Control Flow Graph Based Virus Scanning

DerbyCon 4.0 - Family Rootz

Presented by: Douglas Goddard
Date: Sunday September 28, 2014
Time: 13:00 - 13:50
Location: Track 4

Traditional anti-virus works by detecting sequences of bytes. Many evasion techniques manipulate data and code in very minor ways that, while not affecting the functionality of the program, change the sequences of bytes within it. An alternative approach is to identify programs based on their control flow graphs (CFGs). Using the Baksmali tool as a base, I've added code to parse the CFG for each method, read in a signature file, and run different comparison algorithms to effectively make a CFG based virus scanner. An algorithm for node-by-node matching has been designed and implemented specifically for this project. The algorithms, efficacy, and implementation of this tool will be discussed.

Some technical background will be helpful. However, in addition to the control flow graph isomorphism algorithm, this talk will attempt to cover the necessary background knowledge, including traditional anti-virus methods, Android APK structure and code, disassembly, basic blocks, and control flow graphs.
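The following is an added illustration of the idea above, not code from the talk or from Baksmali: a method is split into basic blocks, its CFG is compared node by node against a signature CFG, and the result is contrasted with a byte-sequence check. The smali-like instruction tuples, the `Lcom/example/Bad;->run()V` method name and the NOP/register-renaming variant are all constructed for the example.

```python
# Added example (not from the talk or Baksmali): toy control-flow-graph
# signature matching over a constructed smali-like listing.
# Instruction = (opcode, operand text, branch target index or None).
BRANCH = {"if-eqz", "if-nez"}    # conditional: fall-through and target
JUMP = {"goto"}                  # unconditional: target only
END = {"return", "return-void"}  # no successors

def build_cfg(code):
    """Split code into basic blocks; return {leader: [successor leaders]}."""
    leaders = {0}
    for i, (op, _, tgt) in enumerate(code):
        if op in BRANCH | JUMP:
            leaders.add(tgt)
        if op in BRANCH | JUMP | END and i + 1 < len(code):
            leaders.add(i + 1)  # instruction after a block-ending op
    starts = sorted(leaders)
    cfg = {}
    for n, start in enumerate(starts):
        last = starts[n + 1] - 1 if n + 1 < len(starts) else len(code) - 1
        op, _, tgt = code[last]
        succ = ([last + 1, tgt] if op in BRANCH else [tgt] if op in JUMP
                else [] if op in END else [last + 1])
        cfg[start] = [s for s in succ if s < len(code)]
    return cfg

def cfg_match(sig, cfg, a=0, b=0, mapping=None):
    """Node-by-node walk from both entry blocks: True if the signature graph
    maps one-to-one onto the scanned graph, preserving fall-through/target order."""
    mapping = {} if mapping is None else mapping
    if a in mapping:
        return mapping[a] == b
    if b in mapping.values() or len(sig[a]) != len(cfg[b]):
        return False
    mapping[a] = b
    return all(cfg_match(sig, cfg, x, y, mapping) for x, y in zip(sig[a], cfg[b]))

def byte_match(sig_code, code):
    """Traditional check: the signature's opcode+operand text must appear verbatim."""
    text = lambda c: ";".join(f"{op} {ops}" for op, ops, _ in c)
    return text(sig_code) in text(code)

# Constructed sample: a loop calling a payload method, and a variant with NOPs
# inserted and the register renamed (same behaviour, different bytes).
SIGNATURE = [("const", "v0, 0", None), ("if-eqz", "v0", 4),
             ("invoke-static", "Lcom/example/Bad;->run()V", None),
             ("goto", "", 1), ("return-void", "", None)]
VARIANT = [("const", "v3, 0", None), ("nop", "", None), ("if-eqz", "v3", 6),
           ("invoke-static", "Lcom/example/Bad;->run()V", None),
           ("nop", "", None), ("goto", "", 2), ("return-void", "", None)]
```

Running `byte_match(SIGNATURE, VARIANT)` gives False while `cfg_match(build_cfg(SIGNATURE), build_cfg(VARIANT))` gives True, which is the gap the CFG approach is meant to close.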
