Publication detail

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

ĎURFINA, L. KŘOUSTEK, J. ZEMEK, P. KOLÁŘ, D. HRUŠKA, T. MASAŘÍK, K. MEDUNA, A.

Original Title

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

English Title

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

Type

conference paper

Language

en

Original Abstract

Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application - the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.

English abstract

Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application - the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.

Keywords

decompilation, reverse engineering, malware, LLVM, Lissom, ISAC

RIV year

2011

Released

15.08.2011

Publisher

Springer Verlag

Location

Brno

ISBN

978-3-642-23140-7

Book

The 5th International Conference on Information Security and Assurance

Edition

Communications in Computer and Information Science, Volume 200

Edition number

NEUVEDEN

Pages from

72

Pages to

86

Pages count

15

URL

Documents

BibTex


@inproceedings{BUT76329,
  author="Lukáš {Ďurfina} and Jakub {Křoustek} and Petr {Zemek} and Dušan {Kolář} and Tomáš {Hruška} and Karel {Masařík} and Alexandr {Meduna}",
  title="Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis",
  annote="Together with the massive expansion of smartphones, tablets, and other smart
devices, we can notice a growing number of malware threats targeting these
platforms. Software security companies are not prepared for such diversity of
target platforms and there are only few techniques for platform-independent
malware analysis. This is a major security issue these days. In this paper, we
propose a concept of a retargetable reverse compiler (i.e. a decompiler), which
is in an early stage of development. The retargetable decompiler transforms
platform-specific binary applications into a high-level language (HLL)
representation, which can be further analyzed in a uniform way. This tool will
help with a static platform-independent malware analysis. Our unique solution is
based on an exploitation of two systems that were originally not intended for
such an application - the architecture description language (ADL) ISAC for
a platform description and the LLVM Compiler System as the core of the
decompiler. In this study, we show that our tool can produce highly readable HLL
code.",
  address="Springer Verlag",
  booktitle="The 5th International Conference on Information Security and Assurance",
  chapter="76329",
  doi="10.1007/978-3-642-23141-4_8",
  edition="Communications in Computer and Information Science, Volume 200",
  howpublished="print",
  institution="Springer Verlag",
  year="2011",
  month="august",
  pages="72--86",
  publisher="Springer Verlag",
  type="conference paper"
}