Covert Computation - Hiding Code in Code for Obfuscation Purposes

S. Schrittwieser, M. Huber, M. Leithner, M. Mulazzani, S. Katzenbeisser, E. Weippl, P. Kieseberg:
"Covert Computation - Hiding Code in Code for Obfuscation Purposes";
Vortrag: ASIA CCS'13 8th ACM Symposium on Information, Computer and Communications Security, Hangzhou; 08.05.2013 - 10.05.2013; in:"Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security", 1 (2013), ISBN: 978-1-4503-1767-2.

[ Publication Database ]


As malicious software gets increasingly sophisticated and re-
silient to detection, new concepts for the identi cation of
malicious behavior are developed by academia and industry
alike. While today's malware detectors primarily focus on
syntactical analysis (i.e., signatures of malware samples), the
concept of semantic-aware malware detection has recently
been proposed. Here, the classi cation is based on models
that represent the underlying machine and map the e ects of
instructions on the hardware. In this paper, we demonstrate
the incompleteness of these models and highlight the threat
of malware, which exploits the gap between model and ma-
chine to stay undetectable. To this end, we introduce a
novel concept we call covert computation, which implements
functionality in side e ects of microprocessors. For instance,
ags register can be used to calculate basic arithmetical
and logical operations. Our paper shows how this technique
could be used by malware authors to hide malicious code in
a harmless-looking program. Furthermore, we demonstrate
the resilience of covert computation against semantic-aware
malware scanners.