A semantics-based approach to malware detection

Luca Fulchir

Course: "Analysis and Verification via Abstract Interpretation" (Analisi e Verifica mediante Interpretazione Astratta)

Malware detection is a crucial aspect of software security. Current malware detectors work by checking for signatures, which attempt to capture the syntactic characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes current detectors vulnerable to code obfuscations that alter the syntactic properties of the malware byte sequence without significantly affecting its execution behaviour. What matters is the semantics of the malware, not its syntax. We will analyse a trace-semantics approach to characterising the behaviour of malware as well as that of the program being checked for infection. We will then analyse the completeness and soundness of malware identification techniques based on abstract interpretation of such programs, to show how malware tries to hide itself and how detectors can work around such techniques, generalising to conservative and non-conservative malware obfuscations.
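As an added illustration (not part of this abstract, nor code from the paper or course it presents), the following Python toy shows the contrast drawn above: a signature over the instruction sequence is defeated by a behaviour-preserving obfuscation, while a detector that compares an abstraction of the program's execution trace is not. The register machine, its instruction set, the "malicious behaviour" and the obfuscated variants are all constructed for the example. The abstraction α keeps only the observable calls and the concrete value of their argument, so junk insertion, register renaming and splitting a constant into arithmetic are conservative with respect to it, whereas swapping the order of the observable calls is not and needs a coarser abstraction to be caught.

```python
"""Toy contrast between syntactic signature matching and trace-semantics
matching. Everything here (instruction set, programs, behaviour) is a
constructed example, not code from the paper or the course."""
from typing import Dict, List, Tuple, Union

Instr = Tuple                 # ("mov", dst, src) | ("add", dst, src) | ("nop",) | ("call", name, reg)
Env = Dict[str, int]          # register environment
Observable = Tuple[str, int]  # (called routine, concrete argument value)


def _value(env: Env, src: Union[int, str]) -> int:
    """Operand lookup: immediate value or register (unset registers read as 0)."""
    return src if isinstance(src, int) else env.get(src, 0)


def run(program: List[Instr]) -> List[Tuple[Instr, Env]]:
    """Concrete trace semantics: the sequence of (instruction, environment after it)."""
    env: Env = {}
    trace: List[Tuple[Instr, Env]] = []
    for ins in program:
        op = ins[0]
        if op == "mov":
            env[ins[1]] = _value(env, ins[2])
        elif op == "add":
            env[ins[1]] = env.get(ins[1], 0) + _value(env, ins[2])
        elif op in ("nop", "call"):
            pass  # neither changes the register environment in this toy machine
        else:
            raise ValueError(f"unknown instruction {op!r}")
        trace.append((ins, dict(env)))
    return trace


def abstract(trace: List[Tuple[Instr, Env]]) -> List[Observable]:
    """Abstraction alpha: keep only observable calls with the concrete value of
    their argument; register names, junk instructions and the shape of the
    arithmetic that produced the value are all erased."""
    return [(ins[1], env.get(ins[2], 0)) for ins, env in trace if ins[0] == "call"]


def _is_subsequence(needle: list, haystack: list) -> bool:
    """Ordered, not necessarily contiguous, containment."""
    i = 0
    for item in haystack:
        if i < len(needle) and item == needle[i]:
            i += 1
    return i == len(needle)


def syntactic_match(program: List[Instr], signature: List[Instr]) -> bool:
    """Signature scanner: the signature must appear as a contiguous instruction run."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


def semantic_match(program: List[Instr], behaviour: List[Observable]) -> bool:
    """Trace-based detector: the abstract trace must contain the behaviour in order."""
    return _is_subsequence(behaviour, abstract(run(program)))


def semantic_match_unordered(program: List[Instr], behaviour: List[Observable]) -> bool:
    """Coarser abstraction: compare sets of observables, ignoring their order."""
    return set(behaviour) <= set(abstract(run(program)))


# Constructed sample: the "malware" writes 0x41 and then executes 7.
MALWARE: List[Instr] = [
    ("mov", "r1", 0x41), ("call", "write", "r1"),
    ("mov", "r2", 7), ("call", "exec", "r2"),
]
SIGNATURE = MALWARE                 # what a syntactic detector would store
BEHAVIOUR = abstract(run(MALWARE))  # [("write", 65), ("exec", 7)]

# Conservative obfuscation w.r.t. alpha: junk insertion, register renaming,
# constants split into arithmetic. Same observable behaviour.
OBFUSCATED: List[Instr] = [
    ("mov", "r3", 0x40), ("nop",), ("add", "r3", 1), ("call", "write", "r3"),
    ("mov", "r2", 3), ("nop",), ("add", "r2", 4), ("call", "exec", "r2"),
]

# Non-conservative w.r.t. the ordered abstraction: the observable calls are swapped.
REORDERED: List[Instr] = [
    ("mov", "r2", 7), ("call", "exec", "r2"),
    ("mov", "r1", 0x41), ("call", "write", "r1"),
]

BENIGN: List[Instr] = [("mov", "r1", 0x41), ("call", "write", "r1")]


if __name__ == "__main__":
    for name, prog in [("malware", MALWARE), ("obfuscated", OBFUSCATED),
                       ("reordered", REORDERED), ("benign", BENIGN)]:
        print(f"{name:10s} syntactic={syntactic_match(prog, SIGNATURE)!s:5s} "
              f"semantic={semantic_match(prog, BEHAVIOUR)!s:5s} "
              f"unordered={semantic_match_unordered(prog, BEHAVIOUR)}")
```

Running the script prints one row per program; the obfuscated variant is missed by the signature but matched by the trace detector, and the reordered variant is only matched once the abstraction stops caring about order. The point is that the choice of α is what decides which obfuscations are conservative and therefore which ones the detector survives.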