1 / 19

Steganography for Executables and Code Transformation Signatures

Steganography for Executables and Code Transformation Signatures. Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere. Alice. Bob. Wendy. Embedder. Extractor. Problem. Location of the Secret Message. Media human senses redundant bits. Executables processors

amie
Télécharger la présentation

Steganography for Executables and Code Transformation Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere

  2. Alice Bob Wendy Embedder Extractor Problem

  3. Location of the Secret Message • Media • human senses • redundant bits • Executables • processors • single-bit failure NOISE ⇒ CHOICE

  4. 00 01 10 11 0 1 Embedding Bits in a Choice

  5. n=31 ⇒ 15 unused n=7 ⇒ 3 unused Embedding Bits in a Choice 5 4 bits 3 2 1 0 1 2 4 8 16 32 alternatives

  6. 00 01 10 11 00 01 10 000 010 100 11 001 011 101 Embedding Bits in a Choice

  7. Embedding Bits in a Choice 5 4 bits 3 2 1 0 1 2 4 8 16 32 alternatives

  8. Alice Bob Instruction Selection Selection Selection

  9. add 1,reg lea 1(reg),reg sub -1,reg inc reg operation: reg=reg+1 neg reg imul -1,reg,reg operation: reg=-reg Instruction Selection sub reg,reg mov 0,reg xor reg,reg imul 0,reg and 0,reg lea 0,reg operation: reg=0 …

  10. Alice Bob Scheduling Scheduling Selection Selection

  11. Instruction Scheduling Instruction Scheduling & Code Layout source sink • Code Layout • pieces of code that can be placed in any order

  12. Alice Bob Canonicalize Canonicalize Interactions Layout Layout Scheduling Scheduling Selection Selection

  13. Evaluation: i386 (1) instruction selection instruction scheduling code layout (1/25) 0.040 0.035 0.030 (1/40) 0.025 (1/50) 0.020 Embedding Rate 0.015 (1/100) 0.010 (1/200) 0.005 0.000 bzip2 crafty gap gzip mcf parser twolf vortex vpr total Hydan Benchmarks

  14. Alice Bob Wendy Code Transformation Signatures Layout Layout Scheduling Scheduling Selection Selection sub 0x8,ebp (3 byte)⇒ lea -0x8(,ebp,1),ebp (7byte)

  15. Wendy CTS: Instruction Selection sub reg,reg mov 0,reg xor reg,reg imul 0,reg and 0,reg lea 0,reg operation: reg=0

  16. Detection of CTSs • CTS: unusual code property introduced by the applied code transformation • Detection: • quantify property through metric • build statistical model of expected behavior • compare observed to expected behavior • classify code into clean and suspect

  17. Code Transformation Signatures Unusual Jump Behaviour Layout Diverse Schedules Scheduling Suboptimal Schedules Unusual Instructions Selection Unusual Frequencies

  18. Evaluation: i386 (2) instruction selection instruction scheduling code layout (1/25) 0.040 0.035 0.030 (1/40) 0.025 (1/50) 0.020 Embedding Rate 0.015 (1/100) 0.010 (1/200) 0.005 0.000 Hydan bzip2 crafty gap gzip mcf parser twolf vortex vpr total Benchmarks

  19. Questions?

More Related