opcode statistics for detecting compiler settings
play

Opcode statistics for detecting compiler settings Kenneth van - PowerPoint PPT Presentation

Jan 08, 2023 •282 likes •622 views

Introduction Methodology Results Discussion Conclusion Opcode statistics for detecting compiler settings Kenneth van Rijsbergen 1 1 MSc student System and Network Engineering Faculty of Science University of Amsterdam 5 February 2018

  1. Introduction Methodology Results Discussion Conclusion Opcode statistics for detecting compiler settings Kenneth van Rijsbergen 1 1 MSc student System and Network Engineering Faculty of Science University of Amsterdam 5 February 2018 Kenneth van Rijsbergen RP2 #20 5 February 2018 1 / 26

  2. Build-environment Used tool-chains, version of the compiler, compiler flags Lost after compilation and stripping Opcode statistics Main approach Related work in metamorphic malware detection Introduction Methodology Results Discussion Conclusion Introduction Reproducible builds How to match the binary with the source code? Reproducible builds : binaries that can be reproduced from source code byte-for-byte Kenneth van Rijsbergen RP2 #20 5 February 2018 2 / 26

  3. Opcode statistics Main approach Related work in metamorphic malware detection Introduction Methodology Results Discussion Conclusion Introduction Reproducible builds How to match the binary with the source code? Reproducible builds : binaries that can be reproduced from source code byte-for-byte Build-environment Used tool-chains, version of the compiler, compiler flags Lost after compilation and stripping Kenneth van Rijsbergen RP2 #20 5 February 2018 2 / 26

  4. Introduction Methodology Results Discussion Conclusion Introduction Reproducible builds How to match the binary with the source code? Reproducible builds : binaries that can be reproduced from source code byte-for-byte Build-environment Used tool-chains, version of the compiler, compiler flags Lost after compilation and stripping Opcode statistics Main approach Related work in metamorphic malware detection Kenneth van Rijsbergen RP2 #20 5 February 2018 2 / 26

  5. Hidden Markov Model, Graph embedding, ML classifiers Wong & Stamp [2006], Santos et al., and many others. Mohammad et al [2016] : Using Feature extraction and DT (Random Forest) scored 100% accuracy. N-gram analysis N-gram is a sequence of n-items or larger Santos et al [2010]. Santos et al [2013]. Kang et al [2016]. Kang et al [2016] : Showed using a 4-gram was best, detecting Android Malware, using SVM (Support vector machine). Introduction Methodology Results Discussion Conclusion Related work / Background Bilar [2007] : Distribution of opcodes and statistical differences between goodware and malware Austin et al [2013] : 90% accuracy in distinguishing different compilers, using Hidden Markov models (HMM). Kenneth van Rijsbergen RP2 #20 5 February 2018 3 / 26

  6. N-gram analysis N-gram is a sequence of n-items or larger Santos et al [2010]. Santos et al [2013]. Kang et al [2016]. Kang et al [2016] : Showed using a 4-gram was best, detecting Android Malware, using SVM (Support vector machine). Introduction Methodology Results Discussion Conclusion Related work / Background Bilar [2007] : Distribution of opcodes and statistical differences between goodware and malware Austin et al [2013] : 90% accuracy in distinguishing different compilers, using Hidden Markov models (HMM). Hidden Markov Model, Graph embedding, ML classifiers Wong & Stamp [2006], Santos et al., and many others. Mohammad et al [2016] : Using Feature extraction and DT (Random Forest) scored 100% accuracy. Kenneth van Rijsbergen RP2 #20 5 February 2018 3 / 26

  7. Introduction Methodology Results Discussion Conclusion Related work / Background Bilar [2007] : Distribution of opcodes and statistical differences between goodware and malware Austin et al [2013] : 90% accuracy in distinguishing different compilers, using Hidden Markov models (HMM). Hidden Markov Model, Graph embedding, ML classifiers Wong & Stamp [2006], Santos et al., and many others. Mohammad et al [2016] : Using Feature extraction and DT (Random Forest) scored 100% accuracy. N-gram analysis N-gram is a sequence of n-items or larger Santos et al [2010]. Santos et al [2013]. Kang et al [2016]. Kang et al [2016] : Showed using a 4-gram was best, detecting Android Malware, using SVM (Support vector machine). Kenneth van Rijsbergen RP2 #20 5 February 2018 3 / 26

