Semantics-Aware Malware Detection
Mihai Christodorescu∗ Somesh Jha∗ Sanjit A. Seshia† Dawn Song Randal E. Bryant†
University of Wisconsin, Madison
{mihai, jha}@cs.wisc.edu {sanjit@cs., dawnsong@, bryant@cs.}cmu.edu
Abstract
A malware detector is a system that attempts to de-
termine whether a program has malicious intent. In or-
der to evade detection, malware writers (hackers) fre-
quently use obfuscation to morph malware. Malware
detectors that use a pattern-matching approach (such
as commercial virus scanners) are susceptible to obfus-
cations used by hackers. The fundamental deficiency
in the pattern-matching approach to malware detection
is that it is purely syntactic and ignores the semantics
of instructions. In this paper, we present a malware-
detection algorithm that addresses this deficiency by in-
corporating instruction semantics to detect malicious
program traits. Experimental evaluation demonstrates
that our malware-detection algorithm can detect vari-
ants of malware with a relatively low run-time over-
head. Moreover, our semantics-aware malware detec-
tion algorithm is resilient to common obfuscations used
by hackers.
1. Introduction
A malware instance is a program that has malicious
intent. Examples of such programs include viruses,
trojans, and worms. A classification of malware with
respect to its propagation method and goal is given
in [29]. A malware detector is a system that attempts
to identify malware. A virus scanner uses signatures
and other heuristics to identify malware, and thus is an
example of a malware detector. Given the havoc that
can be caused by malware [18], malware detection is an
important goal.
∗ This work was supported in part by the Office of Naval Research
under contracts N00014-01-1-0796 and N00014-01-1-0708. The U.S.
Government is authorized to reproduce and distribute reprints for
Governmental purposes, notwithstanding any copyright notices af-
fixed thereon.
The views and conclusions contained herein are those of the authors
and should not be interpreted as necessarily representing the official
policies or endorsements, either expressed or implied, of the above
government agencies or the U.S. Government.
† This work was supported in part by Army Research Office grant
DAAD19-01-1-0485.
Carnegie Mellon University
The goal of a malware writer (hacker) is to modify
or morph their malware to evade detection by a mal-
ware detector. A common technique used by malware
writers to evade detection is program obfuscation [30].
Polymorphism and metamorphism are two common ob-
fuscation techniques used by malware writers. For ex-
ample, in order to evade detection, a virus can morph
itself by encrypting its malicious payload and decrypt-
ing it during execution. A polymorphic virus obfus-
cates its decryption loop using several transformations,
such as nop-insertion, code transposition (changing the
order of instructions and placing jump instructions to
maintain the original semantics), and register reassign-
ment (permuting the register allocation). Metamor-
phic viruses attempt to evade detection by obfuscat-
ing the entire virus. When they replicate, these viruses
change their code in a variety of ways, such as code
transposition, substitution of equivalent instruction se-
quences, change of conditional jumps, and register re-
assignment [28, 35, 36].
Addition of new behaviors to existing malware is an-
other favorite technique used by malware writers. For
example, the Sobig.A through Sobig.F worm variants
(widespread during the summer of 2003) were devel-
oped iteratively, with each successive iteration adding
or changing small features [25–27]. Each new vari-
ant managed to evade detection either through the use
of obfuscations or by adding more behavior. The re-
cent recurrence of the Netsky and B[e]agle worms (both
active in the first half of 2004) is also an example of
how adding new code or changing existing code creates
new undetectable and more malicious variants [9, 17].
For example, the B[e]agle worm shows a series of “up-
grades” from version A to version C that include the
addition of a backdoor, code to disable local security
mechanisms, and functionality to better hide the worm
within existing processes. A quote from [17] summa-
rizes the challenges worm families pose to detectors:
Arguably the most striking aspect of Beagle
is the dedication of the author or authors to
refining the code. New pieces are tested, per-
fected, and then deployed with great fore-
thought as to how to evade antivirus scanners
and how to defeat network edge protection
 devices.
Commercial malware detectors (such as virus scan-
ners) use a simple pattern matching approach to mal-
ware detection, i.e., a program is declared as malware
if it contains a sequence of instructions that is matched
by a regular expression. A recent study demonstrated
that such malware detectors can be easily defeated us-
ing simple program obfuscations [8], that are already
being used by hackers. The basic deficiency in the pat-
tern matching approach to malware detection is that they
ignore the semantics of instructions. Since the pattern-
matching algorithm is not resilient to slight variations,
these malware detectors must use different patterns for
detecting two malware instances that are slight varia-
tions of each other. This is the reason that the signature
database of a commercial virus scanner has to be fre-
quently updated. The goal of this paper is to design a
malware-detection algorithm that uses semantics of in-
structions. Such an algorithm will be resilient to minor
obfuscations and variations.
Suppose a program P is transformed by a compiler
phase (such as register allocation) to produce a program
P ′ . The translation-validation problem is the prob-
lem of determining whether P ′ “simulates” P [31, 32].
Translation validation can be used to prove that vari-
ous compiler phases preserve the semantics of a spe-
cific program P . By viewing hacker obfuscations as
compiler phases, the malware-detection problem at the
surface seems similar to the translation-validation prob-
lem. However, there are fundamental differences be-
tween the two problems. Translation-validation tech-
niques determine whether the two programs are seman-
tically equivalent. However, variants of malware are
not equivalent because malware writers add additional
functionality between variants. Moreover, translation-
validation researchers make certain assumptions about
the transformed program. For example, Necula [31] as-
sumes that all branches in the target program must cor-
respond to branches in the source program. In the con-
text of malicious-code detection, such an assumption is
not valid: an adversary is free to transform the mali-
cious code as they wish. Although we use some ideas
from the translation-validation literature in the context
of malware detection (such as modeling semantics of
instructions and using decision procedures), our algo-
rithm is differs from those in the translation-validation
literature.
We use the observation that certain malicious behav-
iors (such as a decryption loop in a polymorphic virus
or a loop to search for email addresses in a user’s mail
folder) appear in all variants of a certain malware. The
problem is that the specified malicious behavior (such
as a decryption loop) appears in different guises in the
different variants. We formalize this problem and de-
scribe an algorithm for discovering specified malicious
behaviors in a given program. Since our algorithm is
semantic rather than purely syntactic, it is resistant to
common obfuscations used by hackers. Specifically,
this paper makes the following contributions:
• Formal semantics: We formally define the problem
of determining whether a program exhibits a speci-
fied malicious behavior. In general, this problem is
undecidable. Our semantics is described in detail in
Section 2. We believe that the semantics presented in
Section 2 can be used as a “reference semantics” for
other researchers working on malware detection.
• A semantics-aware malware detection algorithm:
Since the problem of determining whether a program
exhibits a specified malicious behavior is undecid-
able, we cannot hope to have a algorithm for the
abovementioned problem. In Section 3 we present
an algorithm for handling a limited set of transfor-
mations used by hackers. However, our evaluation
(in Section 4) shows that our algorithm is very effec-
tive in discovering malicious behavior, as it detects
multiple Netsky and B[e]agle variants with a single
template, and its resilience to obfuscation is better
than that of commercial virus scanners.
2. Semantics of malware detection
Before we present our formal semantics for malware
detection, we will provide an intuitive explanation of
the underlying ideas. We will use the example shown
in Figure 1 as a running example. Figure 1(a) shows
the control-flow graph (CFG) of a specification of ma-
licious behavior and Figure 1(b) shows the CFG of an
instruction sequence (which is a fragment of larger pro-
gram). Instructions in Figure 1 are in the intermediate
form (IR) used by our tool. The instructions in our IR
are intuitive, and we give a formal description of the IR
in Appendix B. We describe various components of our
semantics.
Specifying the malicious behavior. In our frame-
work, malicious behavior is described using templates,
which are instruction sequences where variables and
symbolic constants are used. Figure 1(a) describes
a malicious behavior that is a simplified version of a
decryption loop found in polymorphic worms. The
malware specification described in Figure 1(a) de-
crypts memory starting from address const addr1 and
writes the decrypted data to memory starting at address
const addr2. The decryption function and the termina-
tion condition are denoted by the function f(·) and pred-
icate condition(·) respectively. By abstracting away the
names of specific registers and symbolic constants in
the specification of the malicious behavior, our seman-
tics and algorithm are insensitive to simple obfusca-
tions, such as register renaming and changing the start-
ing address of a memory block.
