binary context-sensitive recognizer (bcsr)

Binary Context-Sensitive Recognizer (BCSR)

Hong Pham

December 4, 2007

Motivation

Virus Signatures Database of hexadecimals Definitive registers

Alter the registers and it is another signature

Register Manipulation

Different registers give different signatures

Program generator to recognize context-sensitive binary signatures

General representation of signatures, not dependent on registers

The signatures are specified by the user in the source specification

Source Specification

A signature Binary signature actions

Variable construct [name, size, values] Global / Local

Ambiguous source rules

{definitions}

{rules}

{user subroutines}

Example

89 c3: mov %eax, %ebx

FF c3: inc %ebx

75 f2: jne 58942345

Example

89 c3: mov %eax, %ebx

FF c3: inc %ebx

75 f2: jne 58942345

mov %eax, $1

inc $1

jne $2

Example

89 c3: mov %eax, %ebxFF c3: inc %ebx75 f2: jne 58942345

mov %eax, $1inc $1jne $2

%%1000 1001 1100 0 [a, 3, *]1111 1111 1100 0 [a]0111 0101 [b, 8, *] {}

BCSR Process

int bcsr_scan( char* addr, int num_bits )

Strata

Software dynamic translator

Fragment creation Conditional or indirect

control transfer trampoline

Experiments

Protocol Scanning Strata fragments Spec Int Benchmarks Red Hat Linux X86_64

Statistics Overhead

Results

Issue 1

Specs are too general !!!

Issue 1

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

Issue 1

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

pop $1

push $2

add $1, %ebx

add $2, $1

push $2

Issue 1

Signature

pop %eax

push %ecx

add %eax, %ebx

add %ecx, %eax

push %ecx

pop $1push $2add $1, %ebxadd $2, $1push $2

pop %eaxpush %eaxadd %eax, %ebxadd %eax, %eaxpush %eax

Issue 1

Signature

pop %eaxpush %ecxadd %eax, %ebxadd %ecx, %eaxpush %ecx

False positives

pop $1push $2add $1, %ebxadd $2, $1push $2

pop %eaxpush %eaxadd %eax, %ebxadd %eax, %eaxpush %eax

Issue 2

Multiple fragments

Issue 2

Multiple fragments

Signatures contains the following: Conditional or indirect control transfers

Issue 2

Multiple fragments

Signatures contains the following: Conditional or indirect control transfers

False negatives

Future Work

Address Issue 1 and 2

Extend the language Star, functionality, …

Symbolic code Write in assembly rather than binary

Questions??

binary context-sensitive recognizer (bcsr)

xff c3

jne58942345example89

2example89 c3

x75 f2

multiple fragmentssignatures

multiple fragmentsissue

bcsr processint bcsr

int num

Documents

learning l2 pronunciation with a mobile speech recognizer:...

an interactive mathematical handwriting recognizer for the...

domain parking recognizer: an experimental study on web

a microprocessor based speech recognizer for isolated...

digit recognizer

an fficient holy quran recitation recognizer based on …

effect of motion-gesture recognizer error pattern on user

a microprocessor based speech recognizer for isolated...

an improved context-free recognizer - university of...

playing card recognizer

implementation of an optical character recognizer …

sudoku downloader and recognizer author: pedro evaristo...

neural network recognizer for hand-written zip code...

developing bengali speech corpus for phone recognizer using...

gestures as point clouds: a $p recognizer for user ... ·...

recognizer issues

bcsr final map - alamo area council final map.pdf · title:...

thebasecaonsaturaon$ ra/o$–bcsr

performance analysis of bangla speech recognizer model using...

diy stroke recognizer