  8. Introduction Methodology Results Discussion Conclusion Research questions Research questions : 1 How significant are the differences in the opcode frequencies when using different compiler versions? 2 How significant are the differences in the opcode frequencies when using different compiler flags? 3 What opcodes are responsible for the differences in the opcode frequencies? 4 Are differences significant enough to detect what compiler flag or version is used for a binary? Kenneth van Rijsbergen RP2 #20 5 February 2018 4 / 26

  9. Introduction Methodology Results Discussion Conclusion Methodology Approach : Compiled a collection of applications 6 different optimisation flags 8 different GCC versions Count the opcodes of the collections Single opcodes (1-gram) Opcode pairs (2-gram) Statistical analysis Kenneth van Rijsbergen RP2 #20 5 February 2018 5 / 26

  10. Introduction Methodology Results Discussion Conclusion Compiled programs Compiled programs : barcode - part of barcode-0.99 bash - part of bash-4.4 cp - part of coreutils-8.28 enscript - part of enscript-1.6.6 find - part of findutils-4.6.0 gap * - part of gap-4.8.9 gcal2txt - part of gcal-4 gcal - part of gcal-4 git-shell - part of git 2.7.4 git - part of git 2.7.4 lighttpd - part of lighttpd-1.4.48 locate - part of findutils-4.6.0 ls - part of coreutils-8.28 mv - part of coreutils-8.28 openssl * - part of openssl-1.0.2n postgresql * - part of postgresql-10.1 sha256sum - part of coreutils-8.28 sha384sum - part of coreutils-8.28 units - part of units-2.16 vim - part of vim version 8.0.1391 (Not included in the flag dataset (*) ) Kenneth van Rijsbergen RP2 #20 5 February 2018 6 / 26

  11. Introduction Methodology Results Discussion Conclusion Sizes of programs Figure – Sizes of programs Kenneth van Rijsbergen RP2 #20 5 February 2018 7 / 26

  12. Introduction Methodology Results Discussion Conclusion Compiler versions Compiler versions : GCC : (Ubuntu/Linaro 4.4.7-8ubuntu7) 4.4.7 GCC : (Ubuntu/Linaro 4.6.4-6ubuntu6) 4.6.4 GCC : (Ubuntu/Linaro 4.7.4-3ubuntu12) 4.7.4 GCC : (Ubuntu 4.8.5-4ubuntu2) 4.8.5 GCC : (Ubuntu 4.9.4-2ubuntu1 16.04) 4.9.4 GCC : (Ubuntu 5.4.1-2ubuntu1 16.04) 5.4.1 20160904 GCC : (Ubuntu/Linaro 6.3.0-18ubuntu2 16.04) 6.3.0 20170519 GCC : (Ubuntu 7.2.0-1ubuntu1 16.04) 7.2.0 Kenneth van Rijsbergen RP2 #20 5 February 2018 8 / 26

  13. Introduction Methodology Results Discussion Conclusion Optimization flags Table – Optimization flags Flag Description -O0 Default -O1 Light optimization Acts as a macro. All optimization of -O1 -O2 Increased optimization Plus additional flags without space trade-off. All optimizations of -O2 -O3 Additional optimization Plus additional flags. All the -O2 optimizations -Os Optimize for size Plus other flags that reduce the size. All the -O3 optimizations -Ofast Optimize for speed Plus other flags such as -fast-math. Some program refuse to compile. Kenneth van Rijsbergen RP2 #20 5 February 2018 9 / 26

  14. Cramer’s V : Indicates strength of relationship between 0 and 1 <0.10 indicates a weak relationship between the variables 0.10 - 0.30 indicates a moderate relationship >0.30 indicates a strong relationship Z-scores : Number of std.dev an observation deviates from the mean 0 = no deviation. -2 or 2 = deviates 2 std.dev. from the mean The greater the Z-score, the more a value deviates from the mean Introduction Methodology Results Discussion Conclusion Statistical analysis Chi-squared test : Measures the difference or fit of data Difference between the actual data and the expected data Need Cramer’s V due to large dataset Kenneth van Rijsbergen RP2 #20 5 February 2018 10 / 26

  15. Z-scores : Number of std.dev an observation deviates from the mean 0 = no deviation. -2 or 2 = deviates 2 std.dev. from the mean The greater the Z-score, the more a value deviates from the mean Introduction Methodology Results Discussion Conclusion Statistical analysis Chi-squared test : Measures the difference or fit of data Difference between the actual data and the expected data Need Cramer’s V due to large dataset Cramer’s V : Indicates strength of relationship between 0 and 1 <0.10 indicates a weak relationship between the variables 0.10 - 0.30 indicates a moderate relationship >0.30 indicates a strong relationship Kenneth van Rijsbergen RP2 #20 5 February 2018 10 / 26

