Semantics-aware malware detection

TL;DR: Experimental evaluation demonstrates that the malware-detection algorithm can detect variants of malware with a relatively low run-time overhead and the semantics-aware malware detection algorithm is resilient to common obfuscations used by hackers.

Abstract: A malware detector is a system that attempts to determine whether a program has malicious intent. In order to evade detection, malware writers (hackers) frequently use obfuscation to morph malware. Malware detectors that use a pattern-matching approach (such as commercial virus scanners) are susceptible to obfuscations used by hackers. The fundamental deficiency in the pattern-matching approach to malware detection is that it is purely syntactic and ignores the semantics of instructions. In this paper, we present a malware-detection algorithm that addresses this deficiency by incorporating instruction semantics to detect malicious program traits. Experimental evaluation demonstrates that our malware-detection algorithm can detect variants of malware with a relatively low run-time overhead. Moreover our semantics-aware malware detection algorithm is resilient to common obfuscations used by hackers.

Full text

Randal E. Bryant
Publications
Books and Book Chapters
R. E. Bryant, “Binary Decision Diagrams,” Handbook of Model Checking, E. M. Clarke, T. A. Henzinger,
H. Veith, and R. Bloem, eds., Springer, 2018, pp. 191–218, Available as
http://www.cs.cmu.edu/˜bryant/pubdir/hmc-bdd18.pdf.
R. E. Bryant, and D. R. O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition,
Prentice-Hall, 2015. More information available at http://csapp.cs.cmu.edu/.
R. E. Bryant, and D. R. O’Hallaron, Computer Systems: A Programmer’s Perspective, Second Edition,
Prentice-Hall, 2011. More information available at http://csapp.cs.cmu.edu/.
R. E. Bryant, and J. H. Kukula, “Formal Methods for Functional Verification,” in The Best of ICCAD: 20
Years of Excellence in Computer-Aided Design, A. Kuehlmann, ed. Kluwer Academic Publishers, 2003,
pp. 3–16. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/iccad-best02.pdf.
R. E. Bryant, and D. R. O’Hallaron, Computer Systems: A Programmer’s Perspective, Prentice-Hall, 2003.
R. E. Bryant, and C. Meinel, “Ordered Binary Decision Diagrams,” in Logic Synthesis and Verification, S.
Hassoun and T. Sasao, eds., Kluwer Academic Publishers, 2001.
R. E. Bryant, ed., Proceedings of the Third Caltech Conference on Very Large Scale Integration, Computer
Science Press, March, 1983.
R. E. Bryant and J. B. Dennis, “Concurrent Programming,” in Research Directions in Software Technology,
P. Wegner, ed., MIT Press, June, 1979, pp. 584–610. Revised version in Operating Systems Engineer-
ing, Lecture Notes in Computer Science 143, M. Maekawa and L. A. Belady, eds., Springer-Verlag, 1982,
pp. 426–451. Electronic version available as
http://www.cs.cmu.edu/˜bryant/pubdir/MIT-CSG-148-2.pdf.
Refereed Journal and Book Articles
R. E. Bryant, “Chain Reduction for Binary and Zero-Suppressed Decision Diagrams,” Journal of Automated
Reasoning, Vol. 64, No. 7 (2020), pp. 81–98. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/jar20.pdf.
R. E. Bryant, “Data-Intensive Scalable Computing for Scientific Applications,” IEEE Computing in Science
and Engineering, Vol. 13, No. 6 (2011), pp. 25–33.
R. E. Bryant, D. Kroening, J. Ouaknine, S. A. Seshia, O. Strichman, and B. Brady, “An Abstraction-Based
Decision Procedure for Bit-Vector Arithmetic,” International Journal of Software Tools for Technology,
Springer-Verlag Vol. 11, No. 2 (April, 2009), pp. 95–104.
R. M. Jensen, M. M. Veloso, and R. E. Bryant, “State-Set Branching: Leveraging BDDs for Heuristic
Search,” Artificial Intelligence, Vol. 172, Issues 2–3 (February, 2008), pp. 103–139. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/aij07.pdf.
1

S. K. Lahiri, and R. E. Bryant, “Predicate Abstraction with Indexed Predicates,” ACM Transactions on
Computational Logic, Vol. 9, No. 1 (Dec., 2007). Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tocl06.pdf.
S. A. Seshia, K. Subramani, and R. E. Bryant, “On Solving Boolean Combinations of UTVPI Constraints,”
Journal of Satisfiability, Boolean Modeling and Computation, Vol. 3 (2007), pp. 67–90. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/jsat07.pdf.
M. N. Velev, and R. E. Bryant, “TLSim and EVC: A Term-Level Symbolic Simulator and an Efficient
Decision Procedure for the Logic of Equality with Uninterpreted Functions and Memories,” International
Journal of Embedded Systems, Vol. 1, No. 1/2 (2005), pp. 134–149. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/ijes05.pdf.
S. A. Seshia, and R. E. Bryant, “Deciding Quantifier-Free Presburger Formulas Using Parameterized Solu-
tion Bounds,” Logical Methods in Computer Science, Vol. 1, Issue 2, Paper 7 (December, 2005). Available
as
http://www.cs.cmu.edu/˜bryant/pubdir/lmcs05.pdf.
M. N. Velev, and R. E. Bryant, “Effective Use of Boolean Satisfiability Procedures in the Formal Verification
of Superscalar and VLIW Microprocessors,” Journal of Symbolic Computation. Vol. 35, No. 2 (February,
2003), pp. 73–106. Submitted version available as
http://www.cs.cmu.edu/˜bryant/pubdir/jsc03.pdf.
R. E. Bryant and M. N. Velev, “Boolean Satisfiability with Transitivity Constraints,” ACM Transactions on
Computational Logic, Vol. 3, No. 4 (October, 2002). Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tocl-trans01.pdf.
Y.-A. Chen, and R. E. Bryant, “An Efficient Graph Representation for Arithmetic Circuit Verification,” IEEE
Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 20, No. 12 (December,
2001), pp. 1442–1454. Winner of 2003 IEEE CAD Transactions Best Paper Award. Preprint version avail-
able as
http://www.cs.cmu.edu/˜bryant/pubdir/tcad01-chen.pdf.
R. E. Bryant, and Y.-A. Chen, “Verification of Arithmetic Circuits Using Binary Moment Diagrams,” Soft-
ware Tools for Technology Transfer, Springer-Verlag, Vol. 3, No. 2 (May, 2001), pp. 137–155. Submitted
version available as
http://www.cs.cmu.edu/˜bryant/pubdir/sttt-submit.pdf.
C. B. McDonald and R. E. Bryant, “CMOS Circuit Verification with Symbolic Switch-Level Timing Sim-
ulation,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 20, No. 3
(March , 2001), pp. 458–474. Preprint version available as
http://www.cs.cmu.edu/˜bryant/pubdir/tcad01.pdf.
R. E. Bryant, S. German, M. N. Velev, “Processor Verification Using Efficient Reductions of the Logic of
Uninterpreted Functions to Propositional Logic,” ACM Transactions on Computational Logic, Vol. 2, No. 1
(January, 2001). Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tocl01.pdf.
M. Pandey, and R. E. Bryant, “Exploiting symmetry when verifying transistor-level circuits by symbolic
trajectory evaluation,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,
Vol. 18, No. 7 (July, 1999), pp. 918–935. Winner of 2001 IEEE Circuits and Systems Society Outstanding
Young Author Award. Preprint version available as
2

