TU Darmstadt / ULB / TUbiblio

Covert Computation: Hiding Code in Code for Obfuscation Purposes

Kieseberg, Peter ; Huber, Markus ; Leithner, Manuel ; Mulazzani, Martin ; Weippl, Edgar (2013)
Covert Computation: Hiding Code in Code for Obfuscation Purposes.
Hangzhou, China
doi: 10.1145/2484313.2484384
Conference or Workshop Item, Bibliographie

Abstract

As malicious software gets increasingly sophisticated and resilient to detection, new concepts for the identification of malicious behavior are developed by academia and industry alike. While today’s malware detectors primarily focus on syntactical analysis (i.e., signatures of malware samples), the concept of semantic-aware malware detection has recently been proposed. Here, the classification is based on models that represent the underlying machine and map the effects of instructions on the hardware. In this paper, we demonstrate the incompleteness of these models and highlight the threat of malware, which exploits the gap between model and machine to stay undetectable. To this end, we introduce a novel concept we call covert computation, which implements functionality in side effects of microprocessors. For instance, the flags register can be used to calculate basic arithmetical and logical operations. Our paper shows how this technique could be used by malware authors to hide malicious code in a harmless-looking program. Furthermore, we demonstrate the resilience of covert computation against semantic-aware malware scanners.

Item Type: Conference or Workshop Item
Erschienen: 2013
Creators: Kieseberg, Peter ; Huber, Markus ; Leithner, Manuel ; Mulazzani, Martin ; Weippl, Edgar
Type of entry: Bibliographie
Title: Covert Computation: Hiding Code in Code for Obfuscation Purposes
Language: German
Date: May 2013
Publisher: ACM
Book Title: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security table of contents
Series: ASIA CCS '13
Event Location: Hangzhou, China
DOI: 10.1145/2484313.2484384
Abstract:

As malicious software gets increasingly sophisticated and resilient to detection, new concepts for the identification of malicious behavior are developed by academia and industry alike. While today’s malware detectors primarily focus on syntactical analysis (i.e., signatures of malware samples), the concept of semantic-aware malware detection has recently been proposed. Here, the classification is based on models that represent the underlying machine and map the effects of instructions on the hardware. In this paper, we demonstrate the incompleteness of these models and highlight the threat of malware, which exploits the gap between model and machine to stay undetectable. To this end, we introduce a novel concept we call covert computation, which implements functionality in side effects of microprocessors. For instance, the flags register can be used to calculate basic arithmetical and logical operations. Our paper shows how this technique could be used by malware authors to hide malicious code in a harmless-looking program. Furthermore, we demonstrate the resilience of covert computation against semantic-aware malware scanners.

Uncontrolled Keywords: code obfuscation, malware detection, side effects
Identification Number: TUD-CS-2013-0480
Divisions: Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Date Deposited: 28 Aug 2017 12:40
Last Modified: 22 Jan 2019 11:20
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details