小型微型计算机系统 (Journal of Chinese Computer Systems): A Proof of the Soundness and Completeness of a Class of Malware Detection Algorithms




Code obfuscation changes the syntactic form of a malware byte sequence without significantly changing its execution behaviour, so it easily defeats signature-based detectors. Using abstract interpretation, this paper analyses, from the standpoint of program semantics, how well the semantics-based malware detection algorithm proposed by Gao et al. handles obfuscating transformations. The algorithm is first given a formal description, and an equivalent detector defined over trace semantics is then constructed. That trace-based detector is shown to be oracle-sound and oracle-complete with respect to the restricted class of obfuscating transformations that preserve the variant relation, which establishes the oracle-soundness and oracle-completeness of the algorithm of Gao et al. for the same class.
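The contrast the abstract draws, a syntactic signature defeated by semantics-preserving obfuscation versus a detector defined on an abstraction of trace semantics that the obfuscation class leaves unchanged, can be shown in miniature. The Python below is an added example written for this page; it is not the algorithm of Gao et al. and not the detector formalised in the paper. The toy register machine, the constructed programs MALWARE, BENIGN and LOOKALIKE, the three obfuscators, the finite input set TEST_INPUTS and the choice of "obfuscation class" as single and double applications of those obfuscators are all assumptions of the example.

```python
# Added illustration for this page, not the detector of Gao et al.:
# a byte-sequence-style signature detector next to a detector that compares an
# abstraction of trace semantics, both run against obfuscated variants of a toy
# "malware" program. Everything below (machine, programs, obfuscators, inputs)
# is constructed for the example.

# --- toy straight-line register machine ---------------------------------
# Instructions: ("set", r, imm)  r := imm
#               ("add", r, s)    r := r + s
#               ("sub", r, s)    r := r - s
#               ("out", r)       emit r (the only observable effect)
#               ("nop",)
# Register "x" holds the program input. Programs are straight-line, so every
# run terminates; a detector for real code would also have to bound execution.

def run(program, x):
    """Execute and return the observable trace: the tuple of OUT values."""
    regs = {"x": x}
    trace = []
    for ins in program:
        op = ins[0]
        if op == "set":
            regs[ins[1]] = ins[2]
        elif op == "add":
            regs[ins[1]] = regs.get(ins[1], 0) + regs.get(ins[2], 0)
        elif op == "sub":
            regs[ins[1]] = regs.get(ins[1], 0) - regs.get(ins[2], 0)
        elif op == "out":
            trace.append(regs.get(ins[1], 0))
        elif op != "nop":
            raise ValueError(f"unknown opcode {op!r}")
    return tuple(trace)

# Constructed programs. MALWARE emits 2x then 2x-1; BENIGN shares its prefix;
# LOOKALIKE has MALWARE's exact opcode sequence but different behaviour.
MALWARE = [("add", "x", "x"), ("out", "x"), ("set", "y", 1), ("sub", "x", "y"), ("out", "x")]
BENIGN = [("add", "x", "x"), ("out", "x")]
LOOKALIKE = [("add", "x", "x"), ("out", "x"), ("set", "y", 2), ("sub", "x", "y"), ("out", "x")]

# --- three behaviour-preserving obfuscating transformations ----------------
def insert_nops(program):
    """NOP insertion: a nop before every instruction."""
    return [i for ins in program for i in (("nop",), ins)]

def insert_dead_stores(program, reg="z"):
    """Dead-code insertion: writes to a register that is never emitted."""
    return [i for n, ins in enumerate(program)
            for i in (ins, ("set", reg, n), ("add", reg, reg))]

def substitute_sets(program, tmp="w"):
    """Instruction substitution: 'set r k' becomes 'set r k+1; set w 1; sub r w'.
    Assumes the program never reads w; sets to w are left alone so the
    transformation composes with itself."""
    out = []
    for ins in program:
        if ins[0] == "set" and ins[1] != tmp:
            out += [("set", ins[1], ins[2] + 1), ("set", tmp, 1), ("sub", ins[1], tmp)]
        else:
            out.append(ins)
    return out

OBFUSCATORS = (insert_nops, insert_dead_stores, substitute_sets)

def variants(program):
    """The obfuscation class used here: every single and double application."""
    vs = []
    for f in OBFUSCATORS:
        vs.append(f(program))
        vs.extend(g(f(program)) for g in OBFUSCATORS)
    return vs

# --- detector 1: syntactic signature (the malware's contiguous opcode sequence)
def opcodes(program):
    return tuple(ins[0] for ins in program)

SIGNATURE = opcodes(MALWARE)

def signature_detector(program, signature=SIGNATURE):
    ops, n = opcodes(program), len(signature)
    return any(ops[i:i + n] == signature for i in range(len(ops) - n + 1))

# --- detector 2: abstraction of trace semantics ---------------------------
TEST_INPUTS = (0, 1, 7, -3)   # constructed finite stand-in for "all inputs"

def abstract_semantics(program, inputs=TEST_INPUTS):
    """The abstraction: the observable trace for each test input. Register
    contents, instruction count and layout are abstracted away, which is
    exactly what the three obfuscators above change."""
    return tuple(run(program, x) for x in inputs)

ORACLE = abstract_semantics(MALWARE)

def trace_detector(program, oracle=ORACLE):
    return abstract_semantics(program) == oracle

def evaluate():
    """Tally both detectors over the variant class, the benign program and the
    look-alike. Returns a dict so the result can be checked, not only printed."""
    vs = variants(MALWARE)
    return {
        "variants": len(vs),
        "signature_detects": sum(signature_detector(v) for v in vs),
        "trace_detects": sum(trace_detector(v) for v in vs),
        "signature_flags_benign": signature_detector(BENIGN),
        "trace_flags_benign": trace_detector(BENIGN),
        "signature_flags_lookalike": signature_detector(LOOKALIKE),
        "trace_flags_lookalike": trace_detector(LOOKALIKE),
    }

if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Run as a script to print the tally. The signature detector misses all twelve variants and flags LOOKALIKE, whose opcode sequence matches but whose behaviour differs; the trace detector flags exactly the variants and nothing else. What makes this work is the same shape of condition the paper isolates in general: the guarantee holds for a class of transformations that preserve the relation the detector's abstraction observes. A transformation outside that class (one that re-encodes the emitted values, say) is not covered, and because the abstraction here is taken over a fixed finite input set, equal abstract traces are evidence of equivalence only on those inputs.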