 1
eax = 0x403000
2
ebx = 0x400000
1 const addr1 ← 0x403000
3
A = const_addr1
edx = eax + 3
2 condition(X) ← X≥0x406000
4
B = const_addr2
eax >= 0x406000 ?
3
5 false
condition(A) ? true mem[ebx] = mem[edx−3] << 2 + 1
4 false
6 (c) Execution context.
mem[B] = f(mem[A]) eax = eax + 4
5
7
A=A+c
edx = edx + 4
6
8
B=B+d ebx = ebx + 4
7 9
jump const_address2 jump 0x400000
(a) Template of malicious behavior. (b) Malware instance.
Figure 1. Malware instance (b) satisfies the template (a) according to our semantics.
When does an instruction sequence contain the
malicious behavior? Consider the instruction se-
quence shown in Figure 1(b). Assume the symbolic
constants in the template are assigned values shown
in Figure 1(c). If the template and the instruction se-
quence shown in Figure 1(a) and 1(b) are executed from
a state where the contents of the memory are the same,
then after both the executions the state of the memory
is the same. In other words, the template and the in-
struction sequence have the same effect on the mem-
ory. This is because whenever memory accesses are
performed the addresses in the two executions are the
same. Moreover, stores to memory locations are also
the same. Thus, there is an execution of instruction se-
quence shown in Figure 1(b) that exhibits the behavior
specified by the template given in Figure 1(a). In other
words, the malicious behavior specified by the template
is demonstrated by the instruction sequence. Note that
this intuitive notion of an instruction sequence demon-
strating a specified malicious behavior is not affected
by program transformations, such as register renaming,
inserting irrelevant instruction sequences, and changing
starting addresses of memory blocks.
2.1. Formal semantics
A template T = (IT , VT , CT ) is a 3-tuple, where
IT is a sequence of instructions and VT and CT are
the set of variables and symbolic constants that appear
in IT . There are two types of symbolic constants: an
n-ary function (denoted as F (n)) and an n-ary predi-
cate (denoted as P (n)). Notice that a simple symbolic
const addr2 ← 0x400000
true f(X) ← X≪2 + 1
c←4
d←4
const addr1 : F(0)
const addr2 : F(0)
c : F(0)
d : F(0)
f : F(1)
condition : P(1)
(d) Symbolic constant types.
constant is 0-ary function or has type F (0). A con-
stant c of type τ is written as c : τ . In the template
shown in Figure 1(a) the variables VT are {A, B} and
the symbolic constants CT are shown in Figure 1(d).
Let I be an instruction sequence or a program frag-
ment. An example instruction sequence is shown in Fig-
ure 1(b). Memory contents are represented as a function
M : Addr → V alues from the set of addresses Addr
to the set of values V alues, where M [a] denotes the
value stored at address a.
An execution context for a template T , with T =
(IT , VT , CT ), is an assignment of values of appropriate
types to the symbolic constants in the set CT . Formally,
an execution context ECT for a template T is a function
with domain CT , such that for all c ∈ CT the type of c
and ECT (c) are the same. An execution context for the
template shown in Figure 1(a) is shown in Figure 1(c).
Given an execution context ECT for a template T , let
ECT (T ) be the template obtained by replacing every
constant c ∈ CT by ECT (c).
A state sT for the template T is a 3-tuple denoted
(valT , pcT , memT ), where valT : VT → V alues is
an assignment of values to the variables in VT , pcT is a
value for the program counter, and memT : Addr →
V alues gives the memory content. We follow the con-
vention that a state and its component referring to the
template are superscripted by T . Given a template state
sT , val(sT ), pc(sT ) and mem(sT ) refer to the three
components of the state. Similarly, a state for the in-
struction sequence I is a 3-tuple (val, pc, mem), where
val : Reg → V alues is an assignment of values to
the set of registers Reg, pc is a value for the program
counter, and mem : Addr → V alues gives the mem-
ory contents. Let S T and S be the state space for the
template and the instruction sequence respectively.
Assume that we are given an execution context ECT
for a template T , and the template is in state sT . If we
execute an instruction i from the template ECT (T ) in
state sT , we transition to a new state sT1 and generate a
system event e (in our context, events are usually sys-
tem calls or kernel traps). We denote a state change
from sT to sT1 generating an event e as sT −→ sT1 .
e Consider the example shown in Figure 1. Assume
For uniformity, if an instruction i does not generate a
system event, we say that it generates the null event,
or e(i) = null. For every initial template state sT0 ,
executing the template T in an execution context ECT
generates a sequence as follows:
eT eT
σ(T, ECT , sT0 ) = sT0 −→
1
sT1 −→
1
··· ,
where for i ≥ 1, sTi is the state after executing the i-
th instruction from the template ECT (T ) and eTi is the
event generated by the (i − 1)-th instruction. Notice
that if the template does not terminate, σ(T, ECT , sT0 )
can be infinite. Similarly, σ(I, s0 ) denotes the sequence
when the instruction sequence I is executed from the
initial state s0 .
Definition 1 We say that an instruction sequence I
contains a behavior specified by the template T =
(IT , VT , CT ) if there exists a program state s0 , an ex-
ecution context ECT , and a template state sT0 such
that mem(sT0 ) = mem(s0 ) (the memory in the two
states are the same), and the two sequences σ(I, s0 ) and
σ(T, ECT , sT0 ) are finite, and the following conditions
hold on the two sequences:
• (Condition 1): Let the two execution sequences be
given as follows:
eT eT eT
σ(T, ECT , sT0 ) = sT0 −→
1
sT1 −→
2 k
· · · −→ sTk
e
1 2 e r e
σ(I, s0 ) = s0 −→ s1 −→ · · · −→ sr
Let affected (σ(T, ECT , sT0 )) be the set of addresses
a such that mem(sT0 )[a] 6= mem(sTk )[a], i.e.,
affected (σ(T, ECT , sT0 )) is the set of memory ad-
dresses whose value changes after executing the tem-
plate T from the initial state. We require that
mem(sTk )[a] = mem(sr )[a] holds for all a ∈
affected (σ(T, ECT , sT0 )), i.e. values at addresses
that belong to the set affected (σ(T, ECT , sT0 )) are
the same after executing the template T and the in-
struction sequence I.
• (Condition 2): Ignoring null events, the event se-
quence heT0 , · · · , eTk i is a subsequence of the event
sequence he0 , · · · , er i. In order for the two system
events e1 and e2 to match, their arguments and return
values should be identical.
• (Condition 3): If
pc(sTk ) ∈ affected (σ(T, ECT , sT0 )),
then pc(sr ) ∈ affected (σ(T, ECT , sT0 )). In other
words, if the program counter at the end of executing
the template T points to the affected memory area,
then the program counter after executing I should
also point into the affected memory area.
that we use the execution context shown in Figure 1(c)
for the template shown in Figure 1(a). Suppose we ex-
ecute the template and instruction sequence shown in
Figure 1 from states with the same memory contents.
The state of the memory is same in both executions,
so condition 1 is true. Condition 2 is trivially satisfied.
Since the jumps have the same target, condition 3 is triv-
ially true.
Definition 2 A program P satisfies a template T (de-
noted as P |= T ) iff P contains an instruction sequence
I such that I contains a behavior specified by T . Given
a program P and a template T , we call the problem of
determining whether P |= T as the template matching
problem or TMP.
Defining a variant family. Definition 2 can be used
to define a variant family. The intuition is that most vari-
ants of a malware contain a common set of malicious
behavior, such as a decryption loop and a loop to search
for email addresses. Let T be a set of templates (this set
contains specification of malicious behavior common to
a certain malware family). The set T defines a variant
family as follows:
{P | for all T ∈ T , P |= T }
In other words, the variant family defined by T contains
all programs that satisfy all templates in the set T.
