
Section: New Results

Computer virology

Participants: Philippe Beaucamps, Guillaume Bonfante, Joan Calvet, Wadie Guizani, Matthieu Kaczmarek, Jean-Yves Marion, Daniel Reynaud.

Morphological analysis is a new method of malware detection that we propose. It is based on signature recognition over abstractions of the control flow graphs of binaries. We provide a fast rooted directed acyclic graph pattern matching algorithm based on tree automata. Compared to other (industrial) approaches, detection engines based on morphological analysis have at least two advantages. First, they are quite robust with respect to malware code mutation. Second, signatures may be extracted automatically. A running implementation is currently being tested on thousands of samples coming from honeypots and from the telescope operated by the Madynes EPI in the context of the LHS. This detector may run in two modes: (i) static analysis of binaries and (ii) dynamic analysis of binaries using an instrumentation method based on PIN, which is related to our second main software development, TraceSurfer.
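As an added illustration (not the Carte team's detector, whose code is not reproduced on this page), the following Python sketch shows the shape of the approach on a toy instruction set: a control flow graph is built from a constructed (address, mnemonic, operand) listing, reduced to its branch skeleton so that register renaming, instruction substitution and junk insertion do not alter it, a rooted signature is cut automatically from a known sample, and a rooted-graph simulation check stands in for the tree-automaton matcher. The listing format, the three samples, the reduction rules and the wildcard cut are assumptions of the example.

```python
"""Toy morphological detector (added example, not the Carte team's code):
abstract a control flow graph to its branching skeleton, extract a rooted
signature from a known sample and match it by rooted-graph simulation.
Listings are constructed and use a made-up (address, mnemonic, operand) form."""
from collections import defaultdict, deque


def build_cfg(listing):
    """Map address -> (label, ordered successors).  Labels: jmp/jcc/call/ret,
    or 'inst' for anything else.  For jcc and call the first successor is the
    taken/callee edge and the second the fall-through, so order is meaningful."""
    addrs = [a for a, _, _ in listing]
    nxt = {a: (addrs[i + 1] if i + 1 < len(addrs) else None)
           for i, a in enumerate(addrs)}
    cfg = {}
    for addr, mnem, op in listing:
        if mnem == "jmp":
            label, succs = "jmp", [op]
        elif mnem in ("jcc", "call"):
            label, succs = mnem, [op, nxt[addr]]
        elif mnem == "ret":
            label, succs = "ret", []
        else:
            label, succs = "inst", [nxt[addr]]
        cfg[addr] = (label, [s for s in succs if s is not None])
    return cfg


def abstract(cfg):
    """Collapse each maximal run of sequential instructions into one 'inst'
    node, so only the branching structure survives: register renaming,
    instruction substitution and junk insertion leave the graph unchanged."""
    preds = defaultdict(set)
    for a, (_, succs) in cfg.items():
        for s in succs:
            preds[s].add(a)

    def kept(a):  # branches, sinks, and heads of runs (incl. jump targets)
        label, succs = cfg[a]
        return (label != "inst" or not succs or not preds[a]
                or any(cfg[p][0] != "inst" for p in preds[a]))

    def resolve(a):  # skip over collapsed nodes to the next kept one
        while not kept(a):
            a = cfg[a][1][0]
        return a

    return {a: (label, [resolve(s) for s in succs])
            for a, (label, succs) in cfg.items() if kept(a)}


def extract_signature(acfg, root, depth):
    """Cut the subgraph reachable from root within `depth` edges; boundary
    nodes become '*' wildcards.  BFS sees every node at its minimal depth."""
    sig, queue = {}, deque([(root, 0)])
    while queue:
        a, d = queue.popleft()
        if a in sig:
            continue
        label, succs = acfg[a]
        sig[a] = ("*", []) if d == depth else (label, succs)
        if d < depth:
            queue.extend((s, d + 1) for s in succs)
    return sig


def matches(sig, s, g, t, assumed=None):
    """Signature node s is simulated by graph node t: labels and successor
    counts agree and corresponding successors match recursively.  Pairs on
    the recursion stack are assumed to match so loops terminate; `assumed`
    lives for one top-level query and any failure propagates to the root."""
    if assumed is None:
        assumed = set()
    if (s, t) in assumed or sig[s][0] == "*":
        return True
    (s_label, s_succs), (t_label, t_succs) = sig[s], g[t]
    if s_label != t_label or len(s_succs) != len(t_succs):
        return False
    assumed.add((s, t))
    return all(matches(sig, x, g, y, assumed) for x, y in zip(s_succs, t_succs))


def scan(acfg, sig, root):
    """Addresses of an abstracted CFG at which the signature matches."""
    return sorted(a for a in acfg if matches(sig, root, acfg, a))


# Constructed samples: MALWARE is a decryption-style loop calling a helper,
# MUTATED has the same control structure with other registers, junk code and
# a different layout, BENIGN is a plain counting loop.
MALWARE = [
    (0x00, "mov", None), (0x01, "xor", None), (0x02, "call", 0x10),
    (0x03, "jcc", 0x00), (0x04, "jmp", 0x20),
    (0x10, "inc", None), (0x11, "ret", None),
    (0x20, "mov", None), (0x21, "ret", None),
]
MUTATED = [
    (0x100, "nop", None), (0x101, "push", None), (0x102, "mov", None),
    (0x103, "sub", None), (0x104, "call", 0x200),
    (0x105, "jcc", 0x100), (0x106, "jmp", 0x300),
    (0x200, "add", None), (0x201, "nop", None), (0x202, "ret", None),
    (0x300, "pop", None), (0x301, "ret", None),
]
BENIGN = [
    (0x00, "mov", None), (0x01, "add", None), (0x02, "jcc", 0x00),
    (0x03, "ret", None),
]

# Signature extracted automatically from the known sample's loop head.
SIG = extract_signature(abstract(build_cfg(MALWARE)), 0x00, depth=4)
```

Running `scan(abstract(build_cfg(MUTATED)), SIG, 0x00)` reports a hit at 0x100 even though no instruction or address of the original sample survives in the mutated one, while the benign loop yields no hit because its loop body branches with a jcc where the signature expects a call. Matching is ordered (taken edge before fall-through), so a signature also distinguishes which branch of a jcc loops back; a production engine would additionally bound signature size and index signatures for the many-to-many scan that the tree-automaton construction makes fast.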

Most malware are nowadays packed in order to protect themselves against analysis performed by computers or by humans. In order to cope with packing techniques, we have begun to study self-modifying programs from both a theoretical and a practical perspective; packers are a particular case of self-modifying programs. We have built a tool, TraceSurfer [31], [37], [43], based on instruction-level trace analysis and on a theoretical framework. In order to model self-modifying programs, we introduce the notion of pseudo-programs, for which the program text is not fixed with respect to the semantics. We then develop a type system which collects information at runtime (like tainting), but which also has the ability to predict information-flow properties (like traditional type systems). This leads us to explain the execution of a self-modifying program as a sequence of code waves. Next, we study non-interference-like properties. Then, we use this typing information to define behaviour patterns, which give a high-level description of, for example, decrypted or scrambled code. With these behaviour patterns we are able to classify binaries, to detect suspect runs, and to design security policies. TraceSurfer has been tested on thousands of binaries in large-scale experiments using the cluster of the LHS.
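To make the notion of code waves concrete, here is an added Python example (not TraceSurfer's code, and not the type system described above) that computes wave numbers from an instruction-level trace. The trace format (one executed address per line, followed by the addresses it wrote) is constructed for the example; a real tool would obtain these events from a PIN instrumentation run. The wave rule used here is an assumption of the example: code present at load time is wave 0, and code written by wave n and executed afterwards is wave n+1.

```python
"""Code waves from an instruction-level trace (added example, not
TraceSurfer's code).  Each trace line records the address executed and the
addresses it wrote, in a constructed format; a real tool would obtain them
from a PIN instrumentation run.  Wave 0 is the code present at load time and
wave n+1 is code written by wave n and executed afterwards, which is how a
packer's decryption stub and its unpacked payload are told apart."""
import re
from collections import defaultdict

# Constructed trace: a stub at 0x1000-0x1002 writes three bytes at 0x2000,
# jumps there, the unpacked code writes a further layer at 0x3000 and runs
# it, then control returns to the original stub.
TRACE = """\
pc=0x1000
pc=0x1001 w=0x2000
pc=0x1001 w=0x2001
pc=0x1001 w=0x2002
pc=0x1002
pc=0x2000
pc=0x2001 w=0x3000
pc=0x2002
pc=0x3000
pc=0x1000
"""

LINE = re.compile(r"pc=(0x[0-9a-fA-F]+)((?:\s+w=0x[0-9a-fA-F]+)*)")


def parse_trace(text):
    """Return a list of (pc, [written addresses]), one per executed instruction."""
    events = []
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # tolerate unrelated lines in a real trace
        pc = int(m.group(1), 16)
        writes = [int(w, 16) for w in re.findall(r"w=(0x[0-9a-fA-F]+)", m.group(2))]
        events.append((pc, writes))
    return events


def code_waves(events):
    """Assign a wave number to every executed instruction.

    writer_wave remembers, for each address, the wave of the instruction that
    last wrote it; executing an address that was never written is wave 0,
    executing one written by wave k is wave k+1.  Writes are recorded after
    the wave is assigned, so an instruction overwriting itself moves the next
    execution of that address up one wave."""
    writer_wave = {}
    waves = []
    for pc, writes in events:
        w = writer_wave[pc] + 1 if pc in writer_wave else 0
        waves.append((pc, w))
        for addr in writes:
            writer_wave[addr] = w
    return waves


def layers(waves):
    """Wave number -> sorted addresses executed in that wave."""
    by_wave = defaultdict(set)
    for pc, w in waves:
        by_wave[w].add(pc)
    return {w: sorted(pcs) for w, pcs in sorted(by_wave.items())}


def transitions(waves):
    """Consecutive wave changes, e.g. (0, 1) when control enters unpacked code."""
    out = []
    for (_, a), (_, b) in zip(waves, waves[1:]):
        if a != b:
            out.append((a, b))
    return out


def classify(waves):
    """Behaviour pattern: the number of layers is the highest wave reached.
    Under a W^X-style policy any wave above 0 is a run worth flagging."""
    depth = max(w for _, w in waves)
    return "not self-modifying" if depth == 0 else f"self-modifying, {depth} layer(s)"
```

On the constructed trace the wave sequence is 0,0,0,0,0,1,1,1,2,0: the stub is wave 0, the code it decrypted is wave 1, the second layer is wave 2, and the final return to 0x1000 is wave 0 again, since a wave is a property of who wrote the executed code, not of time. The transition list (0,1), (1,2), (2,0) is the kind of high-level description of a run from which behaviour patterns such as "two-layer unpacker" can be built.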

On a more theoretical level, and related to [52], Guillaume Bonfante, Jean-Yves Marion and Daniel Reynaud have proposed a new formalization of the notion of self-rewriting. To hide themselves from antivirus software, malware make heavy use of self-modification. In [24], we provide an operational semantics for an abstract programming language. We prove that both compilations, from non-self-modifying programs to self-modifying programs and, conversely, from self-modifying programs to non-self-modifying programs, can be performed. These compilation procedures are based on two theoretical constructions: the Rogers isomorphism and the Futamura projection.

We also work on behavioural analysis in order to detect malware; the idea is to detect a behaviour such as that of a keylogger. Again, our approach is to build a sound theory from which to derive solutions [20]. Lastly, we also propose an attack on electronic voting based on web browsers [21], [34].

In 2009, we pursued the construction of the high security lab (LHS) in order to run computer security experiments on a safe platform. The Madynes EPI is working with us on this project. There are currently two operational modules: a telescope and a "baby" cluster. Two equipped and secure rooms inside the Loria building will be devoted to the LHS.

