High Security Lab
Engineer job

Graduate engineer at the Loria High Security lab (LHS)
See the job offer (in French)

The aim of this project is to construct a High Security Lab at Loria (www.loria.fr) whose purpose is to conduct experiments on computer security.

Contact

Inauguration: covering of the event
Inauguration

Inauguration of the High Sec Lab on July 1st, 2010!

Visit for Loria members on July 2nd, 2010 (morning)

Uncovering self-modifying code

As part of the malware analysis effort of the High Security Lab, researchers work on the analysis and visualization of self-modifying code (SMC). Most malware samples in the wild employ SMC as a polymorphism technique to evade signature-based antiviruses, and it has the additional benefit of making static analysis harder.

A first step towards defeating self-modifying code is understanding its behaviour. Our visualization, obtained automatically from a trace, considerably speeds up this process. We represent the trace as a graph with the following attributes:
- nodes are code layers: the first one is static, every other node is dynamically generated
- edges are relations between nodes:
    - plain black edges represent decryption
    - dashed black edges represent simple code generation
    - red edges are for code scrambling (erasing from memory)
    - green edges are for self-checking

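As an added illustration (not the lab's tools), the following constructed example builds such a layer graph from a memory trace and renders it with the legend's edge styles. The classification rules are assumptions: code written by layer k and then executed forms layer k+1, an in-place overwrite of image bytes is decryption, a write to fresh memory is generation, a write over code that already ran is scrambling, and a read of code that already ran is self-checking.

```python
# Added example (not the tartetatin tools): build a code-layer graph from a
# constructed memory trace. The classification rules below are assumptions.
STATIC = 0  # layer 0: code present in the executable image on disk
# Edge styles follow the legend used for the graphs above.
STYLE = {'decrypt': 'color=black', 'generate': 'color=black, style=dashed',
         'scramble': 'color=red', 'selfcheck': 'color=green'}

def layer_graph(image, trace):
    """image: addresses mapped from the binary; trace: (op, addr) events,
    op in {'exec', 'write', 'read'}. Code written by layer k runs as layer k+1.
    Returns (layers, edges) with edges as (src, dst, kind)."""
    writer, executed, pending, edges = {}, {}, {}, set()
    cur = STATIC
    for op, addr in trace:
        if op == 'exec':
            cur = writer[addr] + 1 if addr in writer else STATIC
            if addr in pending:                 # written bytes are now code
                kind, src = pending.pop(addr)
                edges.add((src, cur, kind))
            executed[addr] = cur
        elif op == 'write':
            if addr in executed:                # erasing code that already ran
                edges.add((cur, executed.pop(addr), 'scramble'))
            # overwrite of image bytes = decryption, fresh memory = generation;
            # the edge is only drawn if the written bytes are executed later
            pending[addr] = ('decrypt' if addr in image else 'generate', cur)
            writer[addr] = cur
        elif op == 'read' and addr in executed: # e.g. checksumming its own code
            edges.add((cur, executed[addr], 'selfcheck'))
    layers = sorted({STATIC} | set(executed.values()) | {e[1] for e in edges})
    return layers, sorted(edges)

def to_dot(layers, edges):
    """Render the layer graph in Graphviz DOT with the legend's edge styles."""
    lines = ['digraph layers {'] + ['  L%d;' % n for n in layers]
    lines += ['  L%d -> L%d [%s];' % (s, d, STYLE[k]) for s, d, k in edges]
    return '\n'.join(lines + ['}'])

# Constructed trace: a stub at 0x1000 decrypts 0x2000-0x2001 in place; that
# layer writes fresh code at 0x3000, which then checksums and erases layer 1.
IMAGE = set(range(0x1000, 0x1004)) | set(range(0x2000, 0x2004))
TRACE = [('exec', 0x1000), ('write', 0x2000), ('write', 0x2001), ('exec', 0x1001),
         ('exec', 0x2000), ('exec', 0x2001), ('write', 0x3000), ('exec', 0x3000),
         ('read', 0x2000), ('write', 0x2000)]

if __name__ == '__main__':
    print(to_dot(*layer_graph(IMAGE, TRACE)))
```

A trace that only executes image bytes yields a single node and no edges, matching the normal-program case described next.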
For most normal programs, the obtained graph would be a single node with no edges. An unsophisticated malware sample would give two nodes joined by a decryption arrow:

[Figure: rlpack-hostname]

The real challenge is defeating more sophisticated samples, whose graphs can get really complex, such as this one:

[Figure: themida_1.2]


You can see additional graphs online. The tools used are available at http://code.google.com/p/tartetatintools/, and an optimised version will be released for the SSTIC conference.