Theorem 1 TMP is undecidable.
Proof: We will reduce the halting problem to TMP. Let
M be a Turing machine, and PM be a program that uses
instructions in our IR that simulates M (since our IR
is Turing complete, this can be accomplished). With-
out loss of generality, assume that PM does not touch
a special address sp addr while simulating the Turing
machine M . Before starting to simulate M , PM sets
mem[sp addr] to 0. After simulating M , if PM halts,
it sets mem[sp addr] to 1. Consider the template T
shown below:
mem[sp addr] = 0
mem[sp addr] = 1
It is easy to see that PM |= T iff M halts. 
2.2. A weaker semantics
In some scenarios the semantics described in defini-
tion 1 is too strict. For example, if a template uses cer-
tain memory locations to store temporaries, then these
memory locations should not be checked for equality
in comparing executions of an instruction sequence and
a template. Let σ(T, ECT , sT0 ) be the sequence gen-
erated when a template T is executed from a state sT0
using the execution context ECT . Define a set of core
memory locations core(σ(T, ECT , sT0 )) which is a sub-
set of affected (σ(T, ECT , sT0 )). Condition 1 in defini-
tion 1 can be changed as follows to give a weaker se-
mantics:
• (Modified condition 1): We require that for all
a ∈ core(σ(T, ECT , sT0 )), we have mem(sTk )[a] =
mem(sr )[a], i.e., values in the addresses that belong
to the set core(σ(T, ECT , sT0 )) are the same after ex-
ecuting the template T and the instruction sequence
I. In other words, only the memory locations in the
set core(σ(T, ECT , sT0 )) are checked for equality in
the two executions.
There are several ways to define core memory lo-
cations. We describe one possible definition of core
memory locations. Assume that each instruction in
the template T is labeled as temp or persistent. Intu-
itively if an instruction is labeled with temp, it performs
temporary computation. Let σ(T, ECT , sT0 ) be the se-
quence generated when a template T executed from a
state sT0 using the execution context ECT . Recall that
affected (σ(T, ECT , sT0 )) is the set of addresses a such
that mem(sT0 )[a] 6= mem(sTk )[a], where sTk is the
last state in the sequence σ(T, ECT , sT0 ). Then the core
memory locations core(σ(T, ECT , sT0 )) can be defined
as any address in affected (σ(T, ECT , sT0 )) that is a tar-
get of a load or store instruction with label persistent.
3. Semantics-aware matching algorithm
We present an algorithm for checking whether a pro-
gram P satisfies a template T ; this algorithm is sound,
but not complete, with respect to the semantics pre-
sented in Section 2.1, yet it can handle several classes
of obfuscations (see Section 3.4). We have also im-
plemented our algorithm as a malware-detection tool.
The tool takes as input a template and a binary program
for the Microsoft Windows on Intel IA-32 (x86) plat-
form, and determines whether a fragment of the sus-
picious program contains a behavior specified by the
template. The tool’s output describes the matched frag-
ment of the program together with information relating
template variables to program registers and memory lo-
cations, and a list of “irrelevant” instruction sequences
that are part of the matched program fragment.
3.1. Architecture
The tool is built on top of the IDA Pro disassem-
bler [13]. Figure 2 illustrates the flow through the tool,
Program IDAPro
IR conversion
Template Program IR
Yes/No Malware detector
Decision procedures
Increasing precision and cost
Predefined patterns of
Nop library
irrelevant instructions.
Randomized x86
interpreter. Random execution
Theorem prover. Simplify
Decision procedure with
bit-vector arithmetic. UCLID
Figure 2. The architecture of the mali-
cious code detector. Gray boxes repre-
sent existing infrastructure.
starting with the input binary program on the left and
ending with an output indicating whether the program
satisfies the template.
We first disassemble the binary program, construct
control flow graphs, one per program function (as iden-
tified by IDA Pro), and produce an intermediate rep-
resentation (IR). The IR is generated using a library
of x86 instruction transformers, in such a way that the
IR is architecture-independent. The IR can still con-
tain library and system calls that are, by definition,
platform-specific – we remove this last dependency by
using summary functions expressed in IR form (see Ap-
pendix B for a description of the IR).
The rest of the toolkit takes advantage of the plat-
form- and architecture-independent IR. We have ini-
tially focused our research on the Microsoft Windows
on Intel IA-32 platform, with no loss of generality. By
providing appropriate front-ends that translate the pro-
gram into the IR format, one can use our malware-
detector tool to process programs for different plat-
forms.
3.2. Algorithm description
Our malware detection algorithm AMD works by
finding, for each template node, a matching node in
the program. Individual nodes from the template and
the program match if there exists an assignment to vari-
ables from the template node expression that unifies it
with the program node expression. Once two matching
nodes are found, we check whether the def-use relation-
ships true between template nodes also hold true in the
corresponding program (two nodes are related by a def-
use relationship if one node’s definition of a variable
reaches the other node’s use of the same variable). If all
the nodes in the template have matching counterparts
under these conditions, the algorithm has found a pro-
gram fragment that satisfies the template and produces
a proof of this relationship.
Formally, given a malicious code template T and a
program P , we define the malware detection algorithm
AMD as a predicate on pairs of programs and templates,
AMD : Programs × Templates → {yes, ⊥}, such that
AMD (P, T ) returns “yes” when program P satisfies
template T under the conditions below. We denote by ⊥
(i.e. “don’t know”) the return value from the algorithm
when it cannot determine that the program satisfies the
template.
Consider the example in Figure 3, where a simpler
version of the template T from Figure 1(a) uses expres-
sion X≥const addr3 instead of the symbolic constant
condition(X) and Xˆ5 (where symbol ‘ˆ’ represents the
bit-vector xor operator) instead of f(X). Similarly, the
program P in Figure 3 is a simpler version of the mal-
ware instance from Figure 1(b). For P to satisfy T in
algorithm AMD , i.e., AMD (P, T ) = yes, the following
two conditions have to hold:
• Matching of template nodes to program nodes.
First, each node n in the template has to unify with a
node m in P . In other words, there is an onto partial
function f from the nodes of P to nodes in T , such
that f (m) in T and m in P are unifiable. We will de-
note by B(X, n, m), where n = f (m), the binding
of variable X referred to in the template instruction
at node n to an expression referred to in the program
instruction at node m. In Figure 3, the gray arrows
connect unified template nodes and program nodes:
for instance, program node 7 unifies with template
node 4.
• Preservation of def-use paths. For each node n in
T , define def (n) as the set of variables defined in
n. Similarly, use(n) is the set of variables used in
node n. In Figure 3, template node 3 uses variable A,
use(3) = {A}, while template node 6 both defines
and uses variable B, def (6) = use(6) = {B}. De-
fine synthetic nodes npre as predecessor to the tem-
plate entry node and npost as successor to all template
exit nodes, such that def (npre ) = use(npost ) = VT .
A def-use path is a sequence of nodes hn1 , ..., nk i
such that the following conditions are true:
– For 1 ≤ i < k, there is an edge from ni to ni+1
in T , i.e., hn1 , · · · , nk i is a valid path through the
template T .
– The instruction I(n1 ) (at node n1 ) defines a vari-
able that I(nk ) uses, that is, def (n1 ) ∩ use(nk ) 6=
∅.
– None of the instructions at the intermediate nodes
redefine the value of the variables in def (n1 ), i.e.,
def (n1 ) ∩ def (ni ) = ∅ for 1 < i < k.
Two nodes n1 and n2 are def-use related (denoted by
duse(n1 , n2 )) iff there exists a path from n1 to n2
that is a def-use path. In Figure 3, template nodes
1 and 3 are def-use related, with the corresponding
def-use path h1, 2, 3i.
