[llvm-commits] CVS: llvm-www/pubs/2008-02-ImpedingMalwareAnalysis.html 2008-02-ImpedingMalwareAnalysis.pdf index.html
Chris Lattner
sabre at nondot.org
Tue Mar 18 12:59:01 PDT 2008
Changes in directory llvm-www/pubs:
2008-02-ImpedingMalwareAnalysis.html added (r1.1)
2008-02-ImpedingMalwareAnalysis.pdf added (r1.1)
index.html updated: 1.64 -> 1.65
---
Log message:
Add a paper.
---
Diffs of the changes: (+63 -0)
2008-02-ImpedingMalwareAnalysis.html | 56 +++++++++++++++++++++++++++++++++++
2008-02-ImpedingMalwareAnalysis.pdf | 0
index.html | 7 ++++
3 files changed, 63 insertions(+)
Index: llvm-www/pubs/2008-02-ImpedingMalwareAnalysis.html
diff -c /dev/null llvm-www/pubs/2008-02-ImpedingMalwareAnalysis.html:1.1
*** /dev/null Tue Mar 18 14:58:48 2008
--- llvm-www/pubs/2008-02-ImpedingMalwareAnalysis.html Tue Mar 18 14:58:37 2008
***************
*** 0 ****
--- 1,56 ----
+ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+ <html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <link rel="stylesheet" href="../llvm.css" type="text/css" media="screen" />
+ <title>Impeding Malware Analysis Using Conditional Code Obfuscation</title>
+ </head>
+ <body>
+
+ <div class="pub_title">
+ Impeding Malware Analysis Using Conditional Code Obfuscation
+ </div>
+ <div class="pub_author">
+ Monirul Sharif, Andrea Lanzi, Jonathon Giffin and Wenke Lee
+ </div>
+
+ <h2>Abstract:</h2>
+ <blockquote>
+
+ Malware programs that incorporate trigger-based behavior
+ initiate malicious activities based on conditions satisfied
+ only by specific inputs. State-of-the-art malware analyzers
+ discover code guarded by triggers via multiple path
+ exploration, symbolic execution, or forced conditional execution,
+ all without knowing the trigger inputs. We present
+ a malware obfuscation technique that automatically conceals specific
+ trigger-based behavior from these malware
+ analyzers. Our technique automatically transforms a program
+ by encrypting code that is conditionally dependent on an input
+ value with a key derived from the input and then
+ removing the key from the program. We have implemented
+ a compiler-level tool that takes a malware source program
+ and automatically generates an obfuscated binary. Experiments
+ on various existing malware samples show that our
+ tool can hide a significant portion of trigger based code. We
+ provide insight into the strengths, weaknesses, and possible
+ ways to strengthen current analysis approaches in order to
+ defeat this malware obfuscation technique.
+ </blockquote>
+
+ <h2>Published:</h2>
+
+ <p>
+ "Impeding Malware Analysis Using Conditional Code Obfuscation"<br>
+ Monirul Sharif, Andrea Lanzi, Jonathon Giffin and Wenke Lee<br>
+ In the <i>Proceedings of the 15th Annual Network and Distributed System
+ Security Symposium (NDSS'08)</i>, San Diego, CA, February 2008
+ </p>
+
+ <h2>Download:</h2>
+ <ul>
+ <li><a href="2008-02-ImpedingMalwareAnalysis.pdf">Impeding Malware Analysis Using Conditional Code Obfuscation</a> (PDF)</li>
+ </ul>
+
+ </body>
+ </html>
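Review bot: the first line declares HTML 4.01 Transitional, but the `<meta ... />` and `<link ... />` tags in the head use XHTML self-closing syntax while the later `<br>` tags are plain HTML; pick one dialect, e.g. drop the trailing `/>` on those two head tags so the markup matches the declared doctype. Minor: the abstract hyphenates "trigger-based behavior" but later writes "trigger based code"; if the abstract text is going to be touched at all, make the hyphenation consistent, otherwise leave it verbatim as quoted from the paper.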
Index: llvm-www/pubs/2008-02-ImpedingMalwareAnalysis.pdf
Index: llvm-www/pubs/index.html
diff -u llvm-www/pubs/index.html:1.64 llvm-www/pubs/index.html:1.65
--- llvm-www/pubs/index.html:1.64 Tue Feb 12 13:36:35 2008
+++ llvm-www/pubs/index.html Tue Mar 18 14:58:37 2008
@@ -2,6 +2,13 @@
<div class="www_sectiontitle">LLVM Related Publications</div>
<ol>
+
+<li>"<a href="2008-02-ImpedingMalwareAnalysis.html">Impeding Malware
+Analysis Using Conditional Code Obfuscation</a>"<br>
+Monirul Sharif, Andrea Lanzi, Jonathon Giffin and Wenke Lee<br>
+<i>Network and Distributed System Security Symposium (NDSS'08)</i>, San Diego, CA, February 2008</li>
+
+
<li>"<a href="2008-02-23-TRANSACT-TangerObjBased.html">Making Object-Based STM Practical in Unmanaged Environments</a>"<br>
Torvald Riegel and Diogo Becker de Brum<br>
<i>ACM SIGPLAN Workshop on Transactional Computing (TRANSACT 2008)</i>, Salt Lake City, Utah, 2008</li>
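Review bot: the new `<li>` is padded with one blank line before and two after, whereas the existing entries (the TRANSACT item immediately below, for instance) are not separated by blank lines; trim the three `+` blank lines so the list stays uniform. The shortened venue form "Network and Distributed System Security Symposium (NDSS'08)" matches the neighbouring entry's style, so that part is fine as is.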