Mihai's Project
Malicious Code Detection

WiSA official website: http://www.cs.wisc.edu/wisa

Goal: develop a set of methods and techniques to detect the presence of malicious code.

We are in the process of developing several methods for

Paper and Presentations:

Static Analysis of Executables to Detect Malicious Patterns
Date: 6 February 2003
Abstract: 
Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables).
Authors:  Mihai Christodorescu, Somesh Jha
Conference:  12th USENIX Security Symposium (Security'03), August 4-8, 2003, Washington, DC, USA
Project:  WiSA
Technical Report:  University of Wisconsin, Madison, Computer Sciences Department Technical Report # 1467


PDF:  20030206 - SAFE Static Analysis for Executables.pdf (21 pages, 334 kB)
PS:  safe_2003-02-06.ps (21 pages, 416 kB)
Compressed PS:  safe-tr_2003-02-10.ps.gz (21 pages, 104 kB)
(or copy on the UW CS tech report server: tr1467.ps.Z )
[UW CS technical report version]
PDF:  20030807-StaticAnalysisOfExecutables... .pdf (18 pages, 303 kB)
[12th USENIX Security Symposium version]
HTML:  index.html (259 kB)
[12th USENIX Security Symposium version]

Detection of Malicious Code Patterns in Executables via Model Checking
Date: 12 July 2002
Abstract:  A description of a malicious code detection tool that uses model checking ideas. We apply this tool to detecting viruses and explain our results.
Conference:  MURI Meeting, July 2002, Harpers Ferry, WV, USA
Project:  WiSA


PDF:  20020114 - Detection of Malicious Code Patterns in Executables via Model Checking.pdf (29 slides, 1.2 MB)

Virus Scanning as Model Checking
Date: 14 January 2002
Abstract:  A description of a virus scanner that uses model checking ideas.
Conference:  MURI Meeting, January 2002, Washington DC
Project:  WiSA


PDF:  20020114 - Virus Scanning as Model Checking.pdf (37 slides + 61 transition slides, 386 kB)

Model Checking for Binaries
Date: 11 November 2001
Abstract:  A quick look into model checking of binaries, with an interesting application: virus scanning.
Project:  WiSA


PDF:  20011108 - Model Checking for Binaries.pdf (19 slides, 88 kB)


Copyright 1998-2005 Mihai Christodorescu. All rights reserved.
Maintained by Mihai Christodorescu (http://mihai.christodorescu.org).
Created: Mon Dec 21 21:12:13 PST 1998
Last modified: Thu Nov 17 23:30:11 CST 2005