Consider two nodes n and n′ in T that are def-use
related. Let nodes n and n′ in T be matched to
nodes m and m′ in program P , i.e. f (m) = n
and f (m′ ) = n′ . Suppose X is a variable that is
defined in n and used in n′ , and B(X, n, m) = r
and B(X, n′ , m′ ) = r′ , i.e., X is bound to expres-
sion r program in node m and r′ in program node
m′ . In this case, we need to make sure that the
value of expression r after executing the instruction
I(m) is same as the value of expression r′ before
executing the instruction I(m′ ), for every program
path corresponding (under the matching function f )
to a template path from n to n′ . In Figure 3, pro-
gram nodes 1 and 5 match template nodes 1 and
3, with respective bindings B(A, 1, 1) = eax and
B(A, 3, 5) = (ecx − 1). The condition we need to
enforce is that the value of eax after program instruc-
tion I(1) is same as the value of (ecx −1) before pro-
gram instruction I(5). In our algorithm, these value
invariants are checked using a decision procedure.
Algorithm AMD implements a conservative approxima-
tion of the formal semantics of malware detection from
Section 2.1, as the following result demonstrates.
Theorem 2 AMD is sound with respect to the TMP se-
mantics, i.e. AMD (P, T ) = yes implies that P |= T .

The proof is given in Appendix A. Our algorithm is thus
sound with respect to the TMP semantics, but it is not
complete. We can show there exists a program P , and a
template T , such that P |= T , but AMD (P, T ) returns
⊥. Consider the following example (in C-like syntax)
where the template captures the behavior of initializing
an array of 10 elements to 0.
Template T Program P
for ( i =0; i <10; i +=2)
f o r ( i =0; i <10; i ++)
a[ i ]=0;
a[ i ]=0;
for ( i =1; i <10; i +=2)
a[ i ]=0;
Both the program and the template initialize one array
of 10 elements: the sets of affected memory locations
are the same in the final states of the template and the
program, thus P |= T . Our algorithm AMD will not
 1 1
A = const_addr1
2 2
B = const_addr2
A
3
4
3 5
true
A > const_addr3 ?
false 6
4 7
mem[B] = mem[A] ^ key
5 8
A=A+c
6 9
B=B+d
7 10
jump const_address2
Figure 3. Example of program (on the right) satisfying a template (on the left) according to
our algorithm AMD . Gray arrows connect program nodes to their template counterparts. The
dashed arrow on the left marks one of the def-use relations that does hold true in the template,
while the corresponding dashed arrow on the right marks the def-use relation that must hold true
in the program.
match the program with the template as the ordering of
memory updates in the template loop is different from
that in the program loops.
Local unification. The unification step addresses
the first condition of algorithm AMD , by producing an
assignment to variables in an instruction at a template
node such that it matches a program node instruction (if
such an assignment exists). Since a program node ex-
pression contains only ground terms, the algorithm uses
one-way matching that instantiates template variables
with program expressions. In Figure 3, template node
3 matches program node 5, with the binding { A ← ecx
- 1, const addr3 ← 0x406000 }. In the prototype we
implemented, a template can contain expressions with
variables, symbolic constants, predefined functions (see
the operators in Appendix B), and external function
calls. The matching algorithm takes these restrictions
into account:
• A variable in the template can be unified with any
program expression, except for assignment expres-
sions.
• A symbolic constant in the template can only be uni-
fied with a program constant.
• The predefined function memory : F (1) (traditionally
written in array notation memory[. . . ]) can only be
unified with the program function memory : F (1).
eax = 0x403000
ebx = 0x400000 valpre<I>(eax) = valpost<I>(ecx−1)
nop
ecx = eax + 1
true
ecx − 1 > 0x406000
false
eax = ecx − 1
mem[ebx] = mem[eax]^5
eax = eax + 1
ebx = ebx + 2
jump 0x400000
• A predefined operator in the template can only be
unified with the same operator in the program.
• An external function call in the template can only be
unified with the same external function call in the
program.
Standard unification rules apply in all other cases: for
example, an operator expression in the template unifies
with an expression in the program if the program oper-
ator is the same as the template operator and the cor-
responding operator arguments unify. Template node 1
(A = const addr1) can unify with program nodes 1
(eax = 0x403000) or 2 (ebx = 0x400000) but not
with program nodes 8 or 9, since template node 1 ex-
pression has a symbolic constant as the right-hand side.
The result of the local unification step is a binding
relating template variables to program expressions. The
binding for the example in Figure 3 is shown in Table 1.
Note that the bindings are different at various program
points (at program node 1, template variable A is bound
to eax, while at program node 5, template variable A is
bound to (ecx - 1)). Requiring bindings to be consis-
tent (monomorphic) seems like an intuitive approach,
but leads to an overly restrictive semantics – any obfus-
cation attack that reassigns registers in a program frag-
ment would evade detection. We want to check pro-
gram expressions bound to the same template variable
(e.g. eax and (ecx - 1) are both bound to A) and verify
they change value in the same way the template vari-
able changes values. We employ a mechanism based
on def-use chains and value preservation to answer this
problem.
Unified nodes Bindings
A ← eax
T1 P1
const addr1 ← 0x403000
B ← ebx
T2 P2
const addr2 ← 0x400000
A ← ecx - 1
T3 P5
const addr3 ← 0x406000
A ← eax
T4 P7
B ← ebx
A ← eax
T5 P8
increment1 ← 1
B ← ebx
T6 P9
increment2 ← 2
T7 P10 const addr2 ← 0x400000
Table 1. Bindings generated from the uni-
fication of template and program nodes in
Figure 3. Notation Tn refers to node n of
the template, and Pm refers to node m of
the program.
Value preservation on def-use chains. The sec-
ond condition of algorithm AMD requires template vari-
ables and the corresponding program expressions to
have similar update patterns (although not necessarily
the same values). For each def-use chain in the tem-
plate, the algorithm checks whether the value of the pro-
gram expression corresponding to the template-variable
use is the same as the value of the program expression
corresponding to the template-variable definition. Con-
sider Figure 3, where template nodes 1 and 3 are def-
use related. Program nodes 1 and 5 map to template
nodes 1 and 3, respectively. Denote by R the program
fragment between nodes 1 and 5, such that R contains
only program paths from program node 1 to node 5 that
correspond to template paths between template nodes 1
and 3 (i.e., any path in R has nodes that either map to
template paths between 1 and 3, or have no correspond-
ing template node). A def-use chain for template vari-
able A connects template node 1 with template node 3:
in the program, the expressions corresponding to tem-
plate variable A after program node 1 and before pro-
gram node 5 must be equal in value, across all paths in
R. This condition can be expressed in terms of value
predicates: for each path I in program fragment R (e.g.
I = hP2, P3, P4i), val prehIi (eax ) = val posthIi (ecx − 1),
where val prehIi represents the variable-valuation func-
tion for the program state before path I and val posthIi
is the variable-valuation function for the program state
after path I. We can formulate this query about pre-
serving def-use chains as a value preservation prob-
lem: given the program fragment R, we want to check
whether it maintains the value predicate
φ ≡ ∀I ∈
R . val prehIi (eax ) = val posthIi (ecx − 1) .
The algorithm uses decision procedures to determine
whether a value predicate holds. We discuss these de-
cision procedures in Section 3.3; for now, we treat the
decision procedures as oracles that can answer queries
of the form “Does a program fragment R maintain an
invariant φ?” For each match considered between a pro-
gram node and a template node, the algorithm checks
whether the def-use chain is preserved for each program
expression corresponding to a template variable used at
the matched node (see Appendix C for a listing of all
the def-use chains checked for the example shown in
Figure 3). This approach eliminates a large number of
matches that cannot lead to a correct template assign-
ment.
3.3. Using decision procedures to check value-
preservation
A value-preservation oracle is a decision procedure
that determines whether a given program fragment is
a semantic nop with respect to certain program vari-
ables. Formally, given a program fragment P and pro-
gram expressions e1 , e2 , a decision procedure D deter-
mines whether the value predicate φ(P, e1 , e2 ) ≡ ∀I ∈
P . val prehIi (e1 ) = val posthIi (e2 ) holds.

 true if P is a semantic nop,
D(P, e1 , e2 ) = i.e. φ(P, e1 , e2 ) holds
 ⊥ otherwise
Similarly, we can define decision procedures that de-
termine whether ¬φ(P, e1 , e2 ) holds (in this case, the
result of D(P, e1 , e2 ) is “false” or ⊥). We denote by
D+ a decision procedure for φ(P, e1 , e2 ), and by D− a
decision procedure for ¬φ(P, e1 , e2 ).
