Presentation is loading. Please wait.

Presentation is loading. Please wait.

Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007.

Published byDelphia Carson Modified over 9 years ago

Similar presentations

Presentation on theme: "Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007."— Presentation transcript:

1 Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007

2 Motivation Virus Signatures  Database of hexadecimals  Definitive registers Alter the registers and it is another signature

3 Register Manipulation Different registers give different signatures

4 BCSR Program generator to recognize context- sensitive binary signatures General representation of signatures, not dependent on registers The signatures are specified by the user in the source specification

5 Source Specification A signature  Binary signature  actions Variable construct  [name, size, values]  Global / Local Ambiguous source rules {definitions} % {rules} % {user subroutines}

6 Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne58942345

7 Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne58942345 mov %eax, $1 inc$1 jne$2

8 Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne58942345 mov %eax, $1 inc$1 jne$2 % 1000 1001 1100 0 [a, 3, *] 1111 1111 1100 0 [a] 0111 0101 [b, 8, *] {}

9 BCSR Process int bcsr_scan( char* addr, int num_bits )

10 Strata Software dynamic translator Fragment creation  Conditional or indirect control transfer  trampoline

11 Experiments Protocol  Scanning Strata fragments  Spec Int Benchmarks  Red Hat Linux  X86_64 Statistics  Overhead

12 Results ???

13 Issue 1 Specs are too general !!!

14 Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx

15 Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx pop$1 push $2 add$1, %ebx add $2, $1 push$2

16 Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx pop$1 push $2 add$1, %ebx add $2, $1 push$2 pop%eax push %eax add%eax, %ebx add %eax, %eax push %eax

17 Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx False positives pop$1 push $2 add$1, %ebx add $2, $1 push$2 pop%eax push %eax add%eax, %ebx add %eax, %eax push %eax

18 Issue 2 Multiple fragments

19 Issue 2 Multiple fragments Signatures contains the following:  Conditional or indirect control transfers

20 Issue 2 Multiple fragments Signatures contains the following:  Conditional or indirect control transfers False negatives

21 Future Work Address Issue 1 and 2 Extend the language  Star, functionality, … Symbolic code  Write in assembly rather than binary

22 Questions??

Download ppt "Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
Compiler construction in4020 – lecture 10 Koen Langendoen Delft University of Technology The Netherlands.

Compiler construction in4020 – lecture 10 Koen Langendoen Delft University of Technology The Netherlands.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 2 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 2 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Introduction to X86 assembly by Istvan Haller

Introduction to X86 assembly by Istvan Haller
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Chapter 4 Basic Instructions. 4.1 Copying Data mov Instructions mov (“move”) instructions are really copy instructions, like simple assignment statements.

Chapter 4 Basic Instructions. 4.1 Copying Data mov Instructions mov (“move”) instructions are really copy instructions, like simple assignment statements.
Practical Session 8 Computer Architecture and Assembly Language.

Practical Session 8 Computer Architecture and Assembly Language.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola 68000.

CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.

Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
Apache Exploits

Apache Exploits
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Chapter 8 Intermediate Code Zhang Jing, Wang HaiLing College of Computer Science & Technology Harbin Engineering University.

Chapter 8 Intermediate Code Zhang Jing, Wang HaiLing College of Computer Science & Technology Harbin Engineering University.

Similar presentations

Ads by Google