:

International Colloquium on Theoretical Aspects of Computing

356 Accesses

Abstract

The number of malware is growing fast recently. Traditional malware detectors based on signature matching and code emulation are easy to bypass. To overcome this problem, model-checking appears as an efficient approach that has been extensively applied for malware detection in recent years. Pushdown systems were proposed as a natural model for programs, as they allow to take into account the program’s stack into the model. CARET and BCARET were proposed as formalisms for malicious behavior specification since they can specify properties that require matchings of calls and returns which is crucial for malware detection. In this paper, we propose to use BCARET for malicious behavior specification. Since BCARET formulas for malicious behaviors are huge, we propose to extend BCARET with variables, quantifiers and predicates over the stack. Our new logic is called SBPCARET. We reduce the malware detection problem to the model checking problem of PDSs against SBPCARET formulas, and we propose an efficient algorithm to model check SBPCARET formulas for PDSs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
\(Abs_x(B_1)\) is as defined in Sect. 3.1.

References

Alur, R., Etessami, K., Madhusudan, P.: A temporal logic of nested calls and returns. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 467–481. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24730-2_35
Chapter MATH Google Scholar
Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M.M., Lavoie, Y., Tawbi, N.: Static detection of malicious code in executable programs. Int. J. Req. Eng. 184–189, 79 (2001)
Google Scholar
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th Conference on USENIX Security Symposium - Volume 12, SSYM 2003, Berkeley, CA, USA, p. 12. USENIX Association (2003)
Google Scholar
Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11506881_11
Chapter Google Scholar
Lakhotia, A., Kumar, E.U., Venable, M.: A method for detecting obfuscated calls in malicious binaries. IEEE Trans. Softw. Eng. 31(11), 955–968 (2005)
Article Google Scholar
Nguyen, H.-V., Touili, T.: CARET model checking for malware detection. In: SPIN 2017 (2017)
Google Scholar
Nguyen, H.-V., Touili, T.: CARET model checking for pushdown systems. In: SAC 2017 (2017)
Google Scholar
Nguyen, H.-V., Touili, T.: Branching temporal logic of calls and returns for pushdown systems. In: Furia, C.A., Winter, K. (eds.) IFM 2018. LNCS, vol. 11023, pp. 326–345. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98938-9_19
Chapter Google Scholar
Schwoon, S.: Model-checking pushdown systems. Dissertation, Technische Universität München, München (2002)
Google Scholar
Song, F., Touili, T.: Pushdown model checking for malware detection. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 110–125. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5_9
Chapter MATH Google Scholar
Song, F., Touili, T.: Efficient malware detection using model-checking. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 418–433. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32759-9_34
Chapter Google Scholar
Song, F., Touili, T.: LTL model-checking for malware detection. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 416–431. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_29
Chapter MATH Google Scholar
Song, F., Touili, T.: PoMMaDe: pushdown model-checking for malware detection. In: SIGSOFT 2013 (2013)
Google Scholar

Download references

Author information

Authors and Affiliations

LIPN, CNRS and University Paris 13, Villetaneuse, France
Huu-Vu Nguyen & Tayssir Touili

Authors

Huu-Vu Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Tayssir Touili
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Huu-Vu Nguyen or Tayssir Touili .

Editor information

Editors and Affiliations

University of Sheffield, Sheffield, UK
Robert Mark Hierons
University of Bordeaux, Talence, France
Mohamed Mosbah

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Nguyen, HV., Touili, T. (2019). BCARET Model Checking for Malware Detection. In: Hierons, R., Mosbah, M. (eds) Theoretical Aspects of Computing – ICTAC 2019. ICTAC 2019. Lecture Notes in Computer Science(), vol 11884. Springer, Cham. https://doi.org/10.1007/978-3-030-32505-3_16

Download citation

DOI: https://doi.org/10.1007/978-3-030-32505-3_16
Published: 22 October 2019
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32504-6
Online ISBN: 978-3-030-32505-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics