IDENTIFYING SOFTWARE EXECUTION BEHAVIOR

US 20130185798A1
Filed: 01/13/2012
Published: 07/18/2013
Est. Priority Date: 01/13/2012
Status: Active Grant

First Claim

Patent Images

1. At a computer system, the computer system including a processor and system memory, a method for identifying execution behavior for a portion of binary code, the method comprising:

an act of accessing a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;

an act of converting the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including;

an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code;

an act of tracking the path of one or more parameters within functions of the intermediate representation to identify one or more of;

parameter values and parameter types used to call functions of interest within the portion of binary code; and

an act of outputting one or more of;

functions, parameter values, and parameters types of interest for the portion of binary code.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for identifying software execution behavior. Embodiments of the invention can be used to assist a user in a making a reasoned and informed decision about whether the behavior of executable code is malicious. Data indicative of executable code behavior can be collected statically without having to execute the executable code. Behavior data can be collected essentially automatically with little, if any, user involvement. A user initiates analysis of executable code and is provided a visual categorized representation of behavior data for the executable code.

237 Citations

20 Claims

1. At a computer system, the computer system including a processor and system memory, a method for identifying execution behavior for a portion of binary code, the method comprising:
- an act of accessing a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
  
  an act of converting the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including;
  
  an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code;
  
  an act of tracking the path of one or more parameters within functions of the intermediate representation to identify one or more of;
  
  parameter values and parameter types used to call functions of interest within the portion of binary code; and
  
  an act of outputting one or more of;
  
  functions, parameter values, and parameters types of interest for the portion of binary code.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, further comprising prior to accessing the portion of assembly code:
    - an act of accessing the portion of binary code;
      
      an act of disassembling the portion of binary code into the portion of assembly code; and
      
      an act of outputting the portion of assembly code.
  - 3. The method as recited in claim 1, wherein the act of converting the portion of assembly code to an intermediate representation comprises:
    - an act of analyzing the portion of assembly code to identify each location where the portion of assembly code calls an operating system function;
      
      an act of demarking each transition between user functions and operating system functions based on the identified locations; and
      
      wherein the act of mapping the assembly language instructions to corresponding intermediate representation instructions comprises;
      
      an act of mapping assembly language instructions of the user functions to intermediate representation instructions; and
      
      an act of ignoring the operating system functions.
  - 4. The method as recited in claim 3, wherein the an act of converting the portion of assembly code to an intermediate representation comprises an act of keeping track of a stack pointer used in the portion of assembly code.
  - 5. The method as recited in claim 4, wherein the act of keeping track of a stack pointer used in the portion of assembly code comprises for each location where an operating system function is called:
    - an act of accessing a stack delta for the operating system function;
      
      an act of accessing the calling convention for the operating system function; and
      
      an act of determining how to adjust the stack pointer based on the stack delta and calling convention for the operating system function.
  - 6. The method as recited in claim 1, wherein an act of tracking the path of one or more parameters within functions of the intermediate representation comprises an act of identifying parameter values used to call operating system functions.
  - 8. The method as recited in claim 1, wherein an act of tracking the path of one or more parameters within functions of the intermediate representation comprises an act of identifying parameter values used to call functions that facilitate of or more of:
    - network access, opening a file, modifying a registry, and activating computer system peripheral devices.
  - 9. The method as recited in claim 1, wherein an act of tracking the path of one or more parameters within functions of the intermediate representation comprises an act of tracking values that are configured to get moved between system registers and system memory.
  - 10. The method as recited in claim 1, wherein the act of outputting one or more of:
    - functions, parameter values, and parameters types of interest for the portion of binary code comprises an act of categorizing functions, parameters values, and parameter types to simplify complexity and assist in identifying potentially malicious behavior exhibited by the portion of binary code.
  - 11. The method as recited in claim 1, wherein the act of outputting one or more of:
    - functions, parameter values, and parameters types of interest for the portion of binary code comprises an act of categorizing functions of interest based on the operations the functions are configured to perform.
  - 12. The method as recited in claim 11, wherein the act of categorizing functions of interest based on the operations the functions are configured to perform comprises an act of categorizing functions to indicate the functions are configured to perform operations selected from:
    - network access, opening a file, modifying a registry, and activating computer system peripheral devices.
  - 13. The method as recited in claim 1, further comprising an act of sending the output of one or more of:
    - functions, parameter values, and parameters types of interest to a display device for presentation to a user, presentation to the user assisting the user in determining if the portion of binary code includes malicious behaviors.

