The University of Arizona
banner image

  A Semantics-Based Approach to Malware Detection

Mila Dalla Preda[1],   Mihai Christodorescu[2],   Somesh Jha[2],   Saumya Debray[3],
[1] Dipartimento di Informatica
University of Verona
37134 Verona, Italy

[2] Department of Computer Science
University of Wisconsin
Madison, WI 53706, U.S.A.

[2] Department of Computer Science
University of Arizona
Tucson, AZ 85721, U.S.A.

 

Abstract
Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of such detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.