1 / 22

Binary Context-Sensitive Recognizer (BCSR)

The Binary Context-Sensitive Recognizer (BCSR) utilizes a sophisticated approach to recognize binary signatures in virus detection. By manipulating registers, BCSR generates context-sensitive signatures, adaptable to various inputs defined by the user. This method improves the accuracy of malware identification and reduces false positives and negatives. The system integrates a flexible source specification language that supports ambiguous rules and local/global variables, thereby enhancing the adaptability and precision of malware scanning in diverse environments, including Red Hat Linux on x86_64 architecture.

jordan-morrow
Télécharger la présentation

Binary Context-Sensitive Recognizer (BCSR)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007

  2. Motivation • Virus Signatures • Database of hexadecimals • Definitive registers • Alter the registers and it is another signature

  3. Register Manipulation • Different registers give different signatures

  4. BCSR • Program generator to recognize context-sensitive binary signatures • General representation of signatures, not dependent on registers • The signatures are specified by the user in the source specification

  5. A signature Binary signature actions Variable construct [name, size, values] Global / Local Ambiguous source rules {definitions} %% {rules} %% {user subroutines} Source Specification

  6. Example 89 c3: mov %eax, %ebx FF c3: inc %ebx 75 f2: jne 58942345

  7. Example 89 c3: mov %eax, %ebx FF c3: inc %ebx 75 f2: jne 58942345 mov %eax, $1 inc $1 jne $2

  8. Example 89 c3: mov %eax, %ebx FF c3: inc %ebx 75 f2: jne 58942345 mov %eax, $1 inc $1 jne $2 %% 1000 1001 1100 0 [a, 3, *] 1111 1111 1100 0 [a] 0111 0101 [b, 8, *] {}

  9. BCSR Process int bcsr_scan( char* addr, int num_bits )

  10. Strata • Software dynamic translator • Fragment creation • Conditional or indirect control transfer • trampoline

  11. Experiments • Protocol • Scanning Strata fragments • Spec Int Benchmarks • Red Hat Linux • X86_64 • Statistics • Overhead

  12. Results • ???

  13. Specs are too general !!! Issue 1

  14. Specs are too general !!! Signature pop %eax push %ecx add %eax, %ebx add %ecx, %eax push %ecx Issue 1

  15. Specs are too general !!! Signature pop %eax push %ecx add %eax, %ebx add %ecx, %eax push %ecx pop $1 push $2 add $1, %ebx add $2, $1 push $2 Issue 1

  16. Specs are too general !!! Signature pop %eax push %ecx add %eax, %ebx add %ecx, %eax push %ecx pop $1 push $2 add $1, %ebx add $2, $1 push $2 pop %eax push %eax add %eax, %ebx add %eax, %eax push %eax Issue 1

  17. Specs are too general !!! Signature pop %eax push %ecx add %eax, %ebx add %ecx, %eax push %ecx False positives pop $1 push $2 add $1, %ebx add $2, $1 push $2 pop %eax push %eax add %eax, %ebx add %eax, %eax push %eax Issue 1

  18. Issue 2 • Multiple fragments

  19. Issue 2 • Multiple fragments • Signatures contains the following: • Conditional or indirect control transfers

  20. Issue 2 • Multiple fragments • Signatures contains the following: • Conditional or indirect control transfers • False negatives

  21. Future Work • Address Issue 1 and 2 • Extend the language • Star, functionality, … • Symbolic code • Write in assembly rather than binary

  22. Questions??

More Related