http://www.cs.cmu.edu/˜bryant/pubdir/tcad99.pdf.
C.-J. H. Seger, and R. E. Bryant, “Formal Verification by Symbolic Evaluation of Partially-Ordered Tra-
jectories,” Formal Methods in System Design, Vol. 6, No. 2 (March, 1995), pp. 147–190. Preprint version
available as
http://www.cs.cmu.edu/˜bryant/pubdir/fmsd95.pdf.
R. E. Bryant, J. D. Tygar, and L. P. Huang, “Geometric Characterization of Series-Parallel Variable Resistor
Networks,” IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, Vol. 41,
No. 11 (November, 1994), pp. 686–698. Manuscript version available as
http://www.cs.cmu.edu/˜bryant/pubdir/tcas94.pdf.
L. P. Huang, and R. E. Bryant, “Intractability in Linear Switch-Level Simulation,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits and Systems, Vol. 12, No. 6 (June, 1993), pp. 829–836.
R. E. Bryant, “Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams,” ACM Computing
Surveys, Vol. 24, No. 3 (September, 1992), pp. 293–318. Preprint version published as CMU Technical
Report CMU-CS-92-160,
http://www.cs.cmu.edu/˜bryant/pubdir/CMU-CS-92-160.pdf. Also available
as
http://www.cs.cmu.edu/˜bryant/pubdir/acmcs92.pdf
S. A. Kravitz, R. E. Bryant, and R. A. Rutenbar, “Massively Parallel Switch-Level Simulation: A Feasibility
Study,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 10, No. 7
(July, 1991) pp. 871–894.
R. E. Bryant, “A Methodology for Hardware Verification Based on Logic Simulation,” J.ACM, Vol. 38,
No. 2 (April, 1991), pp. 299–328. Preprint available as
http://www.cs.cmu.edu/˜bryant/pubdir/jacm91.pdf.
R. E. Bryant, “On the Complexity of VLSI Implementations and Graph Representations of Boolean Func-
tions with Application to Integer Multiplication,” IEEE Transactions on Computers, Vol. 40, No. 2 (Febru-
ary, 1991), pp. 205–213. Preprint available as
http://www.cs.cmu.edu/˜bryant/pubdir/ieeetc91.pdf.
R. E. Bryant, “Formal Verification of Memory Circuits by Switch-Level Simulation,” IEEE Transactions
on Computer-Aided Design of Integrated Circuits and Systems, Vol. 10, No. 1 (January, 1991), pp. 94–102.
Preprint available as
http://www.cs.cmu.edu/˜bryant/pubdir/tcad91.pdf.
D. L. Beatty, and R. E. Bryant, “Incremental Switch-Level Analysis,” IEEE Design and Test of Computers,
Vol. 5, No. 6 (December, 1988), pp. 33–42.
R. E. Bryant, “A Survey of Switch-Level Algorithms,” IEEE Design and Test of Computers, Vol. 4, No. 4
(August, 1987), pp. 26–40.
R. E. Bryant, “Algorithmic Aspects of Symbolic Switch Network Analysis,” IEEE Transactions on Computer-
Aided Design of Integrated Circuits and Systems, Vol. CAD-6, No. 4 (July, 1987), pp. 618–633. Winner of
1987 IEEE CAD Transactions Best Paper Award, and the 1989 IEEE W. R. G. Baker Award. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tcad87a.pdf.
R. E. Bryant, “Boolean Analysis of MOS Circuits,” IEEE Transactions on Computer-Aided Design of Inte-
grated Circuits and Systems, Vol. CAD-6, No. 4 (July, 1987), pp. 634–649. Winner of the IEEE W. R. G.
Baker Award. Available as
3

http://www.cs.cmu.edu/˜bryant/pubdir/tcad87b.pdf.
R. E. Bryant, “Graph-Based Algorithms for Boolean Function Manipulation,” IEEE Transactions on Com-
puters, Vol. C-35, No. 8 (August, 1986), pp. 677–691. Reprinted in M. Yoeli, Formal Verification of Hard-
ware Design, IEEE Computer Society Press, 1990, pp. 253–267. Electronic version with annotations avail-
able as
http://www.cs.cmu.edu/˜bryant/pubdir/ieeetc86.pdf.
W. J. Dally and R. E. Bryant, “A Hardware Architecture for Switch-Level Simulation,” IEEE Transactions
on Computer-Aided Design of Integrated Circuits and Systems, Vol. CAD-4, No. 3 (July, 1985), pp. 239–
249.
R. E. Bryant, “A Switch-Level Model and Simulator for MOS Digital Systems,” IEEE Transactions on
Computers, Vol. C-33, No. 2 (February, 1984), pp. 160–177.
Refereed Conference Articles
R. E. Bryant, A. Biere, and M. J. H. Heule, “Clausal Proofs for Pseudo-Boolean Reasoning,” Tools and
Algorithms for the Construction and Analysis of Systems TACAS 2022, LNCS 12651, April, 2022. Available
as
http://www.cs.cmu.edu/˜bryant/pubdir/tacas22-bbh.pdf.
J. E. Reeves, M. J. H. Heule, and R. E. Bryant, “Moving Definition Variables in Quantified Boolean Formu-
las,” Tools and Algorithms for the Construction and Analysis of Systems TACAS 2022, LNCS 12651, April,
2022. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tacas22-rhb.pdf.
R. E. Bryant and M. J. H. Heule, “Dual Proof Generation for Quantified Boolean Formulas with a BDD-
Based Solver,” Computer-Aided Deduction CADE 2021, LNAI 12699, July, 2021, pp. 433–449. Available
as
http://www.cs.cmu.edu/˜bryant/pubdir/cade21.pdf.
R. E. Bryant and M. J. H. Heule, “Generating Extended Resolution Proofs with a BDD-Based SAT Solver,”
Tools and Algorithms for the Construction and Analysis of Systems TACAS 2021, LNCS 12651, April, 2021,
pp. 76–93. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tacas21.pdf.
R. E. Bryant, “Chain Reduction for Binary and Zero-Suppressed Decision Diagrams,” Tools and Algorithms
for the Construction and Analysis of Systems TACAS 2018, LNCS 10805, April, 2018, pp. 81–98. Available
as
http://www.cs.cmu.edu/˜bryant/pubdir/tacas18.pdf.
B. P. Railing, and R. E. Bryant, “Implementing Malloc: Students and Systems Programming,” 49th ACM
Technical Symposium on Computer Science Education SIGCSE 2018, February, 2018. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/sigcse18.pdf.
R. M. Fujimoto, R. Bagrodia, R. E. Bryant, K. M. Chandy, D. Jefferson, J. Misra, D. Nicol, and B. Unger,
“Parallel Discrete Event Simulation: The Making of a Field,” Winter Simulation Conference 2017, Decem-
ber, 2017. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/wsc17.pdf
H. Cui, J.
ˇ
Sim
ˇ
sa, Y.-H. Ling, H. Li, B. Blum, X. Xu, J. Yang, G. A. Gibson, and R. E. Bryant, “PARROT:
4

