Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

Návrh rekonfigurovatelného dekompilátoru pro statickou, platformě nezávislou analýzu škodlivého kódu

conference paper

English

Ďurfina Lukáš, Ing., Ph.D.
Křoustek Jakub, Ing., Ph.D.
Zemek Petr, Ing., Ph.D.
Kolář Dušan, doc. Dr. Ing. (DIFS)
Hruška Tomáš, prof. Ing., CSc. (DIFS)
Masařík Karel, Ing., Ph.D. (CM-SDE)
Meduna Alexandr, prof. RNDr., CSc. (DIFS)

• http://link.springer.com/chapter/10.1007%2F978-3-642-23141-4_8

decompilation, reverse engineering, malware, LLVM, Lissom, ISAC

Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application - the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.

2011

72–86

The 5th International Conference on Information Security and Assurance

Communications in Computer and Information Science, Volume 200

978-3-642-23140-7

Springer Verlag

Brno

10.1007/978-3-642-23141-4_8