7. The method as recited in claims wherein the act of an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions comprises:
- an act of reducing redundant instructions within the portion of assembly code; and
  
  an act of retaining sufficient semantics from the binary code such that potentially malicious behavior can be detected.

14. A computer program product for use at a computer system, the computer system include a display device, the computer program product for implementing a method for identifying execution behavior for a portion of binary code, the computer program product computer one or more computer storage devices having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- access a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
  
  convert the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including;
  
  mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code;
  
  track the path of one or more parameters within functions of the intermediate representation to identify one or more of;
  
  parameter values and parameter types used to call functions of interest within the portion of binary code;
  
  output one or more of;
  
  functions, parameter values, and parameters types of interest for the portion of binary code; and
  
  present the one or more of;
  
  functions, parameter values, and parameters types of interest at the display device, presentation at the display device assisting a user in determining if the portion of binary code includes malicious behaviors.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to convert the portion of assembly code to an intermediate representation comprise computer-executable instructions that, when executed, cause the computer system to:
    - analyze the portion of assembly code to identify each location where the portion of assembly code calls an operating system function;
      
      demark each transition between user functions and operating system functions based on the identified locations; and
      
      wherein computer-executable instructions that, when executed, cause the computer system to map the assembly language instructions to corresponding intermediate representation instructions comprise computer-executable instructions that, when executed, cause the computer system tomap assembly language instructions of the user functions to intermediate representation instructions; and
      
      ignore the operating system functions.
  - 16. The computer program product as recited in claim 14, further comprising computer-executable instructions that, when executed, cause the computer system to convert the portion of assembly code to an intermediate representation comprise computer-executable instructions that, when executed, cause the computer system keep track of a stack pointer used in the portion of assembly code.
  - 17. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to map each assembly language instruction to a corresponding ordered list of one or more intermediate representation instruction comprise computer-executable instructions that, when executed, cause the computer system to:
    - reduce redundant instructions within the portion of assembly code; and
      
      retain sufficient semantics from the binary code such that potentially malicious behavior can be detected.
  - 18. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to output one or more of:
    - functions, parameter values, and parameters types of interest for the portion of binary code comprise computer-executable instructions that, when executed, cause the computer system to categorize functions, parameters values, and parameter types to simplify complexity and assist in identifying potentially malicious behavior exhibited by the portion of binary code.
  - 19. The computer program product as recited in claim 14, wherein computer-executable instructions that, when executed, cause the computer system to output one or more of:
    - functions, parameter values, and parameters types of interest for the portion of binary code comprise computer-executable instructions that, when executed, cause the computer system to categorize functions of interest based on the operations the functions are configured to perform.

20. At a computer system, the computer system including a processor, system memory, and a display device, a method for identifying execution behavior for a portion of binary code, the method comprising:
- an act of accessing a portion of assembly code, the portion of assembly code disassembled from the portion of binary code, the portion of assembly code including assembly language instructions from an assembly language instruction set;
  
  an act of converting the portion of assembly code to an intermediate representation, the intermediate representation including intermediate representation instructions from an intermediate representation instruction set, converting the portion of assembly code including;
  
  an act of mapping each assembly language instruction to a corresponding ordered list of one or more intermediate representation instructions so as to reduce the complexity of analyzing the behavior of the portion of binary code, including for at least one assembly language instruction decomposing the assembly language instruction in to a plurality of micro operations to simplify analysis of the portion of binary code;
  
  an act of tracking the path of one or more parameters within functions of the intermediate representation to identify one or more of;
  
  parameter values and parameter types used to call functions of interest within the portion of binary code;
  
  categorizing functions, parameters values, and parameter types to simplify the complexity of identifying potentially malicious behavior exhibited by the portion of binary code; and
  
  presenting the categorized functions, parameter values, and parameters types of interest at the display device, presentation at the display device assisting a user in determining if the portion of binary code includes malicious behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accessdata Group Incorporated (Exterro Incorporated)
Original Assignee
Accessdata Group LLC (Exterro Incorporated)
Inventors
Saunders, Allen Mark, Ruef, Andrew Walter

Granted Patent

US 8,533,836 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/577   Assessing vulnerabilities a...

G06F 8/53   Decompilation; Disassembly

IDENTIFYING SOFTWARE EXECUTION BEHAVIOR

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING SOFTWARE EXECUTION BEHAVIOR

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links