Concepedia

Publication | Closed Access

Static Detection of Malicious Code in Executable Programs

Citations: 176

References: 5

Year: 2000

Abstract

In this paper, we propose a new approach for the static detection of malicious code in executable programs. Our approach rests on a semantic analysis based on behaviour that even makes possible the detection of unknown malicious code. This analysis is carried out directly on binary code. Static analysis offers techniques for predicting properties of the behaviour of programs without running them. The static analysis of a binary executable is achieved in three major steps: construction of an intermediate representation, flow-based analysis that captures security-oriented program behaviour, and static verification of critical behaviours against security policies (model checking).

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection (e.g., firewalls); D.2.4 [Software Engineering]:
