Publication


Featured research published by Guillaume Bonfante.


computer and communications security | 2015

CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions

Guillaume Bonfante; José M. Fernandez; Jean-Yves Marion; Benjamin Rouxel; Fabrice Sabatier; Aurélien Thierry

Fighting malware involves analyzing large numbers of suspicious binary files. In this context, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instructions from binary machine code. Correct disassembly of binaries is necessary to produce a higher level representation of the code and thus allow the analysis to develop high-level understanding of its behavior and purpose. Nonetheless, it can be problematic in the case of malicious code, as malware writers often employ techniques to thwart correct disassembly by standard tools. In this paper, we focus on the disassembly of x86 self-modifying binaries with overlapping instructions. Current state-of-the-art disassemblers fail to interpret these two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disassembly method, called concatic disassembly, that combines CONCrete path execution with stATIC disassembly. We have developed a standalone disassembler called CoDisasm that implements this approach. Our approach substantially improves the success of disassembly when confronted with both self-modification and code overlap in analyzed binaries. To our knowledge, no other disassembler thwarts both of these obfuscation methods together.


international conference on malicious and unwanted software | 2012

Code synchronization by morphological analysis

Guillaume Bonfante; Jean-Yves Marion; Fabrice Sabatier; Aurélien Thierry

Reverse-engineering malware code is a difficult task, usually full of the traps put by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help the software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds some common machine instructions between two programs and may display the correspondence instruction by instruction in IDA. Experiments were performed on many malware such as stuxnet, duqu, sality or waledac. We have rediscovered some of the links between duqu and stuxnet, and we point out OpenSSL's use within waledac.


international conference on malicious and unwanted software | 2015

Gorille sniffs code similarities, the case study of qwerty versus regin

Guillaume Bonfante; Jean-Yves Marion; Fabrice Sabatier

In the last decade, our group has developed a tool called Gorille which implements morphological analysis, roughly speaking control graph comparison of malware. Our first intention was to use it for malware detection, and this works quite well as already presented. However, morphological analysis outputs a more refined output than yes or no. In the current contribution, we show that it can be used in several ways for retro-engineering. First, we describe a rapid triggering process that enlightens code similarities. Second, we present a function identification mechanism whose aim is to reveal some key code in a malware. Finally, we supply a procedure which separates different families of code given some samples. All these tasks are done (almost) automatically seen from a retro-engineering perspective.


theory and applications of models of computation | 2010

Complexity invariance of real interpretations

Guillaume Bonfante; Florian Deloup

In the field of implicit computational complexity, we are considering in this paper the fruitful branch of interpretation methods. In this area, the synthesis problem is solved by Tarski's decision procedure, and consequently interpretations are usually chosen over the reals rather than over the integers. Doing so, one cannot use anymore the (good) properties of the natural (well-) ordering of N employed to bound the complexity of programs. We show that, actually, polynomials over the reals benefit from some properties that allow their safe use for complexity. We illustrate this by two characterizations, one of PTIME and one of PSPACE.


TERMGRAPH | 2013

Non-simplifying Graph Rewriting Termination

Guillaume Bonfante; Bruno Guillaume

So far, a very large amount of work in Natural Language Processing (NLP) relies on trees as the core mathematical structure to represent linguistic information (e.g. in Chomsky’s work). However, some linguistic phenomena do not cope properly with trees. In a former paper, we showed the benefit of encoding linguistic structures by graphs and of using graph rewriting rules to compute on those structures. Justified by some linguistic considerations, graph rewriting is characterized by two features: first, there is no node creation along computations and second, there are non-local edge modifications. Under these hypotheses, we show that uniform termination is undecidable and that non-uniform termination is decidable. We describe two termination techniques based on weights and we give complexity bound on the derivation length for these rewriting systems.


Electronic Proceedings in Theoretical Computer Science | 2017

Proceedings 8th Workshop on Developments in Implicit Computational Complexity and 5th Workshop on Foundational and Practical Aspects of Resource Analysis

Guillaume Bonfante; Georg Moser

The DICE workshop explores the area of Implicit Computational Complexity (ICC), which grew out from several proposals to use logic and formal methods to provide languages for complexity-bounded computation (e.g. Ptime, Logspace computation). It aims at studying the computational complexity of programs without referring to external measuring conditions or a particular machine model, but only by considering language restrictions or logical/computational principles entailing complexity properties. The FOPARA workshop serves as a forum for presenting original research results that are relevant to the analysis of resource (e.g. time, space, energy) consumption by computer programs. The workshop aims to bring together the researchers that work on foundational issues with the researchers that focus more on practical results. Therefore, both theoretical and practical contributions are encouraged. We also encourage papers that combine theory and practice. Given the complementarity and the synergy between these two communities, and following the successful experience of co-location of DICE-FOPARA 2015 in London at ETAPS 2015, we hold these two workshops together at ETAPS 2017, which takes place in Uppsala, Sweden. The provided proceedings collect the papers accepted at the workshop.


conference on computability in europe | 2015

Immune Systems in Computer Virology

Guillaume Bonfante; Mohamed El-Aqqad; Benjamin D. Greenbaum; Mathieu Hoyrup

The analogy between computer viruses and biological viruses, from which computer viruses get their name [7], has been clear for the past several decades. During that time there has been progress in both understanding the vast diversity of biological viruses, and in abstract approaches to understanding computer viruses.


Theoretical Computer Science | 2015

Real or natural number interpretation and their effect on complexity

Guillaume Bonfante; Florian Deloup; Antoine Henrot

Interpretation methods have been introduced in the 70s by Lankford [1] in rewriting theory to prove termination. Actually, as shown by Bonfante et al. [2], an interpretation of a program induces a bound on its complexity. However, Lankford's original analysis depends deeply on the Archimedean property of natural numbers. This goes against the fact that finding a real interpretation can be solved by Tarski's decision procedure over the reals (as described by Dershowitz in [3]), and consequently interpretations are usually chosen over the reals rather than over the integers. Doing so, one cannot use anymore the (good) properties of the natural (well-)ordering of N used to bound the complexity of programs. We prove that one may take benefit from the best of both worlds: the complexity analysis still holds even with real numbers. The reason lies in a deep algebraic property of polynomials over the reals. We illustrate this by two characterizations, one of polynomial time and one of polynomial space.


symposium on information and communication technology | 2011

Course of value distinguishes the intentionality of programming languages

Guillaume Bonfante

In this contribution, we propose to study the transformation of first order programs by course of value recursion. Our motivation is to show that this transformation provides a separation criterion for the intentionality of sets of programs. As an illustration, we consider two variants of the multiset path ordering, for the first, terms in recursive calls are compared with respect to the subterm property, for the second with respect to embedding. Under a quasi-interpretation, both characterize Ptime, the latter characterization being a new result. Once the transformation is applied, we get respectively Ptime and Pspace, thus proving that the latter set of programs contains more algorithms.


international conference on malicious and unwanted software | 2017

A construction of a self-modifying language with a formal correction proof

Guillaume Bonfante; Hubert Godfroy; Jean-Yves Marion

Collaboration


Top Co-Authors

Florian Deloup

Paul Sabatier University

Jean-Yves Marion

City University of Hong Kong

Fabrice Sabatier

French Institute for Research in Computer Science and Automation

José M. Fernandez

École Polytechnique de Montréal

Georg Moser

University of Innsbruck

Benjamin D. Greenbaum

Icahn School of Medicine at Mount Sinai