  16. Introduction Methodology Results Discussion Conclusion Statistical analysis Chi-squared test : Measures the difference or fit of data Difference between the actual data and the expected data Need Cramer’s V due to large dataset Cramer’s V : Indicates strength of relationship between 0 and 1 <0.10 indicates a weak relationship between the variables 0.10 - 0.30 indicates a moderate relationship >0.30 indicates a strong relationship Z-scores : Number of std.dev an observation deviates from the mean 0 = no deviation. -2 or 2 = deviates 2 std.dev. from the mean The greater the Z-score, the more a value deviates from the mean Kenneth van Rijsbergen RP2 #20 5 February 2018 10 / 26

  17. Introduction Methodology Results Discussion Conclusion Results GCC versions 1-gram Kenneth van Rijsbergen RP2 #20 5 February 2018 11 / 26

  18. Introduction Methodology Results Discussion Conclusion GCC versions 1-gram Relative frequencies of opcodes for different GCC versions (1-gram). Kenneth van Rijsbergen RP2 #20 5 February 2018 12 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Detecting a Change of Style Using Text Statistics Kamil Safin Aleksandr Ogaltsov Antiplagiat

Detecting a Change of Style Using Text Statistics Kamil Safin Aleksandr Ogaltsov Antiplagiat

Detecting a Change of Style Using Text Statistics Kamil Safin Aleksandr Ogaltsov Antiplagiat Company Moscow Institute of Physics and Technology Higher School of Economics 1 / 10 PAN18 competition Tasks Author identification task.

206 views • 10 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Event Weighted Tests for Detecting Periodicity in Photon Arrival Times John Rice Statistics

Event Weighted Tests for Detecting Periodicity in Photon Arrival Times John Rice Statistics

Event Weighted Tests for Detecting Periodicity in Photon Arrival Times John Rice Statistics Department University of California, Berkeley Joint work with Peter Bickel and Bas Kleijn. Thanks to Seth Digel, Patrick Nolan Tom Loredo, Charlotte

548 views • 39 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Midterm Review Jason Mars Monday, February 11, 13 ISA - Instruction Length Fixed Length

Midterm Review Jason Mars Monday, February 11, 13 ISA - Instruction Length Fixed Length

Midterm Review Jason Mars Monday, February 11, 13 ISA - Instruction Length Fixed Length Variable Length 32 bits shift opcode rs rt rd funct amount 32 bits opcode rs rt immediate / offset 32 bits opcode target 32 bits shift

954 views • 73 slides
1 A Drivechain BIP enabling the OP_COUNT_ACKS opcode to add Bitcoin drivechain capabilities as a

1 A Drivechain BIP enabling the OP_COUNT_ACKS opcode to add Bitcoin drivechain capabilities as a

1 A Drivechain BIP enabling the OP_COUNT_ACKS opcode to add Bitcoin drivechain capabilities as a soft-fork. BUILDING ON BITCOIN Conference Lisboa, Portugal, 3-4 July 2018 Sergio Demian Lerner Chief Scientist, RSK Labs www. rsk .co 2 About

676 views • 39 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Com ompari rison on of of F Five C Commonly Used Ge Gene-Gene I Interaction Detecting

Com ompari rison on of of F Five C Commonly Used Ge Gene-Gene I Interaction Detecting

Com ompari rison on of of F Five C Commonly Used Ge Gene-Gene I Interaction Detecting Metho hods in S n Schi hizophr hrenia Chung-Keng Hsieh and Guan-Hua Huang Institute of Statistics National Chiao Tung University Outline

349 views • 30 slides
Detecting community structure in networks M.E.J. Newmans results 1 , 2 (presented by Botond

Detecting community structure in networks M.E.J. Newmans results 1 , 2 (presented by Botond

Detecting community structure in networks M.E.J. Newmans results 1 , 2 (presented by Botond Szabo) 1 Detecting community structure in networks (2004) 2 Finding community structure in networks using eigenvectors of matrices (2006) Statistics for

522 views • 38 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2

252-210: Compiler Design 1.1 Simple compiler model 1.2 Admin issues Thomas R. Gross Computer Science Department ETH Zurich, Switzerland 1.1

1.27k views • 46 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
iSCSI PDU Header Notes Octet 0 Octet 1 Octet 2 Octet 3 AHS Data Length Length Always 48

iSCSI PDU Header Notes Octet 0 Octet 1 Octet 2 Octet 3 AHS Data Length Length Always 48

iSCSI PDU Header Notes Octet 0 Octet 1 Octet 2 Octet 3 AHS Data Length Length Always 48 bytes Opcode Opcode-specific fields 1. AHS_length is given in 4 byte words allowing a maximum size of 1020 bytes for BHS all combined AHSes. 2.

