Leave it to Weaver

William Mahoney; Joseph Franco; Greg Hoff; J. Todd McDonald

doi:10.1145/3289239.3291459

Leave it to Weaver

William Mahoney, Joseph Franco, Greg Hoff, J. Todd McDonald

Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Malware authors make use of several techniques to obfuscate code from reverse engineering tools such as IdaPro. Typically, these techniques tend to be effective for about three to six instructions, but eventually the tools can properly disassemble the remaining code once the tool is again synchronized with the operation codes. But this loss of synchronization can be used to hide information within the instructions – steganography. Our research explores an approach to this by presenting “Weaver”, a framework for executable steganography. “Weaver” differs from other techniques in how it hides malicious instructions: the hiding instructions are prepared by generating an assembly listing of the program and finding candidate hiding locations, the steganography instructions are prepared by creating an assembly listing of the program to obtain the operation codes to be hidden, and the “weaving” process merges the two. This “weaving” attempts to place all the steganography instructions into candidate locations found in the hiding instructions.

Original language	English (US)
Title of host publication	Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450360968
DOIs	https://doi.org/10.1145/3289239.3291459
State	Published - Dec 3 2018
Event	8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018 - San Juan, United States Duration: Dec 3 2018 → Dec 4 2018

Publication series

Name	ACM International Conference Proceeding Series

Other

Other	8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018
Country/Territory	United States
City	San Juan
Period	12/3/18 → 12/4/18

Keywords

Information retrieval
Reverse engineering
Steganography

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/3289239.3291459

Cite this

Mahoney, W, Franco, J, Hoff, G & McDonald, JT 2018, Leave it to Weaver. in Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018. ACM International Conference Proceeding Series, Association for Computing Machinery, 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018, San Juan, United States, 12/3/18. https://doi.org/10.1145/3289239.3291459

@inproceedings{cc6826179b17429fa94bdbdd9a763799,

title = "Leave it to Weaver",

abstract = "Malware authors make use of several techniques to obfuscate code from reverse engineering tools such as IdaPro. Typically, these techniques tend to be effective for about three to six instructions, but eventually the tools can properly disassemble the remaining code once the tool is again synchronized with the operation codes. But this loss of synchronization can be used to hide information within the instructions – steganography. Our research explores an approach to this by presenting “Weaver”, a framework for executable steganography. “Weaver” differs from other techniques in how it hides malicious instructions: the hiding instructions are prepared by generating an assembly listing of the program and finding candidate hiding locations, the steganography instructions are prepared by creating an assembly listing of the program to obtain the operation codes to be hidden, and the “weaving” process merges the two. This “weaving” attempts to place all the steganography instructions into candidate locations found in the hiding instructions.",

keywords = "Information retrieval, Reverse engineering, Steganography",

author = "William Mahoney and Joseph Franco and Greg Hoff and McDonald, {J. Todd}",

note = "Funding Information: This work is partially funded by National Science Foundation awards 1811560 and 1811578 in the NSF 17-576 Secure and Trustworthy Cyberspace (SaTC) program. Publisher Copyright: {\textcopyright} 2018 Association for Computing Machinery.; 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018 ; Conference date: 03-12-2018 Through 04-12-2018",

year = "2018",

month = dec,

day = "3",

doi = "10.1145/3289239.3291459",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018",

}

TY - GEN

T1 - Leave it to Weaver

AU - Mahoney, William

AU - Franco, Joseph

AU - Hoff, Greg

AU - McDonald, J. Todd

N1 - Funding Information: This work is partially funded by National Science Foundation awards 1811560 and 1811578 in the NSF 17-576 Secure and Trustworthy Cyberspace (SaTC) program. Publisher Copyright: © 2018 Association for Computing Machinery.

PY - 2018/12/3

Y1 - 2018/12/3

N2 - Malware authors make use of several techniques to obfuscate code from reverse engineering tools such as IdaPro. Typically, these techniques tend to be effective for about three to six instructions, but eventually the tools can properly disassemble the remaining code once the tool is again synchronized with the operation codes. But this loss of synchronization can be used to hide information within the instructions – steganography. Our research explores an approach to this by presenting “Weaver”, a framework for executable steganography. “Weaver” differs from other techniques in how it hides malicious instructions: the hiding instructions are prepared by generating an assembly listing of the program and finding candidate hiding locations, the steganography instructions are prepared by creating an assembly listing of the program to obtain the operation codes to be hidden, and the “weaving” process merges the two. This “weaving” attempts to place all the steganography instructions into candidate locations found in the hiding instructions.

AB - Malware authors make use of several techniques to obfuscate code from reverse engineering tools such as IdaPro. Typically, these techniques tend to be effective for about three to six instructions, but eventually the tools can properly disassemble the remaining code once the tool is again synchronized with the operation codes. But this loss of synchronization can be used to hide information within the instructions – steganography. Our research explores an approach to this by presenting “Weaver”, a framework for executable steganography. “Weaver” differs from other techniques in how it hides malicious instructions: the hiding instructions are prepared by generating an assembly listing of the program and finding candidate hiding locations, the steganography instructions are prepared by creating an assembly listing of the program to obtain the operation codes to be hidden, and the “weaving” process merges the two. This “weaving” attempts to place all the steganography instructions into candidate locations found in the hiding instructions.

KW - Information retrieval

KW - Reverse engineering

KW - Steganography

UR - http://www.scopus.com/inward/record.url?scp=85059910230&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85059910230&partnerID=8YFLogxK

U2 - 10.1145/3289239.3291459

DO - 10.1145/3289239.3291459

M3 - Conference contribution

AN - SCOPUS:85059910230

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018

PB - Association for Computing Machinery

T2 - 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2018

Y2 - 3 December 2018 through 4 December 2018

ER -

Leave it to Weaver

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this