As the value preservation queries are frequent in our
algorithm (possibly at every step during node match-
ing), the prototype use a collections of decision proce-
dures ordered by their precision and cost. Intuitively,
the most naı̈ve decision procedures are the least precise,
but the fastest to execute. If a D+ -style decision proce-
dure reports “true” on some input, all D+ -style deci-
sion procedures following it in the ordered collection
will also report “true” on the same input. Similarly, if a
D− -style decision procedure reports “false on some in-
put, all D− -style decision procedures following it in the
ordered collection will also report “false” on the same
input. As both D+ - and D− -style decision procedures
are sound, we define the order between D+ and D− de-
cision procedures based only on performance.
This collection of decision procedures provides us
with an efficient algorithm for testing whether a pro-
gram fragment P preserves expression values: iterate
through the ordered collection of decision procedures,
querying each Di , and stop when one of them returns
“true”, respectively “false” for D− -style decision pro-
cedures. This algorithm provides for incrementally ex-
pensive and powerful checking of the program frag-
ment, in step with its complexity: program fragments
that are simple semantic nops will be detected early by
decision procedures in the ordered collection. Complex
value preserving fragments will require passes through
multiple decision procedures. We present, in order, four
decision procedures that are part of our prototype.
Nop Library D+
NOP . This decision procedure iden-
tifies sequences of actual nop instructions, which are
processor-specific instructions similar to the skip state-
ment in some high-level programming languages, as
well as predefined instruction sequences known to be
semantic nops. Based on simple pattern matching, the
decision procedure annotates basic blocks as nop se-
quences where applicable. If the whole program frag-
ment under analysis is annotated, then it is a semantic
nop. The nop library can also act as a cache for queries
already resolved by other decision procedures.
Randomized Symbolic Execution D− RE . This ora-
cle is based on a D− -style decision procedure using ran-
domized execution. The program fragment is executed
using a random initial state (i.e. the values in registers
and memory are chosen to be random). At completion
time, we check whether it is true that ¬φ(P, e1 , e2 ): if
true, at least one path in the program fragment is not a
semantic nop, and thus the whole program fragment is
not a semantic nop.
Theorem Proving D+ ThSimplify . The value preser-
vation problem can be formulated as a theorem to be
proved, given that the program fragment has no loops.
We use the Simplify theorem prover [14] to implement
this oracle: the program fragment is represented as a
state transformer δ, using each program register and
memory expression converted to SSA form. We then
use Simplify to prove the formula δ ⇒ φ(P, e1 , e2 ), in
order to show that all paths through the program frag-
ment are semantic nops under φ(P, e1 , e2 ). If Simplify
confirms that the formula is valid, the program fragment
is a semantic nop. One limitation of the Simplify the-
orem prover is the lack of bit-vector arithmetic, which
binary programs are based on. Thus, we can query Sim-
plify only on programs that do not use bit-vector opera-
tions.
Theorem Proving D+ ThUCLID . A second theorem
proving oracle is based on the UCLID infinite-state
bounded model checker [22]. For our purposes, the
logic supported by UCLID is a superset of that sup-
ported by Simplify. In particular, UCLID precisely
models integer and bit-vector arithmetic. We model the
program fragment instructions as state transformers for
each register and for memory (represented as an unin-
terpreted function). UCLID then simulates the program
Handled
Obfuscation transformation
by AMD ?
Instruction reordering ✓
Register renaming ✓
Garbage insertion ✓
Instruction replacement limited
Equivalent functionality ✗
Reordered memory accesses ✗
Table 3. Obfuscation transformations ad-
dressed by our malware detection algo-
rithm and some limitations.
fragment for a given number of steps and determines
whether φ(P, e1 , e2 ) holds at the end of the simulation.
For illustration, consider Figure 3: the value preser-
vation problem consists of the program fragment R, cre-
ated from program nodes 2, 3, and 4, and the value pred-
icate φ ≡ ∀I ∈ R . val prehIi (eax ) = val posthIi (ecx −1).
To use the Simplify theorem proving oracle, the formula
shown in Table 2 is generated from program fragment
R.
3.4. Strengths and limitations
For the algorithm to be effective against real-life at-
tacks, it has to “undo” various obfuscations and other
program transformations that a malware writer might
use. We list the strengths and weaknesses of our algo-
rithm in Table 3. We discuss below in detail four classes
of obfuscations algorithm AMD can handle: code re-
ordering, equivalent instruction replacement, register
renaming, and garbage insertion.
Code reordering is one of the simplest obfuscations
hackers use to evade signature matching. The obfus-
cation changes the order of instructions on disk, in the
binary image, while maintaining the execution order us-
ing jump instructions. This obfuscation is handled by
the use of control flow graphs. Register renaming is a
simple obfuscation that reassigns registers in selected
program fragments. As a result, a signature matching
tool will fail to detect any obfuscated variant as long as
it searches for a signature with a specific register. Our
template matching algorithm avoids this pitfall by us-
ing templates. The uninterpreted variables are assigned
corresponding program registers and memory locations
only during unification and, thus, the matching algo-
rithm can identify any program with the same behavior
as the template, irrespective of the register allocation.
Garbage insertion obfuscates a program by inserting
instruction sequences that do not change the behavior
of the program. Algorithm AMD tackles this class of
obfuscations through the use of decision procedures to
reason about value predicates on def-use chains. Equiv-
alent instruction replacement uses the rich instruction
set available on some architectures, notably on the Intel
 Instruction sequence: Simplify formula:
2: ebx = 0x400000 ( IMPLIES ( AND ( EQ ebx 1 4194304)
3: nop (EQ ecx 4 ( + e a x p r e 1 ) )
4: ecx = eax + 1 (EQ e c x p o s t ecx 4 )
)
(EQ e a x p r e ( − e c x p o s t 1 ) )
Value predicate: )
∀I ∈ R . val prehIi (eax ) = val posthIi (ecx − 1)

Table 2. Example of Simplify query corresponding to program fragment R and value predicate
φ.

IA-32 (x86), to replace groups of consecutive instruc- gorithm’s resilience to obfuscation. We used malware
tions with other short instruction sequences that have instances in the wild both for developing behavior tem-
the same semantics. For example, to add 1 to register plates and as starting point for obfuscation transforma-
X in the x86 architecture, one can use the inc X (in- tions in the obfuscation resilience testing. Highlights of
crement) instruction, or the add X, 1 instruction, or the evaluation are:
the sub X, -1 instruction. We handle a limited kind
of instruction replacement by normalizing the code into • The template-based algorithm detects worms from
an intermediate representation (IR) with semantically- the same family, as well as unrelated worms, using
disjoint operations. a single template.
Limitations. Our tool has few limitations. First, • No false positives were generated when running our
the current implementation requires all of the IR in- malware detector on benign programs, illustrating the
structions in the template to appear in the same form soundness of our algorithm in its current implemen-
in the program. For example, if an IR node in the tem- tation.
plate contains “x = x * 2”, the same operation (an
assignment with a multiplication on the right hand side) • The algorithm exhibits improved resilience to obfus-
has to appear in the program for that node to match. cation when compared to commercial anti-virus tool
This means that we will not match the equivalent pro- McAfee VirusScan.
gram instruction “eax = eax << 1” (arithmetic left
shift). Attacks against this requirement are still possi- 4.1. Variant detection evaluation
ble, but are fairly hard, as the bar has been raised: the
attacker has to devise multiple equivalent, yet distinct,
We developed two templates and tested malware
implementations of the same computation, to evade de-
samples and benign programs against them. One tem-
tection. This is not an inherent limitation of the seman-
plate captures the decryption-loop functionality com-
tics, and can be handled using an IR normalization step.
mon in many malicious programs, while the other tem-
The second limitation comes from the use of def-use
plate captures the mass-mailing functionality common
chains for value preservation checking. The def-use re-
to email worms. While throughout this section we use
lations in the malicious template effectively encode a
only the decryption-loop template as example, the re-
specific ordering of memory updates – thus, our algo-
sults from using the mass email template were similar.
rithm AMD will detect only those program that exhibit
For malware samples we used seven variants of Netsky
the same ordering of memory updates. We note that au-
(B, C, D, O, P, T, and W), seven variants of B[e]agle (I,
tomatically generating functionally-equivalent variants
J, N, O, P, R, and Y), and seven variants of Sober (A, C,
is a hard problem. Handling obfuscations that reorder
D, E, F, G, and I). All of them are email worms, each
instructions to achieve a different ordering of memory
with many variants in the wild, ranging in size from
updates is one goal of our ongoing research.
12 kB to 75 kB.
Malware Template detection Running time
4. Experimental results Decryp- Mass-
family tion loop mailer
Avg. Std. dev.
Netsky 100% 100% 99.57 s 41.01 s
We evaluated our implementation of algorithm AMD B[e]agle 100% 100% 56.41 s 40.72 s
against real-world malware variants. The three major Sober 100% 0% 100.12 s 45.00 s
goals of our experiments were to develop malicious be-
havior templates that can match malware variants, to Table 4. Malware detection using algo-
measure the false positive rates the algorithm generates rithm AMD for 21 e-mail worm instances.
with these templates, and to measure the detection al-
 The decryption-loop template describes the behav-
ior of programs that unpack or decrypt themselves to
memory: the template consists of (1) a loop that pro-
cesses data from a source memory area and writes data
to a destination memory area, and (2) a jump that targets
the destination area. Many binary worms use this tech-
nique to make static analysis harder: the actual code of
the worm is not available for inspection until runtime.
To construct the template, we analyzed the Netsky.B
email worm and manually extracted the code that per-
forms the decryption and the jump. The template was
then generalized from this code by replacing actual reg-
isters and memory addresses with variables. The mass-
mailing template was developed in a similar manner: it
describes the custom SMTP functionality present in the
worm, including email composition and transmission.
We applied our algorithm on each malware instance
and each decryption-loop template. We achieved 100%
detection of the Netsky and B[e]agle worm instances
using only the two templates (the mass-mailing tem-
plate required minor tweaks to detect B[e]agle). The
Sober worm instances did not match the mass-mailing
template, requiring a separate template. Due to limita-
tions in the current prototype implementation, match-
ing calls into the Microsoft Visual Basic runtime li-
brary (used by Sober worm instances) is not supported.
Nonetheless, we have shown that algorithm AMD can
detect multiple worm instances from the same family
using one template, in contrast with commercial virus
scanners that require many signatures (McAfee VirusS-
can uses 13 signatures to detect the worms in our test
set). Our detection results come with one caveat: 3 of
the Netsky variants could not be processed by IDA Pro.
Since we build our tool on the assumption that disas-
sembly can be performed successfully, we do not con-
sider those 3 variants as false negatives. Running times
for the tool (listed in Table 4) are satisfactory for a pro-
totype and suggest that real-time performance can be
achieved with an optimized implementation.
4.2. False positive evaluation
We evaluated the algorithm and the templates against
a set of benign programs, in order to measure the false
positive rate and to evaluate the templates we devel-
oped. We used a set of 2,000 programs with sizes
between <1 kB and 150 kB, from standard Microsoft
Windows system programs, to compiler tools, to Mi-
crosoft Office programs. We have also tried to test
larger benign binaries, with sizes up to 5 MB, but they
did not disassemble successfully. For successfully dis-
assembled programs, the false positive rate was 0%,
meaning that our implementation AMD correctly clas-
sified all programs as benign (none of the test programs
matched the templates).
In Figure 4, we present the results of this evalua-
tion: programs are grouped by size, in 5 kB increments,
and the disassembly and detection rates are plotted for
each group. For example, the bar to the right of the
71,680 B point represents programs between 71,680 B
and 76,799 B in size, and indicates that 97.78% of the
programs in this group were disassembled successfully
and were detected as benign, while 2.22% failed to dis-
assemble (either because the disassembler crashed, or
because it failed to group program code into functions).
The running time per test case ranged from 9.12 s to
413.78 s, with an average of 165.5 s.
False Positive Evaluation of 2,000 Binaries
100%
80%
Disassembly rate 60%
40%
20%
0%
0B 35,840 B 71,680 B 107,520 B 143,360 B
Program size (grouped in 5 kB increments)
Figure 4. Evaluation of algorithm AMD on
a set of 2,000 benign Windows programs
yielded no false positives. Gray bars indi-
cate the percentage of programs that dis-
assembled correctly and were detected as
benign; white bars indicate the percent-
age of programs that failed to disassem-
ble.
4.3. Obfuscation resilience evaluation
To test resilience to obfuscation, we applied garbage
insertion transformations of varying degrees of com-
plexity to worm variant B[e]agle.Y, and compared the
detection rate of our malware detection tool against
McAfee VirusScan. The garbage insertion transforma-
tion adds code fragments to a program, such that each
code fragment is irrelevant in its insertion context. We
considered three types of garbage insertion: (1) nop in-
sertion adds simple sequences of nop instructions; (2)
stack-op insertion adds sequences of stack operations;
and (3) math-op insertion adds sequences of arithmetic
operations. We generated 20 variants for each type of
obfuscation. To test the limits of our implementation,
one of the math-op insertion transformations actually
replaced single instructions of the form x = x + const
with equivalent sequences. The results are tabulated in
Table 5: our tool catches all obfuscations with the ex-
ception of the math-op replacement transformation; in
such a case, since the algorithm seeks to exactly match
a template instruction of the form x = x + const, any
equivalent instruction sequences are not detected.
Obfuscation Algorithm AMD McAfee
type Average Detection VirusScan
time rate
Nop 74.81 s 100% 75.0%
Stack op 159.10 s 100% 25.0%
Math op 186.50 s 95% 5.0%
Table 5. Evaluation of algorithm AMD on
a set of obfuscated variants of B[e]agle.Y.
For comparison, we include the detection
rate of McAfee VirusScan.
5. Related work
We compare our work to existing research in the
areas of malware detection, translation validation, and
software verification.
5.1. Malware detection
In previous work [8], we demonstrated that cur-
rent commercial virus scanners can be easily evaded
by using simple obfuscations used by hackers. Many
malware-detection techniques are based on static-
analysis of executables. In this area, we previously de-
scribed a malware-detection algorithm called SAFE [7].
SAFE can only handle very simple obfuscations (only
nops can appear between matching instructions), e.g.,
the example shown in Figure 1 cannot be handled by
SAFE. Moreover, the formal semantics of malware de-
tection was not explored by the earlier work. Static
analysis of binaries is used by Kruegel et al. [21] to
detect kernel-level rootkits, which are attack tools that
are used by hackers to hide their presence from system
administrators. They look for suspicious instruction se-
quences using symbolic execution. The detection algo-
rithm presented in this paper is more powerful because
we use multiple decision procedures (symbolic execu-
tion being just one of them). Our specification of ma-
licious behavior is richer than the one used by Kruegel
et al. Therefore, using our algorithm can result in a
more powerful tool for detecting kernel-level rootkits.
We will explore this interesting application of our algo-
rithm in the future. Singh and Lakhotia [33] provide an
annotated bibliography of papers on malware analysis
and detection.
An essential step in statically analyzing executables
is disassembly, which translates machine code to as-
sembly code. Linn and Debray [23] demonstrate that
simple obfuscations can thwart the disassembly pro-
cess. The abovementioned research demonstrates the
importance of handling obfuscations in malware detec-
tion. Kruegel et al. [20] present techniques for disas-
sembling obfuscated executables. In this paper, we as-
sume that the malware being analyzed can be disassem-
bled.
The theoretical limits of malicious code detection
(specifically of virus detection) have been the focus of
many researchers. A virus is a malware that replicates
itself by copying its code to other program files. Co-
hen [10] and Chess-White [6] showed that in general
the problem of virus detection is undecidable. Spinel-
lis [34] proved that problem of reliably identifying a
bounded-length virus is NP-complete. These results are
similar to the result presented in this paper (see Theo-
rem 1). However, our formal model of malware detec-
tion is different than the one used by these researchers:
we present a semantics and an algorithm for detecting
specific malicious behaviors, avoiding the problem of
undecidability (as proven by Cohen) and the problem of
undetectable malware classes (as introduced by Chess
and White).
Dynamic monitoring can also be used for malware
detection. Cohen [10] and Chess-White [6] propose
a virus detection model that executes code in a sand-
box. Another approach rewrites the binary to introduce
checks driven by an enforceable security policy [15]
(known as the inline reference monitor or the IRM ap-
proach). We believe static analysis can be used to im-
prove the efficiency of dynamic analysis techniques,
e.g., static analysis can remove redundant checks in the
IRM framework. In the future we will explore hybrid
static-dynamic approaches to malware detection.
5.2. Translation validation
A translation-validation [12, 16, 31, 32] system at-
tempts to verify that the semantics of a program is not
changed by an optimizing transformation. Differences
between malware detection and translation validation
were discussed in the introduction.
5.3. Software verification
Our work is closely related to previous results on
static analysis techniques for verifying security proper-
ties of software [1, 3–5, 19, 24]. In a larger context, our
work is similar to existing research on software verifica-
tion [2,11]. However, there are several important differ-
ences. First, since these systems analyze benign code,
they do not have to handle obfuscations. Second, to
our knowledge, all existing work on static analysis tech-
niques for verifying security properties analyzes source
code. On the other hand, our analysis technique works
on executables.
6. Conclusion
We observe that certain malicious behaviors (such
as decryption loops) appear in all variants of a certain
malware. Based on this intuition, we gave a formal
semantics for malware detection. We also presented a
malware-detection algorithm that is sound with respect
to our semantics. Experimental evaluation demon-
strated that our algorithm can detect all variants of cer-
tain malware, has no false positives, and is resilient to
obfuscation transformations generally used by hackers.
There are several opportunities for further work. In
the future we will address the limitations discussed in
Section 3 (see Table 3). We also plan to optimize our
tool to reduce the execution times.
Acknowledgments. We are thankful to our anony-
mous reviewers for their invaluable comments. We
would also like to express our gratitude to Giovanni Vi-
gna, our shepherd throughout the revision process, for
his feedback.
References
[1] K. Ashcraft and D. Engler. Using programmer-written
compiler extensions to catch security holes. In Proceed-
ings of the 2002 IEEE Symposium on Security and Pri-
vacy (Oakland’02), pages 143–159, May 2002.
[2] T. Ball and S. Rajamani. Automatically validating tem-
poral safety properties of interfaces. In Proceedings of
the 8th International SPIN Workshop on Model Check-
ing of Software (SPIN’01), volume 2057 of Lecture
Notes in Computer Science, pages 103–122, Toronto,
Ontario, Canada, 2001. Springer-Verlag Heidelberg.
[3] M. Bishop and M. Dilger. Checking for race conditions
in file accesses. Computing Systems, 9(2), 1996.
[4] H. Chen and D. Wagner. MOPS: an infrastructure for
examining security properties of software. In 9th ACM
Conference on Computer and Communications Security
(CCS’02). ACM Press, November 2002.
[5] B. Chess. Improving computer security using extending
static checking. In Proceedings of the 2002 IEEE Sym-
posium on Security and Privacy (Oakland’02), pages
160–173, May 2002.
[6] D. Chess and S. White. An undetectable computer virus.
In Proceedings of the 2000 Virus Bulletin Conference
(VB2000), 2000.
[7] M. Christodorescu and S. Jha. Static analysis of exe-
cutables to detect malicious patterns. In Proceedings
of the 12th USENIX Security Symposium (Security’03),
pages 169–186. USENIX Association, USENIX Asso-
ciation, Aug. 2003.
[8] M. Christodorescu and S. Jha. Testing malware de-
tectors. In Proceedings of the ACM SIGSOFT Inter-
national Symposium on Software Testing and Analysis
2004 (ISSTA’04), pages 34–44, Boston, MA, USA, July
2004. ACM Press.
[9] M. Ciubotariu. Netsky: a conflict starter? Virus Bul-
letin, pages 4–8, May 2004.
[10] F. Cohen. Computer viruses: Theory and experiments.
Computers and Security, 6:22–35, 1987.
[11] J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby,
S. Laubach, and H. Zheng. Bandera: Extracting finite-
state models from Java source code. In Proceedings of
the 22nd International Conference on Software Engi-
neering (ICSE’00), pages 439–448. ACM Press, 2000.
[12] D. W. Currie, A. J. Hu, and S. Rajan. Automatic formal
verification of DSP software. In Proceedings of the 37th
Annual ACM IEEE Conference on Design Automation
(DAC’00), pages 130–135. ACM Press, 2000.
[13] DataRescue sa/nv. IDA Pro – interactive disassembler.
Published online at http://www.datarescue.
com/idabase/. Last accessed on 3 Feb. 2003.
[14] D. Detlefs, G. Nelson, and J. Saxe. The Simplify theo-
rem prover. Published online at http://research.
compaq.com/SRC/esc/Simplify.html. Last
accessed on 10 Nov. 2004.
[15] U. Erlingsson and F. B. Schneider. IRM enforce-
ment of Java stack inspection. In Proceedings of the
2000 IEEE Symposium on Security and Privacy (Oak-
land’00), pages 246–255, May 2000.
[16] X. Feng and A. J. Hu. Automatic formal verification
for scheduled VLIW code. In Proceedings of the Joint
Conference on Languages, Compilers and Tools for Em-
bedded Systems & Software and Compilers for Embed-
ded Systems (LCTES/SCOPES’02), pages 85–92. ACM
Press, 2002.
[17] J. Gordon. Lessons from virus developers: The Beagle
worm history through April 24, 2004. In SecurityFocus
Guest Feature Forum. SecurityFocus, May 2004. Pub-
lished online at http://www.securityfocus.
com/guest/24228. Last accessed: 9 Sep. 2004.
[18] L. A. Gordon, M. P. Loeb, W. Lucyshyn, and
R. Richardson. 2004 CSI/FBI computer crime and se-
curity survey. Technical report, Computer Security In-
stitute, 2004.
[19] T. Jensen, D. Métayer, and T. Thorn. Verification of
control flow based security properties. In Proceedings
of the 1999 IEEE Symposium on Security and Privacy
(Oakland’99), May 1999.
[20] C. Kruegel, W. Robertson, F. Valeur, and G. Vigna.
Static disassembly of obfuscated binaries. In Proceed-
ings of the 13th USENIX Security Symposium (Secu-
rity’04), San Diego, CA, Aug. 2004.
[21] C. Kruegel, W. Robertson, and G. Vigna. Detecting
kernel-level rootkits through binary analysis. In Pro-
ceedings of the 20th Annual Computer Security Ap-
plications Conference (ACSAC’04), Tucson, AZ, Dec.
2004.
[22] S. K. Lahiri and S. A. Seshia. The UCLID decision pro-
cedure. In R. Alur and D. A. Peled, editors, Proceed-
ings of the 16th International Conference on Computer
Aided Verification (CAV’04), volume 3114 of Lecture
Notes in Computer Science, pages 475–478, Boston,
MA, USA, July 2004. Springer-Verlag Heidelberg.
[23] C. Linn and S. Debray. Obfuscation of executable code
to improve resistance to static disassembly. In Pro-
ceedings of the 10th ACM Conference on Computer and
Communications Security (CCS’03), Oct. 2003.
[24] R. Lo, K. Levitt, and R. Olsson. MCF: A malicious code
filter. Computers & Society, 14(6):541–566, 1995.
[25] LURHQ Threat Intelligence Group. Sobig.a and the
spam you received today. Technical report, LURHQ,
2003. Published online at http://www.lurhq.
com/sobig.html. Last accessed on 16 Jan. 2004.
