Presentation is loading. Please wait.

Presentation is loading. Please wait.

Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere."— Presentation transcript:

1 Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere

2 2 Problem Alice Bob Wendy Embedder Extractor

3 3 Location of the Secret Message oMedia human senses redundant bits oExecutables processors single-bit failure NOISE ⇒ CHOICE

4 4 01 Embedding Bits in a Choice 00011011

5 5 Embedding Bits in a Choice 5 4 3 2 1 0 12481632 alternatives bitsbits n=7 ⇒ 3 unused n=31 ⇒ 15 unused

6 6 00011000011011 00001010011001011101 Embedding Bits in a Choice

7 7 5 4 3 2 1 0 12481632 alternatives bitsbits

8 8 Instruction Selection Alice Bob Selection

9 9 Instruction Selection mov 0,reg sub reg,reg and 0,reg xor reg,reg lea 0,reg imul 0,reg operation: reg=0 sub -1,reg add 1,reg inc reg lea 1(reg),reg operation: reg=reg+1 … neg reg imul -1,reg,reg operation: reg=-reg

10 10 Alice Bob Scheduling Selection Scheduling Selection

11 11 Instruction Scheduling & Code Layout source sink oInstruction Scheduling oCode Layout pieces of code that can be placed in any order

12 12 Layout Interactions Alice Bob Scheduling Selection Layout Scheduling Selection Canonicalize

13 13 Evaluation: i386 (1) bzip2craftygapgzipmcfparsertwolfvortexvprtotal 0.000 (1/200) 0.005 (1/100) 0.010 0.015 (1/50) 0.020 (1/40) 0.025 0.030 0.035 (1/25) 0.040 instruction selection instruction scheduling code layout Benchmarks Embedding Rate Hydan

14 14 Layout Code Transformation Signatures Alice Bob Scheduling Selection Layout Scheduling Selection Wendy sub 0x8,ebp (3 byte) ⇒ lea -0x8(,ebp,1),ebp (7byte)

15 15 CTS: Instruction Selection mov 0,reg sub reg,reg and 0,reg xor reg,reg lea 0,reg imul 0,reg operation: reg=0 Wendy

16 16 oCTS: unusual code property introduced by the applied code transformation oDetection: 1.quantify property through metric 2.build statistical model of expected behavior 3.compare observed to expected behavior 4.classify code into clean and suspect Detection of CTSs

17 17 Layout Code Transformation Signatures Scheduling Selection Unusual Instructions Unusual Frequencies Diverse Schedules Suboptimal Schedules Unusual Jump Behaviour

18 18 Evaluation: i386 (2) instruction selection instruction scheduling code layout bzip2craftygapgzipmcfparsertwolfvortexvprtotal Benchmarks 0.000 (1/200) 0.005 (1/100) 0.010 0.015 (1/50) 0.020 (1/40) 0.025 0.030 0.035 (1/25) 0.040 Embedding Rate Hydan

19 Questions?

Download ppt "Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere."

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Steganography - A review Lidan Miao 11/03/03. Outline History Motivation Application System model Steganographic methods Steganalysis Evaluation and benchmarking.

Steganography - A review Lidan Miao 11/03/03. Outline History Motivation Application System model Steganographic methods Steganalysis Evaluation and benchmarking.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 5 Program Design and Analysis.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 5 Program Design and Analysis.
Whole-Program Linear-Constant Analysis with Applications to Link-Time Optimization Ludo Van Put – Dominique Chanet – Koen De Bosschere Ghent University.

Whole-Program Linear-Constant Analysis with Applications to Link-Time Optimization Ludo Van Put – Dominique Chanet – Koen De Bosschere Ghent University.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
80x86 Instruction Set Dr. Qiang Lin.

80x86 Instruction Set Dr. Qiang Lin.
Computer Organization And Assembly Language

Computer Organization And Assembly Language
Binary Program Rewriting with Diablo – Bjorn De Sutter – 2006-6-11 Engineering Sciences Faculty – Electronics and Information Systems Department p. 1 Binary.

Binary Program Rewriting with Diablo – Bjorn De Sutter – Engineering Sciences Faculty – Electronics and Information Systems Department p. 1 Binary.
-Archana Sapkota -Deepti Reddy Steganography 1 CS691 Summer 2009.

-Archana Sapkota -Deepti Reddy Steganography 1 CS691 Summer 2009.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
9-1 ECE 424 Design of Microprocessor-Based Systems Haibo Wang ECE Department Southern Illinois University Carbondale, IL 62901 80x86 Instructions Part.

9-1 ECE 424 Design of Microprocessor-Based Systems Haibo Wang ECE Department Southern Illinois University Carbondale, IL x86 Instructions Part.
CSCI 530L Steganography and Steganalysis. Administrative issues If you have not yet signed up for a Lab Section, do so now. Most lab sections are full.

CSCI 530L Steganography and Steganalysis. Administrative issues If you have not yet signed up for a Lab Section, do so now. Most lab sections are full.
STEGANOGRPAHY [APPLICATION – I]

STEGANOGRPAHY [APPLICATION – I]
Evaluation of the Gini-index for Studying Branch Prediction Features Veerle Desmet Lieven Eeckhout Koen De Bosschere.

Evaluation of the Gini-index for Studying Branch Prediction Features Veerle Desmet Lieven Eeckhout Koen De Bosschere.
A Model for Self-Modifying Code Bertrand Anckaert, Matias Madou and Koen De Bosschere 8 th Information Hiding Conference, July 11 th 2006.

A Model for Self-Modifying Code Bertrand Anckaert, Matias Madou and Koen De Bosschere 8 th Information Hiding Conference, July 11 th 2006.
Flag Control instructions CLC clear carry flag CF = 0 STC set carry flag CF= 1 CMC complement carry flag [CF] CF.

Flag Control instructions CLC clear carry flag CF = 0 STC set carry flag CF= 1 CMC complement carry flag [CF] CF.
SSGRR 20031 A Taxonomy of Execution Replay Systems Frank Cornelis Andy Georges Mark Christiaens Michiel Ronsse Tom Ghesquiere Koen De Bosschere Dept. ELIS.

SSGRR A Taxonomy of Execution Replay Systems Frank Cornelis Andy Georges Mark Christiaens Michiel Ronsse Tom Ghesquiere Koen De Bosschere Dept. ELIS.
LAB Flag Bits and Register

LAB Flag Bits and Register
Part 2: Packet Transmission Packets, frames Local area networks (LANs) Wide area networks (LANs) Hardware addresses Bridges and switches Routing and protocols.

Part 2: Packet Transmission Packets, frames Local area networks (LANs) Wide area networks (LANs) Hardware addresses Bridges and switches Routing and protocols.
Telecommunications Networking II Lecture 41f Viruses and Worms.

Telecommunications Networking II Lecture 41f Viruses and Worms.

Similar presentations

Ads by Google