binary context sensitive recognizer bcsr
Download
Skip this Video
Download Presentation
Binary Context-Sensitive Recognizer (BCSR)

Loading in 2 Seconds...

play fullscreen
1 / 22

Binary Context-Sensitive Recognizer (BCSR) - PowerPoint PPT Presentation


  • 98 Views
  • Uploaded on

Binary Context-Sensitive Recognizer (BCSR). Hong Pham December 4, 2007. Motivation. Virus Signatures Database of hexadecimals Definitive registers Alter the registers and it is another signature. Register Manipulation. Different registers give different signatures. BCSR.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Binary Context-Sensitive Recognizer (BCSR)' - jordan-morrow


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
motivation
Motivation
  • Virus Signatures
    • Database of hexadecimals
    • Definitive registers
      • Alter the registers and it is another signature
register manipulation
Register Manipulation
  • Different registers give different signatures
slide4
BCSR
  • Program generator to recognize context-sensitive binary signatures
  • General representation of signatures, not dependent on registers
  • The signatures are specified by the user in the source specification
source specification
A signature

Binary signature

actions

Variable construct

[name, size, values]

Global / Local

Ambiguous source rules

{definitions}

%%

{rules}

%%

{user subroutines}

Source Specification
example
Example

89 c3: mov %eax, %ebx

FF c3: inc %ebx

75 f2: jne 58942345

example1
Example

89 c3: mov %eax, %ebx

FF c3: inc %ebx

75 f2: jne 58942345

mov %eax, $1

inc $1

jne $2

example2
Example

89 c3: mov %eax, %ebx

FF c3: inc %ebx

75 f2: jne 58942345

mov %eax, $1

inc $1

jne $2

%%

1000 1001 1100 0 [a, 3, *]

1111 1111 1100 0 [a]

0111 0101 [b, 8, *] {}

bcsr process
BCSR Process

int bcsr_scan( char* addr, int num_bits )

strata
Strata
  • Software dynamic translator
  • Fragment creation
    • Conditional or indirect control transfer
    • trampoline
experiments
Experiments
  • Protocol
    • Scanning Strata fragments
    • Spec Int Benchmarks
    • Red Hat Linux
    • X86_64
  • Statistics
    • Overhead
issue 11
Specs are too general !!!

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

Issue 1
issue 12
Specs are too general !!!

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

pop $1

push $2

add $1, %ebx

add $2, $1

push $2

Issue 1
issue 13
Specs are too general !!!

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

pop $1

push $2

add $1, %ebx

add $2, $1

push $2

pop %eax

push %eax

add %eax, %ebx

add %eax, %eax

push %eax

Issue 1
issue 14
Specs are too general !!!

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

False positives

pop $1

push $2

add $1, %ebx

add $2, $1

push $2

pop %eax

push %eax

add %eax, %ebx

add %eax, %eax

push %eax

Issue 1
issue 2
Issue 2
  • Multiple fragments
issue 21
Issue 2
  • Multiple fragments
  • Signatures contains the following:
    • Conditional or indirect control transfers
issue 22
Issue 2
  • Multiple fragments
  • Signatures contains the following:
    • Conditional or indirect control transfers
  • False negatives
future work
Future Work
  • Address Issue 1 and 2
  • Extend the language
    • Star, functionality, …
  • Symbolic code
    • Write in assembly rather than binary
ad