Partial Evaluation for Java Malware Detection

Singh, Ranjeet; King, Andy

doi:10.1007/978-3-319-17822-6_8

Ranjeet Singh¹⁵ &
Andy King¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 8981))

Included in the following conference series:

International Symposium on Logic-Based Program Synthesis and Transformation

577 Accesses
1 Citations

Abstract

The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. To circumvent detection by anti-virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Rapid 7. Java Applet JMX Remote Code Execution (2013)
Google Scholar
Rapid 7. Metasploit (2014)
Google Scholar
Andersen, L.: Binding-time analysis and the taming of C pointers. In: PEPM, pp. 47–58. ACM (1993)
Google Scholar
Braux, M., Noyé, J.: Towards partially evaluating reflection in Java. In: PEPM, pp. 2–11. ACM (2000)
Google Scholar
Christodorescu, M., Jha, S., Kinder, J., Katzenbeisser, S., Veith, H.: Software transformations to improve malware detection. J. Comput. Virol. 3(4), 253–265 (2007)
Article Google Scholar
Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley, Boston (2009)
Google Scholar
Dalla Preda, M., Christodorescu, M., Jha, S., Debray, S.: A Semantics-based Approach to Malware Detection. ACM TOPLAS, 30 (2008)
Google Scholar
Einarsson, A., Nielsen, J.D.: A Survivor’s Guide to Java Program Analysis with Soot. Technical report (2008)
Google Scholar
Flexeder, A., Petter, M., Seidl, H.: Side-effect analysis of assembly code. In: Yahav, E. (ed.) Static Analysis. LNCS, vol. 6887, pp. 77–94. Springer, Heidelberg (2011)
Chapter Google Scholar
Giacobazzi, R., Jones, N.D., Mastroeni, I.: Obfuscation by partial evaluation of distorted interpreters. In: PEPM, pp. 63–72. ACM (2012)
Google Scholar
Hirzel, M., Diwan, A., Hind, M.: Pointer analysis in the presence of dynamic class loading. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 96–122. Springer, Heidelberg (2004)
Chapter Google Scholar
Livshits, B., Whaley, J., Lam, M.S.: Reflection analysis for Java. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 139–160. Springer, Heidelberg (2005)
Chapter Google Scholar
McCabe, T.J.: A complexity measure. IEEE Trans. Softw. Eng. 2(4), 308–320 (1976)
Article MATH MathSciNet Google Scholar
National Institute of Standards and Technology. Vulnerability Summary for CVE-2013-3346 (2013)
Google Scholar
OWASP. Metasploit Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681) (2013)
Google Scholar
Park, J.-G., Lee, A.H.: Removing reflection from Java Programs using partial evaluation. In: Matsuoka, S. (ed.) Reflection 2001. LNCS, vol. 2192, pp. 274–275. Springer, Heidelberg (2001)
Chapter Google Scholar
Schlumberger, J., Kruegel, C., Vigna, G.: Jarhead: analysis and detection of malicious Java applets. In: ACSAC, pp. 249–257. ACM (2012)
Google Scholar
Shali, A., Cook, W.R.: Hybrid partial evaluation. In: OOPSLA, pp. 375–390. ACM (2011)
Google Scholar
Sistemas, H.: VirusTotal Analyses Suspicious Files and URLs (2014). https://www.virustotal.com/
Valleé Rai, R., Hendren, L.J.: Jimple: Simplifying Java Bytecode for Analyses and Transformations. Technical report TR-1998-4. McGill University (1998)
Google Scholar

Download references

Author information

Authors and Affiliations

School of Computing, University of Kent, Kent, CT2 7NF, UK
Ranjeet Singh & Andy King

Authors

Ranjeet Singh
View author publications
You can also search for this author in PubMed Google Scholar
Andy King
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Andy King .

Editor information

Editors and Affiliations

IASI-CNR, Rome, Italy
Maurizio Proietti
Nagoya Institute of Technology, Nagoya, Japan
Hirohisa Seki

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Singh, R., King, A. (2015). Partial Evaluation for Java Malware Detection. In: Proietti, M., Seki, H. (eds) Logic-Based Program Synthesis and Transformation. LOPSTR 2014. Lecture Notes in Computer Science(), vol 8981. Springer, Cham. https://doi.org/10.1007/978-3-319-17822-6_8

Download citation

DOI: https://doi.org/10.1007/978-3-319-17822-6_8
Published: 23 April 2015
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17821-9
Online ISBN: 978-3-319-17822-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics