Instruction Subsets in Software Diversity

Malware Project

Nguyet Nguyen

Nov. 30th 2004

Motivation: Visit the company Computer

  • CPU is the main worker of the company Computer

  • CPU joins a set of parts called Insts into robots called Softs

  • Softs work at the Computer office

  • Computer stores some gold boxes in the office

  • Insts are delivered by Developers

  • Gold boxes have some holes in them

  • The office door is open

Computer’s Office

(Diagram: the Computer’s office with gold boxes)
Motivation: meet Evil

  • Mr Evil knows how CPU works

  • Mr Evil knows the holes in the gold boxes

  • Evil creates a new array of Insts that CPU assembles into a new kind of robot called Worms

  • Worms can steal gold via the holes

Problems Occur in Computer’s Office

(Diagram: gold boxes in the Computer’s office)
Current Solutions

  • Use a Gatekeeper before CPU

  • Dye the Insts with a dyeing solution, the Key

  • Gatekeeper applies rev-Key to the dyed Insts

Instruction DIALECTS

(Diagram: Evil says “Hu hu, I cannot do anything”)

Is it good?

  • Portable? No

  • Performance? Reduced

  • Security?

    • Relies on the enforcement environment

    • Key can be guessed


(Diagram: Evil says “Hu hu, I cannot do anything”)





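A toy of the Current Solutions slide and of the weaknesses listed under “Is it good?”, added here as an example that is not part of the presentation: the four-opcode stack CPU, the XOR dye, the sample Soft and Worm byte strings and the two-byte Key are all constructed for the illustration. It shows dyed Insts from a Developer running normally, undyed Insts from Evil being turned into garbage by rev-Key so the CPU rejects them, and how small the candidate-Key space is when the Key is short.

```python
"""Toy model of "dye the Insts with Key / Gatekeeper applies rev-Key".
Added example, not code from the presentation: the CPU, its bytecode and
the sample programs below are constructed for the illustration."""

# Constructed bytecode for the toy CPU (one byte per opcode).
OP_PUSH, OP_ADD, OP_STORE, OP_HALT = 0x01, 0x02, 0x03, 0x04


class IllegalInstruction(Exception):
    """Raised when the CPU is handed a byte that is not one of its Insts."""


def cpu_run(code, gold=None):
    """The CPU assembles Insts into a Soft and runs it: a stack machine that
    can only PUSH a byte, ADD the top two, STORE the top into the gold
    boxes, or HALT.  Returns the gold boxes once the Soft halts."""
    gold = [] if gold is None else gold
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == OP_PUSH and pc + 1 < len(code):
            stack.append(code[pc + 1])
            pc += 2
        elif op == OP_ADD and len(stack) >= 2:
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFF)
            pc += 1
        elif op == OP_STORE and stack:
            gold.append(stack.pop())
            pc += 1
        elif op == OP_HALT:
            return gold
        else:
            raise IllegalInstruction(f"bad Inst {op:#04x} at offset {pc}")
    raise IllegalInstruction("ran off the end of the Soft")


def dye(code, key):
    """Developer side: XOR each delivered Inst byte with the repeating Key."""
    if not key:
        raise ValueError("Key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


def gatekeeper_run(dyed_code, key, gold=None):
    """Gatekeeper before the CPU: apply rev-Key (XOR is its own inverse) to
    whatever arrives, then hand the result to the CPU."""
    return cpu_run(dye(dyed_code, key), gold)


def key_space(key_len):
    """Number of candidate Keys to try for a Key of key_len bytes: a single
    key byte leaves only 256, which is why "Key can be guessed"."""
    return 256 ** key_len


# Constructed sample programs and Key.
LEGIT = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_STORE, OP_HALT])  # stores 5
WORM = bytes([OP_PUSH, 0xEE, OP_STORE, OP_HALT])                    # undyed Insts from Evil
KEY = bytes([0x5A, 0xC3])                                           # constructed 2-byte Key


def demo():
    """Dyed Insts run normally; undyed Insts are garbled by rev-Key and the
    CPU refuses them ("Hu hu, I cannot do anything")."""
    legit_gold = gatekeeper_run(dye(LEGIT, KEY), KEY)
    try:
        gatekeeper_run(WORM, KEY)
        worm_blocked = False
    except IllegalInstruction:
        worm_blocked = True
    return legit_gold, worm_blocked


if __name__ == "__main__":
    print(demo())                       # ([5], True)
    print(key_space(1), key_space(4))   # 256 4294967296
```

The split between gatekeeper_run and cpu_run is the “relies on the enforcement environment” point: anything that can hand bytes to cpu_run directly is never dyed, so the protection is only as good as the guarantee that every path to the CPU goes through the Gatekeeper. key_space(1) == 256 is the whole of the “Key can be guessed” point for a one-byte Key.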
Is Instruction Subset better?

  • Portable

  • Performance: hardware Gatekeeper

  • Security:

    • Works without the enforcement environment

    • Versions of different sizes

Groups of Instructions

  • Divide the Instruction Set into groups:

    • Group of unique instructions (UI)

    • Groups of equivalent instructions (EIs)

  • New IS = UI + new EI

    • The new EI’s members are selected from each of the old EIs

Unique Instructions

  • Call

  • Int/Ret

  • Convert instructions: Cbw, Cdq

  • Set/Clear Interrupt Flag: CLI, STI

  • ASCII and Decimal Adjust: Aaa, Aad

  • ESC, Halt

  • Lea

  • Lock

  • Nop

  • Push/Pop, PushF/PopF

  • Wait/FWait

  • In/Out

Groups of EIs

  • Load instructions: lds, lodsb, lodsw

  • Store instructions: stosb, stosw

  • Branch instructions: jump, loop, repeat (35+5+5 = 45 insts)

  • Move instructions: Mov, Movs, Movsx, Movzx

  • Add/Sub: Add, Inc, Dec, Sub

  • Mul/Div: imul, mul, idiv, div

  • Test: ;

  • Interchange: Cmp and Change

  • Flags set:

  • Logical Operation: and, or, xor, not (4 insts)


  • Some transformations are easy, others are not

  • Transformation complexity depends on other groups


    • dec and sub

    • Jmp →

      Mov ax,0

      Je ax;

Instruction selecting in EI sets

  • Insts with transformation complexity are statically omitted or allowed (50% chance of being allowed)

    • Inc, dec, mov, jmp

  • Pick 1 of the remaining instructions at random

Does it work?

  • 3 questions:

    • Is it possible for a worm to use only UI to complete its work?

    • How many diverse subsets do we have?

    • How long should a worm be to ensure an acceptable rate of protection?

Question 1: Is UI enough?

  • NO

  • Why?

    • A worm should use a Jump

    • A worm should use a load

  • Verification?

    • CodeRed

    • Sapphire

    • Nimda

    • Unix worms: ADM Worm v1

Question 2: How diverse is this approach?

  • The number of different versions we have is:

    2^(number_of_static_inst) × number_of_EI1 × …

  • Depends on the number of EIs to which we apply the selecting process and on how many instructions we pick from each set

Question 3: Performance?

  • Does not depend on how long a worm is

  • It depends on how many different instructions a worm uses

  • Using only opcodes limits the opportunities for subset diversity

Example: Sapphire

  • push

  • mov

  • xor

  • loop

  • lea

  • call

  • cmp

  • jz

  • or

  • shl

  • jmp

  UI: push, call, lea

  • OI:

    • Logical Operation: or, xor, cmp, shl

    • Branch Operation: loop, jz, jmp

    • Move Operation: mov


  P(all insts pass) = 2(3/4)(2/3)(1/45)(1/45)(1/2)


  Anything wrong?

How to enhance Diversity?

  • Determine how many instructions are needed to complete a worm

  • Enhance the diversity of UI by adding addressing mode/operand mode

    • Complicated? Yes

    • How to reduce costs: apply it only to “important instructions”

High Level Hypothesis about Worms

  • Every worm needs to use a call

  • Every worm needs to use a push

  • Every worm needs communication instructions?

  • Every worm needs a load or a store

  • Every worm needs at least one arithmetic instruction

  What do we need?

Push and Call

  • Push: 6 operand modes

  • Call: 30 operand modes

    • 6 near

    • 8 far

    • 4 task

    • 12 gate

Example: Sapphire (II)

  • Call

      call eax

      call dword ptr [esi]

  • Push:

      push 42B0C9DCh

      push eax

      call esi


  P(all call/push passed) = (1/6)(1/8)(1/6)(1/6)(1/6)


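A model of the whole selection scheme, from “Groups of Instructions” and “Instruction selecting in EI sets” through the Question 2 count of versions to the two Sapphire pass-probability slides, added here as an example that is not the presentation’s own code. Group membership is an assumption reconstructed from the slide headings; only the sizes the slides state (45 branch instructions, 4 logical, 6 push operand modes, 6 near-call and 8 far-call modes) are taken from them, placeholder names such as “jcc7” pad the groups to those sizes, and which operand-mode class each Sapphire (II) form falls into is likewise an assumption. It goes beyond the slides in two ways: the number of instructions kept per group is a parameter k, and the pass probability is computed exactly, with a group of n selectable members of which the worm needs m contributing C(n−m, k−m)/C(n, k), rather than one factor per instruction occurrence.

```python
"""Instruction-subset diversity: UI kept always, k members drawn from each
EI group, static instructions kept with probability 1/2.  Added example,
not the presentation's code; group contents are assumptions, padded with
placeholder names to the sizes the slides give."""
import random
from fractions import Fraction
from math import comb

UI = {"push", "call", "lea", "nop", "ret", "int", "in", "out", "cli", "sti"}

OPCODE_GROUPS = {
    "load":    ["lds", "lodsb", "lodsw"],
    "store":   ["stosb", "stosw"],
    "branch":  ["jmp", "jz", "jnz", "loop"] + [f"jcc{i}" for i in range(1, 42)],
    "move":    ["mov", "movs", "movsx", "movzx"],
    "addsub":  ["add", "inc", "dec", "sub"],
    "muldiv":  ["imul", "mul", "idiv", "div"],
    "logical": ["and", "or", "xor", "not"],
    "shift":   ["shl", "shr", "sal", "sar"],
    "compare": ["cmp", "test"],
}

# Costly-to-rewrite instructions are decided statically: kept with prob. 1/2.
STATIC = {"inc", "dec", "mov", "jmp"}

# Opcodes the slides list for Sapphire.
SAPPHIRE = ["push", "mov", "xor", "loop", "lea", "call", "cmp", "jz", "or", "shl", "jmp"]

# Sapphire (II): operand modes of push and call modelled as groups of their
# own (assumed classes; "call dword ptr [esi]" is placed under near call).
MODE_GROUPS = dict(OPCODE_GROUPS)
MODE_GROUPS["push"] = ["push imm32", "push r32"] + [f"push mode{i}" for i in range(3, 7)]
MODE_GROUPS["call near"] = ["call r32", "call m32"] + [f"call near mode{i}" for i in range(3, 7)]
MODE_GROUPS["call far"] = [f"call far mode{i}" for i in range(1, 9)]
UI_MODES = UI - {"push", "call"}
SAPPHIRE_II = [i for i in SAPPHIRE if i not in ("push", "call")] + [
    "push imm32", "push r32", "call r32", "call m32"]


def _non_static(members, static):
    return [m for m in members if m not in static]


def generate_subset(groups, k, rng=None, ui=UI, static=STATIC):
    """New IS = UI + new EI: all of UI, each static instruction with
    probability 1/2, and k random non-static members of every group."""
    rng = rng or random.Random()
    chosen = set(ui)
    for members in groups.values():
        chosen.update(m for m in members if m in static and rng.random() < 0.5)
        non_static = _non_static(members, static)
        chosen.update(rng.sample(non_static, min(k, len(non_static))))
    return chosen


def worm_passes(subset, worm):
    """A worm runs only if every instruction it uses survived the selection."""
    return all(ins in subset for ins in worm)


def pass_probability(groups, worm, k, ui=UI, static=STATIC):
    """Exact P(all insts pass): 1/2 per static instruction used, and for a
    group with n selectable members of which the worm needs m, all m must be
    among the k drawn: C(n-m, k-m) / C(n, k)."""
    needed = set(worm)
    known = set(ui) | {m for ms in groups.values() for m in ms}
    if needed - known:
        raise ValueError(f"not in modelled instruction set: {sorted(needed - known)}")
    p = Fraction(1, 2) ** len(needed & static)
    for members in groups.values():
        non_static = _non_static(members, static)
        n, m = len(non_static), len(needed.intersection(non_static))
        kk = min(k, n)
        if m > kk:
            return Fraction(0)
        p *= Fraction(comb(n - m, kk - m), comb(n, kk))
    return p


def estimate_pass_probability(groups, worm, k, trials, seed=0, ui=UI, static=STATIC):
    """Monte Carlo cross-check of pass_probability over `trials` subsets."""
    rng = random.Random(seed)
    hits = sum(worm_passes(generate_subset(groups, k, rng, ui, static), worm)
               for _ in range(trials))
    return hits / trials


def number_of_versions(groups, k, static=STATIC):
    """How diverse: 2^(static insts) x prod over groups of C(n, k); for k = 1
    this is the slides' 2^number_of_static_inst x number_of_EI1 x ..."""
    n_static = sum(1 for ms in groups.values() for m in ms if m in static)
    total = 2 ** n_static
    for members in groups.values():
        n = len(_non_static(members, static))
        total *= comb(n, min(k, n))
    return total


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, number_of_versions(OPCODE_GROUPS, k),
              pass_probability(OPCODE_GROUPS, SAPPHIRE, k))
    print(pass_probability(MODE_GROUPS, SAPPHIRE_II, 2, ui=UI_MODES))
```

With k = 1 the model answers the slide’s “Anything wrong?”: loop and jz sit in the same group, only one member of it survives, so Sapphire can never pass and the probability is 0, not a product of two 1/45 factors; the per-occurrence product on the slide only appears if each instruction is treated as an independent draw. Raising k makes more worms survivable and, through number_of_versions, changes how many distinct subsets exist, which is the trade-off Question 2 describes.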
  • Instruction Guessing?

    • Worms may not be fast enough

    • People can try to guess from simple to complicated instructions

  • Hypothesis proof

    • Disassembled code

    • Static Analysis


Nothing is perfect

More solutions of diversity → better diversity