
    Partial Evaluation for Java Malware Detection

    The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform that has a JVM implementation. Metasploit is a well-known source of Java exploits, and to circumvent detection by Anti-Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls, two techniques that can be used either together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

    Partial Evaluation of String Obfuscations for Java Malware Detection

    The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform that has a JVM implementation. Metasploit is a well-known source of Java exploits, and to circumvent detection by Anti-Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls, two techniques that can be used either together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is an intermediate language for JVM bytecode designed for optimisation and program analysis, and demonstrates how partially evaluated Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

    Characterizing A Property-Driven Obfuscation Strategy

    In recent years, code obfuscation has attracted both researchers and software developers as a useful technique for protecting secret properties of proprietary programs. The idea of code obfuscation is to modify a program, while preserving its functionality, in order to make it more difficult to analyze. Thus, the aim of code obfuscation is to conceal certain properties from an attacker, while revealing its intended behavior. However, a general methodology for deriving an obfuscating transformation from the properties to conceal and reveal is still missing. In this work, we start to address this problem by studying the existence and the characterization of function transformers that minimally or maximally modify a program in order to reveal or conceal a certain property. Based on this general formal framework, we are able to provide a characterization of the maximal obfuscating strategy for transformations concealing a given property while revealing the desired observational behavior. To conclude, we discuss the applicability of the proposed characterization by showing how some common obfuscation techniques can be interpreted in this framework. Moreover, we show how this approach allows us to understand in depth which behavioral properties these transformations conceal, and therefore protect, and which they reveal, and therefore disclose.

    Code obfuscation against abstraction refinement attacks

    Code protection technologies require anti-reverse-engineering transformations that obfuscate programs in such a way that tools and methods for program analysis become ineffective. We introduce the concept of model deformation, which induces an effective code obfuscation against attacks performed by abstract model checking. This means complicating the model in such a way that a high number of spurious traces are generated in any formal verification of the property to be disclosed about the system under attack. We transform the program model in order to make the removal of spurious counterexamples by abstraction refinement maximally inefficient. Because our approach is intended to defeat the fundamental abstraction refinement strategy, it is independent of the specific attack carried out by abstract model checking. A measure of the quality of the obfuscation obtained by model deformation is given, together with a corresponding best obfuscation strategy for abstract model checking based on partition refinement.

    Formal framework for reasoning about the precision of dynamic analysis

    Dynamic program analysis is extremely successful both in code debugging and in malicious code attacks. Fuzzing, concolic, and monkey testing are instances of the more general problem of analysing programs by dynamically executing their code with selected inputs. While static program analysis has a beautiful and well-established theoretical foundation in abstract interpretation, dynamic analysis still lacks such a foundation. In this paper, we introduce a formal model for understanding the notion of precision in dynamic program analysis. It is known that in sound-by-construction static program analysis, precision amounts to completeness. In dynamic analysis, which is inherently unsound, precision boils down to a notion of coverage of execution traces with respect to what the observer (attacker or debugger) can effectively observe about the computation. We introduce a topological characterisation of the notion of coverage relative to a given (fixed) observation for dynamic program analysis, and we show how this coverage can be changed by semantics-preserving code transformations. Once again, as in the case of static program analysis and abstract interpretation, for dynamic analysis too we can alter the precision of the analysis by transforming the code. In this context, we validate our model on well-established code obfuscation and watermarking techniques. We confirm the efficiency of existing methods for preventing control-flow-graph extraction and data exploitation by dynamic analysis, including a validation of the potency of fully homomorphic data encodings in code obfuscation.

    Maximal incompleteness as obfuscation potency

    Obfuscation is the art of making code hard to reverse engineer and understand. In this paper, we propose a formal model for specifying and understanding the strength of obfuscating transformations with respect to a given attack model. The idea is to consider the attacker as an abstract interpreter willing to extract information about the program's semantics. In this scenario, we show that obfuscating code amounts to making the analysis imprecise, namely making the corresponding abstract domain incomplete. It is known that completeness is a property of the abstract domain and the program to analyse. We introduce a framework for transforming abstract domains, i.e., analyses, towards incompleteness. The family of incomplete abstractions for a given program provides a characterisation of the potency of the obfuscation employed in that program, i.e., its strength against the attack specified by those abstractions. We show this characterisation for known obfuscating transformations used to inhibit program slicing and automated disassembly.

    Obfuscator Evaluation System based on Static Analysis

    Thesis (Master's) -- Seoul National University Graduate School: Department of Electrical and Computer Engineering, 2015. 8. Kwangkeun Yi (이광근). We propose a method for comparatively evaluating obfuscators based on static analysis. Developers of commercial software use program obfuscators to prevent the programs they have developed from being analysed by reverse engineering techniques. In order to select and use a good obfuscator, a method for evaluating obfuscators is needed. This thesis proposes a method that can evaluate various obfuscators simply, by attempting semantics-based static analysis on the obfuscated programs and comparing the results of the analyses. Through experiments, we show that the evaluation results obtained by the proposed method agree with the already known ranking of obfuscation techniques. Table of contents: Chapter 1 Introduction (1.1 Motivation; 1.2 Limitations of existing evaluation methods; 1.3 Idea for a solution; 1.4 Organisation of the thesis); Chapter 2 Obfuscation technique evaluation system (2.1 Design of the evaluation system; 2.2 Method of computing the complexity score); Chapter 3 Implementation and experiments (3.1 Selection of the evaluation system's components: 3.1.1 Static analyser, 3.1.2 Sample programs, 3.1.3 Obfuscators; 3.2 Experimental results); Chapter 4 Discussion; Chapter 5 Conclusion; References; Abstract. Maste

    Deep Learning Application On American Sign Language Database For Video-Based Gesture Recognition

    ASL-speaking individuals always bring a companion as a translator [1]. This creates barriers for those who wish to take part in activities alone. Online translators exist; however, they are limited to individual characters rather than the gestures that group characters in a meaningful way, and connectivity is not always available. Thus, this research tackles the limitations of existing technologies and presents a model, implemented in MATLAB 2020b, to be used for predicting and classifying American Sign Language gestures/characters. The proposed method looks further into current neural networks and how they can be utilized on our transformed World Largest American Sign Language data set. Drawing on state-of-the-art detection and segmentation algorithms, this paper analyzes the efficiency of pre-trained networks against these various algorithms, and tests current machine learning strategies such as Transfer Learning and their impact on training a model for recognition. Our research goals are: 1. manufacturing and augmenting our data set; 2. applying transfer learning on our data sets to create various models; 3. comparing the accuracies of each model; and finally, presenting a novel pattern for gesture recognition.