190 likes | 368 Vues
Steganography for Executables and Code Transformation Signatures. Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere. Alice. Bob. Wendy. Embedder. Extractor. Problem. Location of the Secret Message. Media human senses redundant bits. Executables processors
E N D
Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere
Alice Bob Wendy Embedder Extractor Problem
Location of the Secret Message • Media • human senses • redundant bits • Executables • processors • single-bit failure NOISE ⇒ CHOICE
00 01 10 11 0 1 Embedding Bits in a Choice
n=31 ⇒ 15 unused n=7 ⇒ 3 unused Embedding Bits in a Choice 5 4 bits 3 2 1 0 1 2 4 8 16 32 alternatives
00 01 10 11 00 01 10 000 010 100 11 001 011 101 Embedding Bits in a Choice
Embedding Bits in a Choice 5 4 bits 3 2 1 0 1 2 4 8 16 32 alternatives
Alice Bob Instruction Selection Selection Selection
add 1,reg lea 1(reg),reg sub -1,reg inc reg operation: reg=reg+1 neg reg imul -1,reg,reg operation: reg=-reg Instruction Selection sub reg,reg mov 0,reg xor reg,reg imul 0,reg and 0,reg lea 0,reg operation: reg=0 …
Alice Bob Scheduling Scheduling Selection Selection
Instruction Scheduling Instruction Scheduling & Code Layout source sink • Code Layout • pieces of code that can be placed in any order
Alice Bob Canonicalize Canonicalize Interactions Layout Layout Scheduling Scheduling Selection Selection
Evaluation: i386 (1) instruction selection instruction scheduling code layout (1/25) 0.040 0.035 0.030 (1/40) 0.025 (1/50) 0.020 Embedding Rate 0.015 (1/100) 0.010 (1/200) 0.005 0.000 bzip2 crafty gap gzip mcf parser twolf vortex vpr total Hydan Benchmarks
Alice Bob Wendy Code Transformation Signatures Layout Layout Scheduling Scheduling Selection Selection sub 0x8,ebp (3 byte)⇒ lea -0x8(,ebp,1),ebp (7byte)
Wendy CTS: Instruction Selection sub reg,reg mov 0,reg xor reg,reg imul 0,reg and 0,reg lea 0,reg operation: reg=0
Detection of CTSs • CTS: unusual code property introduced by the applied code transformation • Detection: • quantify property through metric • build statistical model of expected behavior • compare observed to expected behavior • classify code into clean and suspect
Code Transformation Signatures Unusual Jump Behaviour Layout Diverse Schedules Scheduling Suboptimal Schedules Unusual Instructions Selection Unusual Frequencies
Evaluation: i386 (2) instruction selection instruction scheduling code layout (1/25) 0.040 0.035 0.030 (1/40) 0.025 (1/50) 0.020 Embedding Rate 0.015 (1/100) 0.010 (1/200) 0.005 0.000 Hydan bzip2 crafty gap gzip mcf parser twolf vortex vpr total Benchmarks