A Practical Runtime for Deterministic, Stable, and Reliable Threads,” 24th ACM Symposium on Operating
Systems Principles, 2013.
J.
ˇ
Sim
ˇ
sa, R. Bryant, G. A. Gibson, and J. Hickey, “Scalable Dynamic Partial Order Reduction,” 3rd Inter-
national Conference on Runtime Verification, 2012.
B. A. Brady, R. E. Bryant, and S. A. Seshia, “Learning Conditional Abstractions,” Formal Methods in
Computer-Aided Design, October, 2011, pp. 116–124. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/fmcad11.pdf
J.
ˇ
Sim
ˇ
sa, G. A. Gibson, and R. E. Bryant, “dBug: Systematic Testing of Unmodified Distributed and Multi-
Threaded Programs,” 18th International Workshop on Model Checking of Softare (SPIN ’11), 2011.
B. A. Brady, R. E. Bryant, S. A. Seshia, and J. W. O’Leary, “ATLAS: Automatic Term-Level Abstraction of
RTL Designs,” Eighth ACM/IEEE International Conference on Formal Methods and Models for Codesign
(MEMOCODE), July, 2010. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/memocode10.pdf.
R. E. Bryant, D. Kroening, J. Ouaknine, S. A. Seshia, O. Strichman, and B. Brady, “Deciding Bit-Vector
Arithmetic with Abstraction,” Tools and Algorithms for the Construction and Analysis of Systems TACAS 2007,
April, 2007. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/tacas07.pdf.
M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, “Semantics Aware Malware Detection,”
IEEE Symposium on Security and Privacy, May, 2005, pp. 32–46. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/oakland05.pdf.
V. Ganapathy, S. A. Seshia, S. Jha, T. W. Reps, and R. E. Bryant, “Automatic Discovery of API-Level
Exploits,” International Conference on Software Engineering ICSE 05, May, 2005, pp. 312–321. Available
as
http://www.cs.cmu.edu/˜bryant/pubdir/icse05.pdf.
S. A. Seshia, R. E. Bryant, and K. S. Stevens, “Modeling and Verifying Circuits Using Generalized Relative
Timing,” IEEE International Symposium on Asynchronous Circuits and Systems, ASYNC 05, March, 2005,
pp. 98–108 Available as
http://www.cs.cmu.edu/˜bryant/pubdir/async05.pdf.
S. K. Lahiri and R. E. Bryant, “Indexed Predicate Discovery for Unbounded System Verification,” Computer-
Aided Verification CAV 2004, R. Alur, and D. A. Peled, eds., LNCS 3114, Springer-Verlag, July, 2004,
pp. 135–147. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/cav04b.pdf.
A. Goel and R. E. Bryant, “Symbolic Simulation, Model Checking and Abstraction with Partially Ordered
Boolean Function Vectors,” Computer-Aided Verification CAV 2004, R. Alur, and D. A. Peled, eds., LNCS
3114, Springer-Verlag, July, 2004, pp. 255–267. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/cav04a.pdf.
S. A. Seshia and R. E. Bryant, “Deciding Quantifier-Free Presburger Formulas Using Parameterized Solu-
tion Bounds,” Logic in Computer Science LICS 2004, IEEE, July, 2004, pp. 100–109. Available as
http://www.cs.cmu.edu/˜bryant/pubdir/lics04.pdf.
R. M. Jensen, M. M. Veloso, and R. E. Bryant, “Fault Tolerant Planning: Toward Probabilistic Uncertainty
Models in Symbolic Non-Deterministic Planning,” International Conference on Automated Planning and
Scheduling ICAPS 04, June, 2004. Available as
5

Frequently asked questions

Q1. What are the contributions in this paper?

Bryant and O'Hallaron this paper presented a survey of the 20 years of ICCAD 's 20 Years of Excellence in Computer-Aided Design. 

Q2. What is the name of the paper?

Winner of best paper award in category “Verification, Simulation, and Test.” Available as http://www.cs.cmu.edu/˜bryant/pubdir/dac95a.pdf.