327 views • 3 slides
Response Surface Methods Response surface methodology (RSM) is a combination of statistics

Response Surface Methods Response surface methodology (RSM) is a combination of statistics

ST 516 Experimental Statistics for Engineers II Response Surface Methods Response surface methodology (RSM) is a combination of statistics (regression modeling) and mathematics (optimization) used to find factor settings that optimize the

355 views • 16 slides
Time plots In applications like process control, detecting trends and other changes in a process

Time plots In applications like process control, detecting trends and other changes in a process

ST 370 Probability and Statistics for Engineers Time plots In applications like process control, detecting trends and other changes in a process is important. Plotting data values against the time at which the observation was made is a key

403 views • 4 slides
Infection prevention and control Annette Jeanes Director of Infection Prevention and Control and

Infection prevention and control Annette Jeanes Director of Infection Prevention and Control and

Infection prevention and control Annette Jeanes Director of Infection Prevention and Control and Consultant nurse Summary History of infection prevention and control National issues UCLH Future Infection Control What is

290 views • 27 slides
Bringing True Novelty to the Anti-Infective Space New Class of Antibacterials Based on a Unique

Bringing True Novelty to the Anti-Infective Space New Class of Antibacterials Based on a Unique

Bringing True Novelty to the Anti-Infective Space New Class of Antibacterials Based on a Unique Mechanism of Action Dr Dawn Firmin SMis 17 th Annual Conference on Superbugs &amp; Superdrugs March 2015 1 Contents MGB Biopharma Limited

372 views • 15 slides
Presented by: Eric Paul &amp; Brad Rogers 1 canntrust.ca A focused medical approach to meet

Presented by: Eric Paul &amp; Brad Rogers 1 canntrust.ca A focused medical approach to meet

Improving the Quality of your Life Presented by: Eric Paul &amp; Brad Rogers 1 canntrust.ca A focused medical approach to meet the specific needs of the physicians and patients Standardized Products provide us the ability to Label

497 views • 30 slides
Digital Savings &amp; Payments Evidence from Recent RCTs Rebecca Rouse Director, Financial

Digital Savings &amp; Payments Evidence from Recent RCTs Rebecca Rouse Director, Financial

Digital Savings &amp; Payments Evidence from Recent RCTs Rebecca Rouse Director, Financial Inclusion Program Innovations for Poverty Action IPA: An international non- profit research &amp; policy organization founded in 2002 by Dean Karlan, a

560 views • 20 slides
LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015

LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015

LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015 Amine Ouesla8 - Group Leader Eric Bailey - Deputy Leader Allen Chang - Treasurer

270 views • 25 slides
Management of suspected bacterial urinary tract infections A team Approach Jane Lawson Senior

Management of suspected bacterial urinary tract infections A team Approach Jane Lawson Senior

Management of suspected bacterial urinary tract infections A team Approach Jane Lawson Senior Infection Prevention and Control Nurse Durham dales Easington Sedgefield , North Durham and Darlington CCGs IPCT team and the wider Health Economy

699 views • 49 slides
Approximate search in misuse detection-based IDS by using the q-gram distance Sverre Bakke

Approximate search in misuse detection-based IDS by using the q-gram distance Sverre Bakke

Approximate search in misuse detection-based IDS by using the q-gram distance Sverre Bakke Outline Topic Research questions q-gram distance Approximate search in IDS Experiments &amp; results Conclusions A typical misuse

455 views • 31 slides
Gram Swaraj Abhiyaan and Pradhan Mantri Ujjwala Yojana Pradhan Mantri Ujj jjwala Yoja jana

Gram Swaraj Abhiyaan and Pradhan Mantri Ujjwala Yojana Pradhan Mantri Ujj jjwala Yoja jana

Presentation on Gram Swaraj Abhiyaan and Pradhan Mantri Ujjwala Yojana Pradhan Mantri Ujj jjwala Yoja jana PMUY launched by Prime Minister on May 1st, 2016. 5 Cr LPG connections. Rs. 8000 Cr allocated. Enhanced Target - 8 Cr,

583 views • 8 slides

More recommend