disasm

Description

The disasm project investigates the use of binary analysis techniques to statically detect malicious behavior or vulnerable code in binary objects.

The application of analysis techniques at the binary level—as opposed to the source code level—is motivated by a number of reasons. First, it is not always the case that the source code of an application is available. For example, most proprietary applications are distributed in binary form only. Second, even when the source code for compiled languages is available, transformations performed by compilers and optimizer tools may subtly alter the actual behavior of an application, and, consequently, invalidate the results of the analysis performed at the source code level.

In the disasm project, we explored different uses of binary analysis. In particular, we used binary analysis:

To extended basic disassembly techniques in order to effectively deal with obfuscated code.
To statically detect malicious behavior in executables. We applied this idea to identify polymorphic worms and Linux kernel-level rootkits.
To automatically mount "mimicry" attacks against system calls-based intrusion detection systems and evade them.

Software

disasm
The disasm program implements various static and binary analysis techniques.
- Coming soon!

Publications

C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Polymorphic Worm Detection Using Structural Information of Executables," in Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 207–226, Springer, ISBN 3-540-31778-3, Seattle, Washington, USA, September 2005.[PDF, BibTeX]
C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Automating Mimicry Attacks Using Static Binary Analysis," in Proceedings of the 14th USENIX Security Symposium 2005, pp. 91–100, USENIX Association, ISBN 1-9319-7134-X, Baltimore, Maryland, USA, August 2005.[PDF, BibTeX]
C. Kruegel, W. Robertson, and G. Vigna, "Detecting Kernel-Level Rootkits Through Binary Analysis," in Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04) , pp. 91–100, IEEE Computer Society, ISBN 0-7695-2252-1, Tucson, Arizona, December 2004.[PDF, BibTeX]
C. Kruegel, W. Robertson, F. Valeur, and G. Vigna, "Static Disassembly of Obfuscated Binaries," in Proceedings of the 13th USENIX Security Symposium 2004, pp. 255–270, USENIX Association, San Diego, California, August 2004.[PDF, BibTeX]

People

E. Kirda.
C. Kruegel.
D. Mutz.
W. Robertson.
F. Valeur.
G. Vigna.

Acknowledgments

This research was supported by the Army Research Office under agreement DAAD19-01-1-0484 and by the National Science Foundation under grants CCR-0209065 and CCR-0238492.