VALID 2019, The Eleventh International Conference on Advances in System Testing and Validation Lifecycle
Learning Metamorphic Rules from Widening Control Flow Graphs
Authors:
Marco Campion
Mila Dalla Preda
Roberto Giacobazzi
Keywords: Static binary analysis; Metamorphic malware detection; Program semantics; Widening automata; Learning grammars
Abstract:
Metamorphic malware are self-modifying programs that apply semantics-preserving transformation rules to their own code in order to foil detection systems based on signature matching. A metamorphic malware is thus a malware equipped with a metamorphic engine that takes the malware, or parts of it, as input and morphs it at runtime into a syntactically different but semantically equivalent variant. Examples of code transformation rules used by the metamorphic engine are dead code insertion, register swapping and the substitution of short instruction sequences with semantically equivalent ones. With the term metamorphic signature we refer to an abstract program representation that ideally captures all the code variants that might be generated during the execution of a metamorphic program. In this paper, we consider the problem of automatically extracting metamorphic signatures from the analysis of metamorphic malware variants. For this purpose, we developed MetaWDN, a tool that takes as input a collection of simplified metamorphic code variants and extracts their control flow graphs. MetaWDN uses these graphs to build an approximate automaton that overapproximates the considered code variants. Learning techniques are then applied in order to extract the code transformation rules used by the metamorphic engine to generate the considered code variants.
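The abstract describes a pipeline in which metamorphic variants are mapped to a representation that is stable under the engine's transformations, and the transformation rules themselves are recovered from the variants. The Python below is an added toy illustration and is not MetaWDN's code: it invents a three-register straight-line instruction set, a toy metamorphic engine that applies the three transformations named in the abstract (dead code insertion, register swapping, equivalent-instruction substitution), and an abstraction that is invariant under them. In place of the paper's widening automaton over control flow graphs, the toy compares canonical instruction sequences, which is enough to show why a byte-level signature fails on the variants, how a semantic representation unifies them, and how the rewrite rules used by the engine can be read off the variants. The sample program, the rules and all identifiers are constructed for this example.

```python
"""Toy metamorphic engine and metamorphic-signature extraction.

Added illustration, not MetaWDN's code. Instruction set, register names,
rewrite rules and the sample program are invented here. An instruction is a
tuple (opcode, *operands); operands are register names or int immediates.
Flags are ignored in this toy ISA, so the rules below really are equivalences.
"""
import random

REGISTERS = ["r1", "r2", "r3"]

# Constructed sample body that the toy engine morphs.
ORIGINAL = [
    ("mov", "r1", 0),
    ("mov", "r2", 7),
    ("add", "r1", 1),
    ("add", "r1", "r2"),
    ("ret",),
]


def fmt(ins):
    return " ".join(map(str, ins))


def render(program):
    """Textual form of a program, standing in for its byte-level signature."""
    return "; ".join(fmt(ins) for ins in program)


def substitute(ins):
    """Rewrite one instruction into a semantically equivalent form where a rule applies."""
    if len(ins) == 3 and ins[0] == "mov" and ins[2] == 0:
        return ("xor", ins[1], ins[1])          # mov r, 0  ==  xor r, r
    if len(ins) == 3 and ins[0] == "add" and ins[2] == 1:
        return ("inc", ins[1])                  # add r, 1  ==  inc r
    return ins


def morph(program, seed):
    """Toy metamorphic engine: register swap, substitution and dead code insertion."""
    rng = random.Random(seed)
    perm = dict(zip(REGISTERS, rng.sample(REGISTERS, len(REGISTERS))))
    variant = []
    for ins in program:
        ins = (ins[0], *[perm.get(a, a) for a in ins[1:]])   # swap registers
        if rng.random() < 0.5:
            ins = substitute(ins)                              # equivalent form
        if rng.random() < 0.5:                                 # junk with no effect
            junk = rng.choice(REGISTERS)
            variant.append(rng.choice([("nop",), ("mov", junk, junk)]))
        variant.append(ins)
    return variant


def normalize(program):
    """Abstract a variant into a form invariant under the three transformations.

    Dead code is dropped, substituted instructions are mapped back to a canonical
    form, and registers are numbered by first use. Returns (abstract_sequence,
    rules) where rules records the concrete rewrites observed in this variant.
    """
    names, abstract, rules = {}, [], set()

    def canon(a):
        if a in REGISTERS:
            names.setdefault(a, f"R{len(names)}")
            return names[a]
        return a

    for ins in program:
        op, *args = ins
        if op == "nop" or (op == "mov" and args[0] == args[1]):
            rules.add("dead code: " + fmt((op, *("R" for _ in args))))
            continue
        canonical = ins
        if op == "xor" and args[0] == args[1]:
            canonical = ("mov", args[0], 0)
        elif op == "inc":
            canonical = ("add", args[0], 1)
        c = (canonical[0], *map(canon, canonical[1:]))
        if canonical != ins:
            rules.add(f"{fmt(c)} -> {fmt((ins[0], *map(canon, ins[1:])))}")
        abstract.append(c)
    return tuple(abstract), rules


def extract_signature(variants):
    """Signature (one abstract sequence) plus learned rule set from a set of variants.

    Raises if the abstraction is too weak to unify all variants.
    """
    sigs, rules = set(), set()
    for v in variants:
        s, r = normalize(v)
        sigs.add(s)
        rules |= r
    if len(sigs) != 1:
        raise ValueError(f"abstraction does not unify variants: {len(sigs)} classes")
    return sigs.pop(), rules


def matches(signature, program):
    """Detection: does the program abstract to the learned signature?"""
    return normalize(program)[0] == signature


if __name__ == "__main__":
    variants = [morph(ORIGINAL, seed) for seed in range(6)]
    for v in variants:
        print(render(v))               # textually distinct, so byte signatures diverge
    sig, rules = extract_signature(variants)
    print("signature:", " ; ".join(map(fmt, sig)))
    print("learned rules:", sorted(rules))
    print("unseen variant detected:", matches(sig, morph(ORIGINAL, 99)))
```

The abstraction here is hand-written from knowledge of the three rules, which is the simplifying step the paper's approach replaces: there, the unifying representation is learned as an automaton from the variants' control flow graphs, and the toy's `normalize` only shows what such a representation must achieve.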
Pages: 7 to 12
Copyright: Copyright (c) IARIA, 2019
Publication date: November 24, 2019
Published in: conference
ISSN: 2308-4316
ISBN: 978-1-61208-755-9
Location: Valencia, Spain
Dates: from November 24, 2019 to November 28, 2019