Guillaume Bonfante
University of Lorraine
Publication
Featured research published by Guillaume Bonfante.
computer and communications security | 2015
Guillaume Bonfante; José M. Fernandez; Jean-Yves Marion; Benjamin Rouxel; Fabrice Sabatier; Aurélien Thierry
Fighting malware involves analyzing large numbers of suspicious binary files. In this context, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instructions from binary machine code. Correct disassembly of binaries is necessary to produce a higher level representation of the code and thus allow the analysis to develop high-level understanding of its behavior and purpose. Nonetheless, it can be problematic in the case of malicious code, as malware writers often employ techniques to thwart correct disassembly by standard tools. In this paper, we focus on the disassembly of x86 self-modifying binaries with overlapping instructions. Current state-of-the-art disassemblers fail to interpret these two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disassembly method, called concatic disassembly, that combines CONCrete path execution with stATIC disassembly. We have developed a standalone disassembler called CoDisasm that implements this approach. Our approach substantially improves the success of disassembly when confronted with both self-modification and code overlap in analyzed binaries. To our knowledge, no other disassembler thwarts both of these obfuscation methods together.
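The following is an added illustration of the code-overlap problem the abstract describes; it is not CoDisasm or the authors' code. A constructed five-byte x86 fragment (EB FF C0 48 C3 90) starts with "jmp short -1", which lands inside its own immediate byte, so the real instruction stream is jmp / inc eax / dec eax / ret while a linear sweep from offset 0 decodes a plausible-looking but wrong "ror byte [eax-0x3d], 0x90" over the same bytes. The decoder below knows only the handful of opcodes the sample needs, and the "concrete execution" is a tiny control-flow walker standing in for a real trace; both are assumptions of this example. Self-modifying code, the second obfuscation the paper handles, is not modelled here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    text: str

    @property
    def end(self) -> int:
        return self.addr + self.size


# Constructed sample, not taken from the paper.  EB FF is "jmp short -1": it
# jumps back into its own immediate byte, so execution continues at offset 1
# with FF C0 (inc eax).  The two instructions share byte 1 (code overlap).
# Offsets: 0:EB 1:FF 2:C0 3:48 4:C3 5:90
SAMPLE = bytes.fromhex("EBFFC048C390")

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ROTS = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]


def _s8(v: int) -> int:
    """Sign-extend an 8-bit immediate or displacement."""
    return v - 256 if v >= 128 else v


def decode(code: bytes, addr: int) -> Optional[Insn]:
    """Decode one 32-bit-mode instruction at addr.  Deliberately tiny opcode
    table (just what the sample needs); returns None for anything else."""
    b = code[addr:]
    if not b:
        return None
    op = b[0]
    if op == 0xEB and len(b) >= 2:                      # jmp rel8
        return Insn(addr, 2, f"jmp short 0x{addr + 2 + _s8(b[1]):x}")
    if op == 0xFF and len(b) >= 2 and b[1] == 0xC0:     # inc eax
        return Insn(addr, 2, "inc eax")
    if op == 0x48:                                      # dec eax
        return Insn(addr, 1, "dec eax")
    if op == 0x90:
        return Insn(addr, 1, "nop")
    if op == 0xC3:
        return Insn(addr, 1, "ret")
    if op == 0xC0 and len(b) >= 4:                      # C0 /r ib: shift/rotate r/m8, imm8
        mod, reg, rm = b[1] >> 6, (b[1] >> 3) & 7, b[1] & 7
        if mod == 1 and rm != 4:                        # [reg32 + disp8], no SIB byte
            return Insn(addr, 4, f"{ROTS[reg]} byte [{REGS32[rm]}{_s8(b[2]):+#x}], {b[3]:#x}")
    return None


def linear_sweep(code: bytes) -> List[Insn]:
    """What a plain linear-sweep disassembler produces from offset 0."""
    out, pc = [], 0
    while pc < len(code):
        insn = decode(code, pc) or Insn(pc, 1, f"db {code[pc]:#04x}")
        out.append(insn)
        pc = insn.end
    return out


def concrete_trace(code: bytes, start: int = 0, max_steps: int = 64) -> List[int]:
    """Stand-in for concrete execution: follow control flow from start and
    record the address of every executed instruction, stopping at ret.
    Register effects are irrelevant to control flow in this sample."""
    pc, trace = start, []
    for _ in range(max_steps):
        insn = decode(code, pc)
        if insn is None:
            break
        trace.append(pc)
        if insn.text == "ret":
            break
        pc = int(insn.text.split()[-1], 16) if insn.text.startswith("jmp short") else insn.end
    return trace


def trace_guided_disasm(code: bytes, trace: List[int]) -> List[Insn]:
    """Concrete-path-then-static: every traced address seeds a static sweep
    that runs until the next control transfer.  Instructions are keyed by
    address, so two decodings of overlapping bytes both survive."""
    seen = {}
    for seed in trace:
        pc = seed
        while pc < len(code) and pc not in seen:
            insn = decode(code, pc)
            if insn is None:
                break
            seen[pc] = insn
            if insn.text == "ret" or insn.text.startswith("jmp"):
                break
            pc = insn.end
    return [seen[a] for a in sorted(seen)]


def overlaps(insns: List[Insn]) -> List[Tuple[int, int]]:
    """Pairs of instruction addresses whose byte ranges intersect."""
    return [(a.addr, b.addr) for i, a in enumerate(insns) for b in insns[i + 1:]
            if a.addr < b.end and b.addr < a.end]


if __name__ == "__main__":
    print("linear sweep:")
    for i in linear_sweep(SAMPLE):
        print(f"  {i.addr:#04x}  {i.text}")
    trace = concrete_trace(SAMPLE)
    print("executed addresses:", [hex(a) for a in trace])
    listing = trace_guided_disasm(SAMPLE, trace)
    print("trace-guided listing:")
    for i in listing:
        print(f"  {i.addr:#04x}  {i.text}")
    print("overlapping pairs:", overlaps(listing))
```

The linear sweep never sees inc eax, dec eax or ret at all: the four bytes from offset 2 are swallowed by the single rotate instruction. Seeding the static sweep with addresses that were actually executed recovers the real stream and makes the overlap between offsets 0 and 1 explicit instead of silently resolving it in favour of one decoding.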
international conference on malicious and unwanted software | 2012
Guillaume Bonfante; Jean-Yves Marion; Fabrice Sabatier; Aurélien Thierry
Reverse-engineering malware code is a difficult task, usually full of traps set by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds some common machine instructions between two programs and may display the correspondence instruction by instruction in IDA. Experiments were performed on many malware samples such as Stuxnet, Duqu, Sality or Waledac. We have rediscovered some of the links between Duqu and Stuxnet, and we point out OpenSSL's use within Waledac.
international conference on malicious and unwanted software | 2015
Guillaume Bonfante; Jean-Yves Marion; Fabrice Sabatier
In the last decade, our group has developed a tool called Gorille which implements morphological analysis, roughly speaking control-graph comparison of malware. Our first intention was to use it for malware detection, and this works quite well, as already presented. However, morphological analysis produces a more refined output than yes or no. In the current contribution, we show that it can be used in several ways for retro-engineering. First, we describe a rapid triggering process that highlights code similarities. Second, we present a function identification mechanism whose aim is to reveal some key code in a malware. Finally, we supply a procedure which separates different families of code given some samples. All these tasks are done (almost) automatically, seen from a retro-engineering perspective.
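The block below is an added illustration of control-graph comparison used for the three tasks this abstract lists (highlighting shared code, identifying a known function, separating families); it also serves as a sketch of the instruction-correspondence idea of the 2012 synchronization paper above. It is not Gorille's code. It assumes a reduced control-flow graph whose nodes carry only a control-flow kind (inst, jcc, jmp, call, ret), compares graphs through canonical encodings of each node's successor neighbourhood up to a fixed radius, and uses a Jaccard index over those encodings; the graphs are constructed toy samples.

```python
from collections import Counter
from typing import Dict, List, Tuple

# A control-flow graph as {node: (label, successors)}.  Labels abstract away
# instruction details and keep only the control-flow kind; this reduced form
# is an assumption of the example, not Gorille's actual graph format.
CFG = Dict[str, Tuple[str, List[str]]]

# Constructed "key code": a call inside a conditional loop.
LOOP: CFG = {
    "l0": ("inst", ["l1"]),
    "l1": ("jcc", ["l2", "l4"]),
    "l2": ("call", ["l3"]),
    "l3": ("jmp", ["l1"]),
    "l4": ("ret", []),
}

# Three constructed samples: A and B embed LOOP behind different prologues,
# C is unrelated straight-line code.
SAMPLES: Dict[str, CFG] = {
    "A": {"a0": ("inst", ["a1"]), "a1": ("call", ["a2"]), "a2": ("inst", ["l0"]), **LOOP},
    "B": {"b0": ("inst", ["b1"]), "b1": ("jcc", ["b2", "l0"]), "b2": ("ret", []), **LOOP},
    "C": {"c0": ("inst", ["c1"]), "c1": ("call", ["c2"]), "c2": ("call", ["c3"]), "c3": ("ret", [])},
}


def site(cfg: CFG, node: str, depth: int) -> str:
    """Canonical string for the successor neighbourhood of radius `depth`.
    Successor encodings are sorted so node names and edge order do not matter."""
    label, succs = cfg[node]
    if depth == 0 or not succs:
        return label
    return label + "(" + ",".join(sorted(site(cfg, s, depth - 1) for s in succs)) + ")"


def sites(cfg: CFG, depth: int = 2) -> Counter:
    """Multiset of site encodings, the graph's feature vector."""
    return Counter(site(cfg, n, depth) for n in cfg)


def similarity(a: Counter, b: Counter) -> float:
    """Jaccard index over two site multisets."""
    inter, union = sum((a & b).values()), sum((a | b).values())
    return inter / union if union else 0.0


def shared_nodes(cfg_a: CFG, cfg_b: CFG, depth: int = 2) -> List[str]:
    """Task 1: nodes of cfg_a whose site also occurs in cfg_b, i.e. the
    code an analyst would want highlighted as common to both samples."""
    in_b = {site(cfg_b, n, depth) for n in cfg_b}
    return sorted(n for n in cfg_a if site(cfg_a, n, depth) in in_b)


def contains_function(cfg: CFG, signature: CFG, depth: int = 2) -> bool:
    """Task 2: function identification; every site of the signature graph
    must be present in the sample."""
    present = {site(cfg, n, depth) for n in cfg}
    return all(site(signature, n, depth) in present for n in signature)


def families(samples: Dict[str, CFG], depth: int = 2, threshold: float = 0.3) -> List[List[str]]:
    """Task 3: family separation by single-linkage grouping of samples whose
    similarity reaches the threshold."""
    feats = {name: sites(g, depth) for name, g in samples.items()}
    groups: List[set] = []
    for name in samples:
        linked = [g for g in groups if any(similarity(feats[name], feats[m]) >= threshold for m in g)]
        merged = {name}.union(*linked)
        groups = [g for g in groups if g not in linked] + [merged]
    return sorted(sorted(g) for g in groups)


if __name__ == "__main__":
    print("A/B shared nodes:", shared_nodes(SAMPLES["A"], SAMPLES["B"]))
    for name, g in SAMPLES.items():
        print(f"{name} contains LOOP:", contains_function(g, LOOP))
    print("sim(A,B) =", round(similarity(sites(SAMPLES["A"]), sites(SAMPLES["B"])), 3))
    print("sim(A,C) =", round(similarity(sites(SAMPLES["A"]), sites(SAMPLES["C"])), 3))
    print("families:", families(SAMPLES))
```

The radius and the threshold are the two knobs: a larger radius makes sites more specific (fewer accidental matches, but more sensitivity to small edits), and the threshold decides how loosely samples are grouped. Sorting successor encodings discards the true/false branch order of a jcc, a simplification chosen here to keep the encoding canonical.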
theory and applications of models of computation | 2010
Guillaume Bonfante; Florian Deloup
In the field of implicit computational complexity, we are considering in this paper the fruitful branch of interpretation methods. In this area, the synthesis problem is solved by Tarski's decision procedure, and consequently interpretations are usually chosen over the reals rather than over the integers. Doing so, one cannot use anymore the (good) properties of the natural (well-)ordering of N employed to bound the complexity of programs. We show that, actually, polynomials over the reals benefit from some properties that allow their safe use for complexity. We illustrate this by two characterizations, one of PTIME and one of PSPACE.
TERMGRAPH | 2013
Guillaume Bonfante; Bruno Guillaume
So far, a very large amount of work in Natural Language Processing (NLP) relies on trees as the core mathematical structure to represent linguistic information (e.g. in Chomsky's work). However, some linguistic phenomena do not cope properly with trees. In a former paper, we showed the benefit of encoding linguistic structures by graphs and of using graph rewriting rules to compute on those structures. Justified by some linguistic considerations, graph rewriting is characterized by two features: first, there is no node creation along computations and second, there are non-local edge modifications. Under these hypotheses, we show that uniform termination is undecidable and that non-uniform termination is decidable. We describe two termination techniques based on weights and we give complexity bounds on the derivation length for these rewriting systems.
Electronic Proceedings in Theoretical Computer Science | 2017
Guillaume Bonfante; Georg Moser
The DICE workshop explores the area of Implicit Computational Complexity (ICC), which grew out of several proposals to use logic and formal methods to provide languages for complexity-bounded computation (e.g. Ptime, Logspace computation). It aims at studying the computational complexity of programs without referring to external measuring conditions or a particular machine model, but only by considering language restrictions or logical/computational principles entailing complexity properties.

The FOPARA workshop serves as a forum for presenting original research results that are relevant to the analysis of resource (e.g. time, space, energy) consumption by computer programs. The workshop aims to bring together the researchers that work on foundational issues with the researchers that focus more on practical results. Therefore, both theoretical and practical contributions are encouraged. We also encourage papers that combine theory and practice.

Given the complementarity and the synergy between these two communities, and following the successful experience of co-location of DICE-FOPARA 2015 in London at ETAPS 2015, we hold these two workshops together at ETAPS 2017, which takes place in Uppsala, Sweden. The provided proceedings collect the papers accepted at the workshop.
conference on computability in europe | 2015
Guillaume Bonfante; Mohamed El-Aqqad; Benjamin D. Greenbaum; Mathieu Hoyrup
The analogy between computer viruses and biological viruses, from which computer viruses get their name [7], has been clear for the past several decades. During that time there has been progress in both understanding the vast diversity of biological viruses, and in abstract approaches to understanding computer viruses.
Theoretical Computer Science | 2015
Guillaume Bonfante; Florian Deloup; Antoine Henrot
Interpretation methods have been introduced in the 70s by Lankford [1] in rewriting theory to prove termination. Actually, as shown by Bonfante et al. [2], an interpretation of a program induces a bound on its complexity. However, Lankford's original analysis depends deeply on the Archimedean property of natural numbers. This goes against the fact that finding a real interpretation can be solved by Tarski's decision procedure over the reals (as described by Dershowitz in [3]), and consequently interpretations are usually chosen over the reals rather than over the integers. Doing so, one cannot use anymore the (good) properties of the natural (well-)ordering of N used to bound the complexity of programs. We prove that one may take benefit from the best of both worlds: the complexity analysis still holds even with real numbers. The reason lies in a deep algebraic property of polynomials over the reals. We illustrate this by two characterizations, one of polynomial time and one of polynomial space.
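As an added illustration of the mechanism this abstract and the 2010 abstract above rely on (how an interpretation bounds derivation length), using a standard textbook rewrite system rather than anything from the paper: take addition on unary numbers,

$$\mathrm{add}(0, y) \to y, \qquad \mathrm{add}(s(x), y) \to s(\mathrm{add}(x, y)),$$

with the polynomial interpretation over $\mathbb{N}$

$$[0] = 0, \qquad [s](x) = x + 1, \qquad [\mathrm{add}](x, y) = 2x + y + 1,$$

each strictly monotone in every argument. Every left-hand side strictly dominates its right-hand side:

$$[\mathrm{add}(0, y)] = y + 1 > y = [y], \qquad [\mathrm{add}(s(x), y)] = 2x + y + 3 > 2x + y + 2 = [s(\mathrm{add}(x, y))].$$

Strict monotonicity carries the decrease through any surrounding context, and because the values are integers, "strictly smaller" means "smaller by at least $1$". So a term $t$ admits at most $[t]$ rewrite steps; for $t = \mathrm{add}(s^n(0), s^m(0))$ this gives $[t] = 2n + m + 1$, polynomial in the size of $t$ (the actual derivation takes $n + 1$ steps). Over $\mathbb{R}$, $[l] > [r]$ alone no longer yields a uniform decrease per step, which is exactly the gap the abstract says the paper closes for polynomial interpretations.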
symposium on information and communication technology | 2011
Guillaume Bonfante
In this contribution, we propose to study the transformation of first-order programs by course-of-value recursion. Our motivation is to show that this transformation provides a separation criterion for the intensionality of sets of programs. As an illustration, we consider two variants of the multiset path ordering: for the first, terms in recursive calls are compared with respect to the subterm property, for the second with respect to embedding. Under a quasi-interpretation, both characterize Ptime, the latter characterization being a new result. Once the transformation is applied, we get respectively Ptime and Pspace, thus proving that the latter set of programs contains more algorithms.
international conference on malicious and unwanted software | 2017
Guillaume Bonfante; Hubert Godfroy; Jean-Yves Marion
Collaboration
French Institute for Research in Computer Science and Automation