Modelling Metamorphism by Abstract Interpretation
By Mila Dalla Preda, Roberto Giacobazzi, Saumya Debray, Kevin Coogan and Gregg Townsend.
Mila Dalla Preda
Dipartimento di Scienze dell'Informazione
Universita' di Bologna
Mura Anteo Zamboni, 7
40127 Bologna - Italy
Roberto Giacobazzi
Dipartimento di Informatica
Universita' di Verona
Strada Le Grazie a Ca' Vignal 2
I-37134 Verona, Italy
Saumya Debray
Department of Computer Science
University of Arizona, Tucson
AZ 85721, USA
Kevin Coogan
Department of Computer Science
University of Arizona, Tucson
AZ 85721, USA
Gregg Townsend
Department of Computer Science
University of Arizona, Tucson
AZ 85721, USA
Abstract:
Metamorphic malware applies semantics-preserving transformations to its own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extracting metamorphic signatures from such malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as a finite state automata abstraction of the phase semantics.