from one binary
• Plus a bit of steganography
• Exploit overlaps in instruction set binary formats
• First work done by DJB Research team at Carnegie Mellon University
Wednesday, 13 June 12

Compile list of semantic NOP instructions
• Instructions which are semantically equivalent to a sequence of NOP instructions
• Get list of jump instructions

form semantic NOP then jump
• Find their binary form
• Find the ones which match between architectures
• Focussed on safe sequences
• No modification of state

MIPS, X86 and XS1
• XS1 is novel
• Recreated part of the existing PIP research
• Created new PIP headers
• Looked at steganographic effectiveness

not care about what value that nibble contains
• If we do not use don’t care symbols the complexities get horrific
• KB becomes MB becomes GB
• Hours become days

If we make the rt register zero this is always a semantic NOP
• If we enumerated each we’d have 2,097,152 semantic NOPs
• Or we use don’t cares and this becomes 16
• 2 bits in second nibble
• 3 bits in third nibble

in:
• Obfuscation (dead code addition)
• Polymorphic malware (and anti-malware)
• Assemblers (GAS)
• No publicly available database
• Now there is one on GitHub

very rarely in the wild
• No more than random code
• If a program were constructed from repeated gadgets it would stick out
• Detector counts PIP headers
• If there is a significant number, suspect the program is a PIP

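The don’t-care encoding from the earlier slides, the cross-architecture overlap search, and the header-counting detector on this slide can all be built on one small pattern type. The following is an added example written for this page; it is not code from the talk or from the original PIP research. It assumes the standard MIPS I-type layout (opcode in bits 31–26, rs in 25–21, rt in 20–16, immediate in 15–0), uses `addiu $zero, rs, imm` as the rt-equals-zero semantic NOP, and treats a second architecture as a hypothetical, constructed pattern rather than a real ISA. The sample code blobs and the detection threshold are constructed for illustration. Counting the free bits of the MIPS pattern reproduces the 2,097,152 figure quoted on the slide.

```python
# Added example, not from the slides: bit-level "don't care" patterns for
# semantic-NOP encodings, pattern intersection across architectures, and a
# toy detector that counts PIP-style header words in a code blob.
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class Pattern:
    """32-bit instruction pattern. `mask` has a 1 for every fixed bit and a 0
    for every "don't care" bit; `value` holds the fixed bits' values."""
    name: str
    value: int
    mask: int

    def matches(self, word: int) -> bool:
        return (word & self.mask) == (self.value & self.mask)

    def free_bits(self) -> int:
        return 32 - bin(self.mask & 0xFFFFFFFF).count("1")

    def concrete_count(self) -> int:
        # Number of distinct encodings the pattern stands for.
        return 1 << self.free_bits()

    def expand(self) -> Iterator[int]:
        # Enumerate every concrete encoding; only sane for small free_bits().
        free = [i for i in range(32) if not (self.mask >> i) & 1]
        for n in range(1 << len(free)):
            word = self.value & self.mask
            for k, bit in enumerate(free):
                if (n >> k) & 1:
                    word |= 1 << bit
            yield word

    def nibbles(self) -> str:
        # Hex rendering with 'x' for any nibble that contains a free bit.
        out = []
        for i in range(7, -1, -1):
            m = (self.mask >> (i * 4)) & 0xF
            v = (self.value >> (i * 4)) & 0xF
            out.append(f"{v:X}" if m == 0xF else "x")
        return "".join(out)


def mips_itype_rt_zero(opcode: int) -> Pattern:
    """MIPS I-type layout: opcode[31:26] rs[25:21] rt[20:16] imm[15:0].
    Fixing rt = $zero sends the result to the hardwired zero register, so
    any rs and any imm give a semantic NOP: those 21 bits are don't cares."""
    value = (opcode & 0x3F) << 26
    mask = (0x3F << 26) | (0x1F << 16)
    return Pattern(f"mips-op{opcode:#04x}-rt0", value, mask)


def intersect(p: Pattern, q: Pattern) -> Optional[Pattern]:
    """Pattern matching both p and q, or None if their fixed bits clash.
    This is the overlap search: encodings that are safe on two ISAs at once."""
    if (p.value ^ q.value) & p.mask & q.mask:
        return None
    return Pattern(f"{p.name}&{q.name}",
                   (p.value & p.mask) | (q.value & q.mask), p.mask | q.mask)


def count_headers(code: bytes, patterns: List[Pattern], fmt: str = ">I") -> int:
    """Count aligned 32-bit words matching any header pattern."""
    hits = 0
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from(fmt, code, off)
        if any(p.matches(word) for p in patterns):
            hits += 1
    return hits


def looks_like_pip(code: bytes, patterns: List[Pattern], threshold: float = 0.1) -> bool:
    """Flag a blob when the density of header words exceeds the threshold."""
    return count_headers(code, patterns) / max(len(code) // 4, 1) >= threshold


ADDIU_RT0 = mips_itype_rt_zero(0x09)   # addiu $zero, $rs, imm16

# Hypothetical second-architecture pattern (constructed, not a real ISA):
# only the top nibble is fixed, everything else is don't care.
OTHER_ARCH_NOP = Pattern("hypothetical-arch-nop", 0x20000000, 0xF0000000)


def be32(*words: int) -> bytes:
    return b"".join(struct.pack(">I", w) for w in words)


# Constructed samples: an ordinary-looking MIPS prologue/epilogue, and a blob
# built from repeated (semantic NOP, jump) header pairs.
SAMPLE_NORMAL = be32(0x27BDFFE0, 0xAFBF001C, 0x3C1C0000, 0x03E00008)
SAMPLE_PIP = be32(0x24000005, 0x08000010, 0x24000000, 0x08000020,
                  0x24001234, 0x08000030)

if __name__ == "__main__":
    print(ADDIU_RT0.nibbles(), ADDIU_RT0.concrete_count())
    print(intersect(ADDIU_RT0, OTHER_ARCH_NOP))
    print(count_headers(SAMPLE_NORMAL, [ADDIU_RT0]),
          count_headers(SAMPLE_PIP, [ADDIU_RT0]))
```

`nibbles()` shows why the slide's complexity remark holds: a field that straddles a hex digit turns the whole digit into a don't care, so the pattern is compact but covers millions of concrete words, and `expand()` is only worth calling once most bits are pinned. `count_headers()` scans aligned words only; a real detector for a variable-length ISA would have to consider every byte offset and disassemble, which is the static-analysis cost the next slide refers to.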
I always used safe PIPs
• No modification of state
• But if you were to allow modifying state you would get more PIPs
• Should be harder to write a detector
• Requires static analysis