Detecting traditional packers, decisively

Denis Bueno; Kevin J. Compton; Karem A. Sakallah; Michael Bailey

doi:10.1007/978-3-642-41284-4_10

Detecting traditional packers, decisively

Denis Bueno, Kevin J. Compton, Karem A. Sakallah, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many of the important decidability results in malware analysis are based Turing machine models of computation. We exhibit computational models which use more realistic assumptions about machine and attacker resources. While seminal results such as [1-5] remain true for Turing machines, we show under more realistic assumptions, important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior - in which a payload is decompressed or decrypted and subsequently executed - is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems. We look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.

Original language	English (US)
Title of host publication	Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings
Pages	184-203
Number of pages	20
DOIs	https://doi.org/10.1007/978-3-642-41284-4_10
State	Published - 2013
Externally published	Yes
Event	16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013 - Rodney Bay, Saint Lucia Duration: Oct 23 2013 → Oct 25 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8145 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013
Country/Territory	Saint Lucia
City	Rodney Bay
Period	10/23/13 → 10/25/13

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Online availability

10.1007/978-3-642-41284-4_10

Library availability

Discover UIUC Full Text

Cite this

Bueno, D., Compton, K. J., Sakallah, K. A., & Bailey, M. (2013). Detecting traditional packers, decisively. In Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings (pp. 184-203). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8145 LNCS). https://doi.org/10.1007/978-3-642-41284-4_10

Detecting traditional packers, decisively. / Bueno, Denis; Compton, Kevin J.; Sakallah, Karem A. et al.
Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings. 2013. p. 184-203 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8145 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bueno, D, Compton, KJ, Sakallah, KA & Bailey, M 2013, Detecting traditional packers, decisively. in Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8145 LNCS, pp. 184-203, 16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013, Rodney Bay, Saint Lucia, 10/23/13. https://doi.org/10.1007/978-3-642-41284-4_10

Bueno D, Compton KJ, Sakallah KA, Bailey M. Detecting traditional packers, decisively. In Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings. 2013. p. 184-203. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-41284-4_10

@inproceedings{9398ed9770604913a3dbbcd5333f44c3,

title = "Detecting traditional packers, decisively",

abstract = "Many of the important decidability results in malware analysis are based Turing machine models of computation. We exhibit computational models which use more realistic assumptions about machine and attacker resources. While seminal results such as [1-5] remain true for Turing machines, we show under more realistic assumptions, important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior - in which a payload is decompressed or decrypted and subsequently executed - is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems. We look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.",

author = "Denis Bueno and Compton, {Kevin J.} and Sakallah, {Karem A.} and Michael Bailey",

year = "2013",

doi = "10.1007/978-3-642-41284-4_10",

language = "English (US)",

isbn = "9783642412837",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "184--203",

booktitle = "Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings",

note = "16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013 ; Conference date: 23-10-2013 Through 25-10-2013",

}

TY - GEN

T1 - Detecting traditional packers, decisively

AU - Bueno, Denis

AU - Compton, Kevin J.

AU - Sakallah, Karem A.

AU - Bailey, Michael

PY - 2013

Y1 - 2013

N2 - Many of the important decidability results in malware analysis are based Turing machine models of computation. We exhibit computational models which use more realistic assumptions about machine and attacker resources. While seminal results such as [1-5] remain true for Turing machines, we show under more realistic assumptions, important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior - in which a payload is decompressed or decrypted and subsequently executed - is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems. We look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.

AB - Many of the important decidability results in malware analysis are based Turing machine models of computation. We exhibit computational models which use more realistic assumptions about machine and attacker resources. While seminal results such as [1-5] remain true for Turing machines, we show under more realistic assumptions, important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior - in which a payload is decompressed or decrypted and subsequently executed - is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems. We look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.

UR - http://www.scopus.com/inward/record.url?scp=84888323889&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84888323889&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-41284-4_10

DO - 10.1007/978-3-642-41284-4_10

M3 - Conference contribution

AN - SCOPUS:84888323889

SN - 9783642412837

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 184

EP - 203

BT - Research in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings

T2 - 16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013

Y2 - 23 October 2013 through 25 October 2013

ER -

Detecting traditional packers, decisively

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this