Steganography for Executables and Code Transformation Signatures - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Steganography for Executables and Code Transformation Signatures

Description:

Steganography for Executables. and. Code Transformation Signatures. Bertrand ... Dominique Chanet and Koen De Bosschere. 2. Problem. Alice. Bob. Wendy. Embedder ... – PowerPoint PPT presentation

Number of Views:48
Avg rating:3.0/5.0
Slides: 20
Provided by: bertrand2
Category:

less

Transcript and Presenter's Notes

Title: Steganography for Executables and Code Transformation Signatures


1
Steganography for Executables and Code
Transformation Signatures
  • Bertrand Anckaert, Bjorn De Sutter,
  • Dominique Chanet and Koen De Bosschere

2
Problem
3
Location of the Secret Message
  • Media
  • human senses
  • redundant bits
  • Executables
  • processors
  • single-bit failure

NOISE ? CHOICE
4
Embedding Bits in a Choice
5
Embedding Bits in a Choice
5
4
bits
3
2
1
0
1
2
4
8
16
32
alternatives
6
Embedding Bits in a Choice
7
Embedding Bits in a Choice
5
4
bits
3
2
1
0
1
2
4
8
16
32
alternatives
8
Instruction Selection
Selection
Selection
9
Instruction Selection
sub reg,reg
mov 0,reg
xor reg,reg
imul 0,reg
and 0,reg
lea 0,reg
operation reg0

10
Scheduling
Scheduling
Selection
Selection
11
Instruction Scheduling Code Layout
  • Instruction Scheduling

source
sink
  • Code Layout
  • pieces of code that can be placed in any order

12
Interactions
Layout
Layout
Scheduling
Scheduling
Selection
Selection
13
Evaluation i386 (1)
instruction selection instruction scheduling code
layout
(1/25) 0.040
0.035
0.030
(1/40) 0.025
(1/50) 0.020
Embedding Rate
0.015
(1/100) 0.010
(1/200) 0.005
0.000
bzip2
crafty
gap
gzip
mcf
parser
twolf
vortex
vpr
total
Hydan
Benchmarks
14
Code Transformation Signatures
Layout
Layout
Scheduling
Scheduling
Selection
Selection
sub 0x8,ebp (3 byte) ? lea -0x8(,ebp,1),ebp
(7byte)
15
CTS Instruction Selection
sub reg,reg
mov 0,reg
xor reg,reg
imul 0,reg
and 0,reg
lea 0,reg
operation reg0
16
Detection of CTSs
  • CTS unusual code property introduced by the
    applied code transformation
  • Detection
  • quantify property through metric
  • build statistical model of expected behavior
  • compare observed to expected behavior
  • classify code into clean and suspect

17
Code Transformation Signatures
Unusual Jump Behaviour
Layout
Diverse Schedules
Scheduling
Suboptimal Schedules
Unusual Instructions
Selection
Unusual Frequencies
18
Evaluation i386 (2)
instruction selection instruction scheduling code
layout
(1/25) 0.040
0.035
0.030
(1/40) 0.025
(1/50) 0.020
Embedding Rate
0.015
(1/100) 0.010
(1/200) 0.005
0.000
bzip2
crafty
gap
gzip
mcf
parser
twolf
vortex
vpr
total
Hydan
Benchmarks
19
Questions?
Write a Comment
User Comments (0)
About PowerShow.com