1

Visualization and analysis of assembly code in an integrated comprehension environment

Pucsek, Dean W. 26 June 2013
Computing has reached a point where it is visible in almost every aspect of one’s daily activities. Consider, for example, a typical household. There will be a desktop computer, game console, tablet computer, and smartphones built using different types of processors and instruction sets. To support the pervasive and heterogeneous nature of computing there have been many advances in programming languages, hardware features, and increasingly complex software systems. One task that is shared by all people who work with software is the need to develop a concrete understanding of foreign code so that tasks such as bug fixing, feature implementation, and security audits can be conducted. To do this, tools are needed to help present the code in a manner that is conducive to comprehension and allows for knowledge to be transferred. Current tools for program comprehension are aimed at high-level languages and do not provide a platform for assembly code comprehension that is extensible both in terms of the supported environment as well as the supported analysis. This thesis presents ICE, an Integrated Comprehension Environment, that is developed to support comprehension of assembly code while remaining extensible. ICE is designed to receive data from external tools, such as disassemblers and debuggers, which is then presented in a series of visualizations: Cartographer, Tracks, and a Control Flow Graph. Cartographer displays an interactive function call graph while Tracks displays a navigable sequence diagram. Support for new visualizations is provided through the extensible implementation, enabling analysts to develop visualizations tailored to their needs. Evaluation of ICE is completed through a series of case studies that demonstrate different aspects of ICE relative to currently available tools. / Graduate / 0984 / dpucsek@uvic.ca
2

Identifying malware similarity through token-based and semantic code clones

Lanclos, Christopher I. G. 08 December 2023
Malware is the source or a catalyst for many of the attacks on our cyberspace. Malware analysts and other cybersecurity professionals are responsible for responding to and understanding attacks to mount a defense against the attacks in our cyberspace. The sheer amount of malware alone makes this a difficult task, but malware is also increasing in complexity. This research provides empirical evidence that a hybrid approach using token-based and semantic-based code clones can identify similarities between malware. In addition, the use of different normalization techniques and the use of undirected matrices versus directed matrices were studied. Lastly, the impact of the use of inexact code clones was evaluated. Our results showed that our approach to determining the similarity between malware outperforms two methods currently used in malware analyses. In addition, we showed that overly generalized normalization of code sections would hinder the performance of the proposed method. At the same time, there is no significant difference between the use of directed and undirected matrices. This research also confirmed the positive impact of using inexact code clones when determining similarity.
