Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter,...

Steganography for Executables and

Code Transformation Signatures

Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere

Problem

Alice Bob

WendyEmbedder Extractor

Location of the Secret Message

o Media

• human senses• redundant bits

o Executables

• processors• single-bit failure

NOISE ⇒ CHOICE

Embedding Bits in a Choice

00 01 10 11

)(log2 n

01 2 4 8 16 32

)(log2 n

alternatives

n=7 ⇒ 3 unused

n=31 ⇒ 15 unused

1)(log

21)(log)(

00 01 1000 01 10 11

000 010 100 11 001 011 101

)(log2 n

01 2 4 8 16 32

)(log2 n

alternatives

bits )(nb

Instruction Selection

Alice Bob

Selection Selection

Instruction Selection

mov 0,

regsub reg,reg

and 0,reg

xor reg,reg

lea 0,reg

imul 0,reg

operation: reg=0

sub -1,reg

add 1,reg

inc reg

lea 1(reg),reg

operation: reg=reg+1

neg reg

imul -1,reg,

operation: reg=-reg

Alice Bob

Scheduling

Selection

Scheduling

Selection

Instruction Scheduling & Code Layout

source

o Instruction Scheduling

o Code Layout• pieces of code that can be placed in any order

Layout

Interactions

Alice Bob

Scheduling

Selection

Layout

Scheduling

Selection

Canonicalize

Evaluation: i386 (1)

bzip2 crafty gap gzip mcf parser twolf vortex vpr total0.000

(1/200) 0.005

(1/100) 0.010

(1/50) 0.020

(1/40) 0.025

(1/25) 0.040

instruction selectioninstruction schedulingcode layout

Benchmarks

Layout

Alice Bob

Scheduling

Selection

Layout

Scheduling

Selection

sub 0x8,ebp (3 byte) ⇒ lea -0x8(,ebp,1),ebp (7byte)

CTS: Instruction Selection

mov 0,

regsub reg,reg

and 0,reg

xor reg,reg

lea 0,reg

imul 0,reg

operation: reg=0

o CTS: unusual code property introduced by the applied code transformation

o Detection:1. quantify property through metric2. build statistical model of expected behavior3. compare observed to expected behavior4. classify code into clean and suspect

Detection of CTSs

Layout

Scheduling

SelectionUnusual

Instructions

Unusual Frequencies

Diverse Schedules

Suboptimal Schedules

Unusual Jump Behaviour

Evaluation: i386 (2)

instruction selectioninstruction schedulingcode layout

bzip2 crafty gap gzip mcf parser twolf vortex vpr total

Benchmarks

(1/200) 0.005

(1/100) 0.010

(1/50) 0.020

(1/40) 0.025

(1/25) 0.040

Questions?

Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter,...

Documents

Transcript of Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter,...

Endogenous antibody interference in immunoassays€¦ · Endogenous antibody interference in immunoassays Ellen Anckaert, ... electrochemiluminescence FT3 assay ... l Prevalence of

Portfolio Simon Anckaert

DELPHINE CHANET - image/imatge

PALLIATIVE CARE IN BELGIUMmedia.voog.com/0000/0042/3679/files/Christine De Bosschere .pdf · more facts! 17. 14/3/2019 International Conference - Tartu / Estonia Symptoms in last

WORKSHOP MULTIMEDIA Lieselot Anckaert. Beeld 2 Woord 3.

forniture & brokeraggi - Ri.Tecnologie Industriali · 2020. 1. 31. · cevisa cf gomma cfc cfe cfw cge cgm chanet peintures charles austen charles maire charmilles chatillon chauvin

LAURENCE BREYSSE-CHANET et INA SALAZAR INSTITUTO … · José Lezama Lima en Espagne, sous la direction de JAVIER FORNIELES TEN Ensayos completos, Edición Conmemorativa por el Centenario

Macro-TSH and endogeneous antibody interference in immunoassays Ellen Anckaert, M.D., Ph.D. Laboratorium Hormonologie & Tumormarkers UZ Brussel.

Performance/Energy Optimization of DSP Transforms on the ...users.ece.cmu.edu/~franzf/papers/hipeac07.pdf · K. De Bosschere et al. (Eds.): HiPEAC 2007, LNCS 4367, pp. 201–214,

EDCampus - imagair.imag.fr/images/7/7c/EDCampus-Final-CHANET-CHARLOT.pdf · 2019-03-19 · CHARLOT Servan - Chef de groupe CHANET Zoran - Responsable DevOps L’équipe 2. Le sujet

Trace Substitution Hans Vandierendonck, Hans Logie, Koen De Bosschere Ghent University EuroPar 2003, Klagenfurt.

Besoins ontologiques d’un système d’irrigation intelligent ... · Octobre 2018. 4 Capteurs et RCSF Réseau de capteurs sans fils ... Roussey, C., Chanet, J.-P., Pinet, F., &

AADEBUG 2000 - MUNCHEN Non-intrusive on-the-fly data race detection using execution replay Michiel Ronsse - Koen De Bosschere Ghent University - Belgium.

cv Lien Anckaert - Kunstwerkplaats De Zandberg€¦ · • Transformator, 100 jaar transfo, Zwevegem, september 2013 • Art for Groep Ubuntu, i.s.m. Deweer gallery, Ambasador club

Enseigner l’Evolution à l’Ecole primaire Séminaire Main à la pâte 2 avril 2008 Bruno Chanet CNED de Vanves Correspondant MNHN, département Systématique.

Linux-oefening Operationele Aspecten van Besturingssystemen Prof. Koen De Bosschere ir. Ronny Blomme.

Bibliography - Framework Literary Translation · Bibliography Abdellah, A. (2010). ... translation and interpreting in honour of Ian Mason. Anckaert, Ph., ... CETRA. pp. 273-85.

Opaque Predicates Detection by Abstract Interpretation · Opaque Predicates Detection by Abstract Interpretation Mila Dalla Preda 1, Matias Madou 2, Koen De Bosschere , and Roberto

Evaluation of the Gini-index for Studying Branch Prediction Features Veerle Desmet Lieven Eeckhout Koen De Bosschere.

Nucleo Projectair.imag.fr/images/c/c0/Nucleo_Final_Presentation.pdf · CHANET Zoran & CHARLOT Servan Final Presentation. Project Description → Hacking Jeelabs’ ESP-Link → Flash