Title: Steganography for Executables and Code Transformation Signatures
1. Steganography for Executables and Code Transformation Signatures
- Bertrand Anckaert, Bjorn De Sutter, Dominique Chanet and Koen De Bosschere
2. Problem
3. Location of the Secret Message
- Media
  - human senses
  - redundant bits
- Executables
  - processors
  - single-bit failure
- NOISE → CHOICE
4. Embedding Bits in a Choice
5. Embedding Bits in a Choice
[Chart: bits (0 to 5) against number of alternatives (1, 2, 4, 8, 16, 32)]
6. Embedding Bits in a Choice
7. Embedding Bits in a Choice
[Chart: bits (0 to 5) against number of alternatives (1, 2, 4, 8, 16, 32)]
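Worked capacity formula for the relationship the two charts plot, added here and not taken from the slides (the two numeric instances are my own): a site at which any one of $n$ semantically equivalent alternatives may be chosen carries at most $\log_2 n$ bits, and the simple scheme that selects alternative number $m$ from the next message bits embeds

$$
b(n) = \lfloor \log_2 n \rfloor \ \text{bits per site}, \qquad b(1), b(2), b(4), b(8), b(16), b(32) = 0, 1, 2, 3, 4, 5,
$$

which is exactly the axis the charts use. The six zeroing idioms of the instruction-selection slides therefore yield $\lfloor \log_2 6 \rfloor = 2$ bits per zeroing site, and $k$ code pieces that can be placed in any order yield $\lfloor \log_2 k! \rfloor$ bits, for example $\lfloor \log_2 5! \rfloor = \lfloor \log_2 120 \rfloor = 6$.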
8. Instruction Selection
[Diagram: Selection]
9. Instruction Selection
- operation reg ← 0, alternative instructions:
  - sub reg,reg
  - mov 0,reg
  - xor reg,reg
  - imul 0,reg
  - and 0,reg
  - lea 0,reg
10. Scheduling
[Diagram: Scheduling, Selection]
11. Instruction Scheduling, Code Layout
[Diagram: nodes labelled source and sink]
- Code Layout
  - pieces of code that can be placed in any order
12. Interactions
[Diagram: Layout, Scheduling, Selection]
13. Evaluation i386 (1)
[Chart: embedding rate (0.000 to 0.040, also marked 1/200, 1/100, 1/50, 1/40, 1/25) per benchmark (bzip2, crafty, gap, gzip, mcf, parser, twolf, vortex, vpr, total), with series for instruction selection, instruction scheduling and code layout; Hydan is also plotted]
14. Code Transformation Signatures
[Diagram: Layout, Scheduling, Selection]
sub 0x8,ebp (3 byte) → lea -0x8(,ebp,1),ebp (7 byte)
15. CTS Instruction Selection
- operation reg ← 0, alternative instructions:
  - sub reg,reg
  - mov 0,reg
  - xor reg,reg
  - imul 0,reg
  - and 0,reg
  - lea 0,reg
16. Detection of CTSs
- CTS: unusual code property introduced by the applied code transformation
- Detection
  - quantify property through metric
  - build statistical model of expected behavior
  - compare observed to expected behavior
  - classify code into clean and suspect
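The four detection steps above, applied to the "unusual frequencies" signature of instruction selection over the zeroing idioms listed on the Instruction Selection slides, as an added Python example. This is not code from the slides or from the authors' tools: the instruction streams, the filler instructions, the baseline share of each idiom and the chi-square threshold are constructed or assumed values, and a real baseline would be measured over clean output of the same compiler.

```python
"""Detecting an instruction-selection CTS through the "unusual frequencies" metric.

Added example, not code from the slides or from the authors' tools. It walks the
four detection steps (metric, model, comparison, classification) over the zeroing
idioms from the Instruction Selection slides. All streams and the baseline
distribution below are constructed toy data.
"""
from collections import Counter
from typing import Iterable, Optional

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# Equivalence class from the slides: every member leaves reg == 0.
ZEROING_IDIOMS = ("sub reg,reg", "mov 0,reg", "xor reg,reg",
                  "imul 0,reg", "and 0,reg", "lea 0,reg")

# Step 2: statistical model of expected behaviour. Assumed (constructed) share of
# each idiom among a compiler's zeroing sites; rare idioms keep a small non-zero
# share so that a single occurrence is not infinitely surprising.
EXPECTED_SHARE = {"xor reg,reg": 0.85, "mov 0,reg": 0.10, "sub reg,reg": 0.03,
                  "and 0,reg": 0.01, "imul 0,reg": 0.005, "lea 0,reg": 0.005}

# Chi-square critical value for 5 degrees of freedom (six idioms) at p = 0.01.
CHI2_CRITICAL = 15.086


def zeroing_idiom(insn: str) -> Optional[str]:
    """Map one instruction in the slides' notation ('src,dst' operands, e.g.
    'xor eax,eax' or 'mov 0,edx') to the zeroing template it instantiates,
    or None if it is not a zeroing idiom."""
    parts = insn.strip().split(None, 1)
    if len(parts) != 2:
        return None
    mnemonic, operands = parts[0].lower(), parts[1].replace(" ", "").lower()
    ops = operands.split(",")
    if len(ops) != 2 or ops[1] not in REGS:
        return None
    src, dst = ops
    if mnemonic in ("sub", "xor") and src == dst:
        return f"{mnemonic} reg,reg"
    if mnemonic in ("mov", "imul", "and", "lea") and src in ("0", "$0"):
        return f"{mnemonic} 0,reg"
    return None


def idiom_counts(stream: Iterable[str]) -> Counter:
    """Step 1: quantify the property. Count how each zeroing site was selected."""
    return Counter(t for t in map(zeroing_idiom, stream) if t is not None)


def chi_square(stream: Iterable[str]) -> float:
    """Step 3: compare observed to expected selections with Pearson's chi-square.
    A stream without zeroing sites carries no evidence and scores 0.0."""
    observed = idiom_counts(stream)
    n = sum(observed.values())
    if n == 0:
        return 0.0
    return sum((observed.get(idiom, 0) - share * n) ** 2 / (share * n)
               for idiom, share in EXPECTED_SHARE.items())


def classify(stream: Iterable[str], threshold: float = CHI2_CRITICAL) -> str:
    """Step 4: label the code 'clean' or 'suspect'."""
    return "suspect" if chi_square(stream) > threshold else "clean"


def build_stream(zeroing_sites: list) -> list:
    """Interleave constructed filler instructions with the given zeroing sites."""
    filler = ["push ebp", "mov esp,ebp", "add 4,eax", "call foo", "ret"]
    stream = []
    for i, site in enumerate(zeroing_sites):
        stream.append(filler[i % len(filler)])
        stream.append(site)
    return stream


# Constructed compiler-like output: xor dominates, a few mov/sub (20 sites).
CLEAN_STREAM = build_stream(["xor eax,eax"] * 17 + ["mov 0,ecx"] * 2 + ["sub edx,edx"])

# Constructed output where each site's idiom was chosen by message bits, which
# spreads the sites across the whole equivalence class (24 sites).
STEGO_STREAM = build_stream(["sub eax,eax", "mov 0,ebx", "xor ecx,ecx",
                             "imul 0,edx", "and 0,esi", "lea 0,edi"] * 4)

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STREAM), ("stego", STEGO_STREAM)):
        print(f"{name}: chi2={chi_square(stream):.1f} -> {classify(stream)}")
```

The statistic only measures deviation from the model it is given, so the baseline shares have to be measured on the same compiler and optimisation settings as the code under test; a mismatched baseline produces false suspects, and a transformation that keeps the idiom frequencies close to the compiler's leaves this particular metric quiet, which is why the next slide pairs each transformation with more than one signature.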
17. Code Transformation Signatures
- Layout: unusual jump behaviour
- Scheduling: diverse schedules, suboptimal schedules
- Selection: unusual instructions, unusual frequencies
18. Evaluation i386 (2)
[Chart: embedding rate (0.000 to 0.040, also marked 1/200, 1/100, 1/50, 1/40, 1/25) per benchmark (bzip2, crafty, gap, gzip, mcf, parser, twolf, vortex, vpr, total), with series for instruction selection, instruction scheduling and code layout; Hydan is also plotted]
19. Questions?