Steganography for Executables and Code Transformation Signatures Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere
Date posted: 21-Dec-2015

Page 1:

Steganography for Executables and Code Transformation Signatures

Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere

Page 2:

Problem

[Diagram labels: Alice, Bob, Wendy, Embedder, Extractor]

Page 3:

Location of the Secret Message

o Media
  • human senses
  • redundant bits

o Executables
  • processors
  • single-bit failure

NOISE ⇒ CHOICE

Page 4:

Embedding Bits in a Choice

[Figure labels: 0 1; 00 01 10 11; n = 7; log2(n)]

Page 5:

Embedding Bits in a Choice

[Plot: bits (0 to 5) against alternatives (1, 2, 4, 8, 16, 32); curves labelled log2(n)]

n=7 ⇒ 3 unused

n=31 ⇒ 15 unused

Page 6:

Embedding Bits in a Choice

[Equation: b(n), expressed in terms of n and log2(n)]

[Figure labels: 00 01 10; 00 01 10 11; n = 7: 000 010 100 11 001 011 101]

Page 7:

Embedding Bits in a Choice

[Plot: bits (0 to 5) against alternatives (1, 2, 4, 8, 16, 32); curves labelled log2(n) and b(n)]

Page 8:

Instruction Selection

[Diagram labels: Alice, Bob, Selection, Selection]

Page 9:

Instruction Selection

operation: reg=0
  mov 0,reg
  sub reg,reg
  and 0,reg
  xor reg,reg
  lea 0,reg
  imul 0,reg

operation: reg=reg+1
  sub -1,reg
  add 1,reg
  inc reg
  lea 1(reg),reg

operation: reg=-reg
  neg reg
  imul -1,reg,reg

Page 10:

[Diagram labels: Alice, Bob; Scheduling, Selection; Scheduling, Selection]

Page 11:

Instruction Scheduling & Code Layout

o Instruction Scheduling

o Code Layout
  • pieces of code that can be placed in any order

[Figure labels: source, sink]

Page 12:

Interactions

[Diagram labels: Alice, Bob; Layout, Scheduling, Selection; Layout, Scheduling, Selection; Canonicalize, Canonicalize]

Page 13:

Evaluation: i386 (1)

[Chart: Embedding Rate (axis from 0.000 to 0.040, with 0.005 = 1/200, 0.010 = 1/100, 0.020 = 1/50, 0.025 = 1/40, 0.040 = 1/25) per benchmark (bzip2, crafty, gap, gzip, mcf, parser, twolf, vortex, vpr, total); series: instruction selection, instruction scheduling, code layout; label: Hydan]

Page 14:

Code Transformation Signatures

[Diagram labels: Alice, Bob, Wendy; Layout, Scheduling, Selection; Layout, Scheduling, Selection]

sub 0x8,ebp (3 byte) ⇒ lea -0x8(,ebp,1),ebp (7 byte)

Page 15:

CTS: Instruction Selection

operation: reg=0
  mov 0,reg
  sub reg,reg
  and 0,reg
  xor reg,reg
  lea 0,reg
  imul 0,reg

[Diagram label: Wendy]

Page 16:

Detection of CTSs

o CTS: unusual code property introduced by the applied code transformation

o Detection:
  1. quantify property through metric
  2. build statistical model of expected behavior
  3. compare observed to expected behavior
  4. classify code into clean and suspect
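
The four detection steps on this slide, applied to the reg=0 instruction-selection alternatives listed earlier in the deck, as an added example that is not part of the original slides. The baseline frequencies, the chi-square threshold and both sample listings are constructed assumptions.

```python
import re
from collections import Counter

REG = r"(e(?:ax|bx|cx|dx|si|di|bp|sp))"
# The six encodings of reg=0 from the slides, in the slides' operand notation.
ZERO_FORMS = {
    "mov 0,reg":   re.compile(rf"mov 0,{REG}"),
    "sub reg,reg": re.compile(rf"sub {REG},\1"),   # both operands identical
    "and 0,reg":   re.compile(rf"and 0,{REG}"),
    "xor reg,reg": re.compile(rf"xor {REG},\1"),   # both operands identical
    "lea 0,reg":   re.compile(rf"lea 0,{REG}"),
    "imul 0,reg":  re.compile(rf"imul 0,{REG}"),
}
# ASSUMPTION: constructed frequencies standing in for a model fitted on
# code known to be unmodified compiler output (step 2).
BASELINE = {"mov 0,reg": 0.30, "sub reg,reg": 0.02, "and 0,reg": 0.01,
            "xor reg,reg": 0.65, "lea 0,reg": 0.01, "imul 0,reg": 0.01}
CRITICAL = 20.515  # chi-square critical value, 5 degrees of freedom, p = 0.001

def metric(listing):
    """Step 1: count which reg=0 encoding each instruction uses."""
    return Counter(form for insn in listing
                   for form, pat in ZERO_FORMS.items()
                   if pat.fullmatch(insn.strip()))

def deviation(counts):
    """Step 3: Pearson chi-square of observed against expected counts."""
    total = sum(counts.values())
    return sum((counts[form] - p * total) ** 2 / (p * total)
               for form, p in BASELINE.items())

def classify(listing):
    """Step 4: label a listing 'clean' or 'suspect'."""
    counts = metric(listing)
    if not counts:
        return "clean"  # no reg=0 instructions, nothing to measure
    return "suspect" if deviation(counts) > CRITICAL else "clean"

def sample(mix):
    """Expand {instruction: count} into a flat constructed listing."""
    return [insn for insn, n in mix.items() for _ in range(n)]

# Constructed listings (not taken from real binaries).
CLEAN = sample({"xor eax,eax": 90, "xor ebx,ebx": 41, "mov 0,ecx": 59,
                "sub edx,edx": 4, "and 0,eax": 2, "lea 0,esi": 2,
                "imul 0,edi": 2, "xor eax,ebx": 30, "add 1,eax": 10})
SUSPECT = sample({"mov 0,eax": 34, "sub eax,eax": 33, "and 0,ebx": 33,
                  "xor ecx,ecx": 34, "lea 0,edx": 33, "imul 0,esi": 33})
```

With expected counts as small as those of the rare forms here, the chi-square approximation is rough; a model built on real data would pool rare forms into one bin or use an exact test.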

Page 17:

Code Transformation Signatures

[Diagram labels: Selection, Scheduling, Layout; Unusual Instructions, Unusual Frequencies, Diverse Schedules, Suboptimal Schedules, Unusual Jump Behaviour]

Page 18:

Evaluation: i386 (2)

[Chart: Embedding Rate (axis from 0.000 to 0.040, with 0.005 = 1/200, 0.010 = 1/100, 0.020 = 1/50, 0.025 = 1/40, 0.040 = 1/25) per benchmark (bzip2, crafty, gap, gzip, mcf, parser, twolf, vortex, vpr, total); series: instruction selection, instruction scheduling, code layout; label: Hydan]

Page 19:

Questions?