[26] LURHQ Threat Intelligence Group. Sobig.e - Evo-
lution of the worm. Technical report, LURHQ,
2003. Published online at http://www.lurhq.
com/sobig-e.html. Last accessed on 16 Jan. 2004.
[27] LURHQ Threat Intelligence Group. Sobig.f examined.
Technical report, LURHQ, 2003. Published online at
http://www.lurhq.com/sobig-f.html. Last
accessed on 16 Jan. 2004.
[28] A. Marinescu. Russian doll. Virus Bulletin, pages 7–9,
Aug. 2003.
[29] G. McGraw and G. Morrisett. Attacking malicious
code: report to the Infosec research council. IEEE Soft-
ware, 17(5):33 – 41, Sept./Oct. 2000.
[30] C. Nachenberg. Computer virus-antivirus coevolution.
Communications of the ACM, 40(1):46–51, Jan. 1997.
[31] G. C. Necula. Translation validation for an optimiz-
ing compiler. In Proceedings of the ACM SIGPLAN
2000 Conference on Programming Language Design
and Implementation (PLDI’00), pages 83–94. ACM
Press, June 2000.
[32] A. Pnueli, M. Siegel, and E. Singerman. Translation
validation. In Proceedings of the 4th International
Conference on Tools and Algorithms for Construction
and Analysis of Systems (TACAS’98), volume 1384 of
Lecture Notes in Computer Science, pages 151–166.
Springer-Verlag Heidelberg, Mar. 1998.
[33] P. Singh and A. Lakhotia. Analysis and detection of
computer viruses and worms: An annotated bibliogra-
phy. ACM SIGPLAN Notices, 37(2):29–35, Feb. 2002.
[34] D. Spinellis. Reliable identification of bounded-length
viruses is NP-complete. IEEE Transactions on Infor-
mation Theory, 49(1):280–284, Jan. 2003.
[35] P. Ször and P. Ferrie. Hunting for metamorphic. In
Proceedings of the 2001 Virus Bulletin Conference
(VB2001), pages 123 – 144, Sept. 2001.
[36] z0mbie. z0mbie’s homepage. Published online at
http://z0mbie.host.sk. Last accessed: 16 Jan.
2004.
A. Proof of Theorem 2
Let P be a program and T a template such that
AMD (P, T ) returns yes. Let f be a function from the
set of nodes of P to nodes in T that satisfy the two
conditions given in section 3 (such a function exists be-
cause the AMD (P, T ) returned yes). We will prove that
P |= T .
There are two set of states - one for the program
(which we simply refer to as state) and other for the
template (which we refer to as template state). Re-
call that a state s of program is a 3-tuple comprising
of an assignment val(s) of values to registers, value
pc(s) for the program counter, and the memory con-
tents mem(s). Consider a node n in the template T and
a node m in P such that f (m) = n. Let s be a state
such that pc(s) = m (in this proof we equate the pro-
gram counter with the CFG node it corresponds to), and
B(·, n, m) be the binding. We define a template state
corresponding to s (denoted by T (s)) as follows:
• Let B(val(s)) be the assignment implied by the bind-
ing B, i.e., B(val(s))(X) is equal to the value of the
expression B(X, n, m) in the state s.
• Define pc(T (s)) to be the program counter corre-
sponding to node n.
• Define mem(T (s)) as mem(s).
Let n0 be the initial node of the template and m0
be a node in the program such that f (m0 ) = n0 .
Let s0 be a state such that pc(s0 ) = m0 , and define
sT0 as T (s0 ). Recall that I(n) denotes the instruction
corresponding to node n. Given a state s, I(n)(s) de-
notes the state obtained by executing instruction I(n)
from state s, and e(I(n), s) denotes the event gener-
ated by executing instruction I(n) from state s. Let s′1
be equal to I(m0 )(s0 ) and e1 be equal to e(I(m0 ), s0 ).
Let sT1 = I(n0 )(sT0 ) and eT1 = e(I(n0 ), sT0 ). Since n0
and m0 are unifiable, it is easy to see that eT1 = e1 . Let
n1 be the template node corresponding to pc(sT1 ). As-
sume that in program P , from state s′1 there is a feasible
path path(s′1 , m1 ) from pc(s′1 ) to a node m1 , such that
f (m1 ) = n1 , i.e., executing path(s′1 , m1 ) from state
s′1 yields a state s1 , such that pc(s1 ) = m1 . We de-
e
note this fact by s0 1 s1 , i.e., there is an execution
sequence α that starts at s0 and ends at s1 and the first
event generated by α is e1 . Thus we obtain the follow-
ing execution sequences in P and T :
e1
σ = s0 s1
eT
σT = sT0 →1
sT1
Recall that use(n1 ) is the set of variables used by in-
struction I(n1 ). For every variable X ∈ use(n1 ),
value of expression B(X, n1 , m1 ) is unchanged by
path(s′1 , m1 ). Therefore, executing instruction I(n1 )
in the template from the states T (s1 ) and sT1 =
I(n0 )(s0 ) results in same memory accesses, generate
the same event, and transitions to the same node n2 in
the template. We continue augmenting the execution
sequences σ and σT until we obtain a template state sTk
such that pc(sTk ) corresponds to the final node of the
template. At the end, we have two execution sequences
e1 e2 ek
σ = s0 s1 s2 · · · sk
eT eT eT
σT = sT0 → sT1 → sT2 · · · → sk
1 2 k
where σ and σT are execution sequences in the program
and the template. Moreover, for 1 ≤ i ≤ k, ei = eTi
and template states sTi and T (si ) satisfy the following
property:
• Executing instruction I(pc(si )) in the program P proven as semantic nops for the program in Figure 3
from the state si and instruction I(pc(sTi )) in the to satisfy the template in the same figure. In Table 7,
template from the state T (si ) results in same mem- we list the 10 def-use chains in the template, the de-
ory accesses and generate the same event. rived value predicates that relate program expressions,
and the corresponding program fragments. The nota-
• In the template T , executing instruction I(pc(sTi )) x
tion n → n′ describes the variable corresponding to the
from the state sTi and from the state T (si ) results in
def-use path, such that def (n) ∩ use(n′ ) = {x}.
same memory accesses and generate the same event.
Def-use chain and
The proof of abovementioned property uses the condi- value predicate
Program fragment
tion that def-use paths are preserved by the program. A
From the above two observations it is easy to see that T1 → T3 2: ebx = 0x400000
P |= T . 3: nop
val posthIi (ecx − 1) 4: ecx = eax + 1
= val prehIi (eax )
B. Intermediate representation language A
T5 → T3
9: ebx = ebx + 1
The intermediate representation (IR) of a program is val posthIi (ecx − 1) 4: ecx = eax + 1
structured as a collection of control flow graphs (CFGs), = val prehIi (eax )
A
each node in the graph corresponding to one IR instruc- T1 → T4 2: ebx = 0x400000
tion. Edges in a CFG are unlabeled, with the exception 3: nop
of the outgoing edges of a conditional control flow in- val posthIi (eax ) 4: ecx = eax + 1
struction. In such a case, the IR instruction is labeled = val prehIi (eax ) 6: eax = ecx - 1
A
jump, and the outgoing edges are labeled with the cor- T5 → T4 9: ebx = ebx + 1
responding condition that holds true along that branch. 4: ecx = eax + 1
IR instructions are elements in a language with sim- val posthIi (eax ) 6: eax = ecx - 1
ple rules, illustrated in Table 6. Each IR instruction (or = val prehIi (eax )
B
IR term) is either an assignment that updates state vari- T2 → T4 3: nop
ables or a call to other functions in the same program, 4: ecx = eax + 1
or to external functions (library or system routines). An val posthIi (ebx ) 6: eax = ecx - 1
IR expression uses arithmetic, bit-vector, and relational = val prehIi (ebx )
B
operators, as well as the special memory addressing op- T6 → T4
erator. 4: ecx = eax + 1
val posthIi (ebx ) 6: eax = ecx - 1
term :: expr1 ASSIGN expr2 = val prehIi (ebx )
| CALL expr A 2: ebx = 0x400000
T1 → T5 3: nop
expr :: expr1 op expr2 4: ecx = eax + 1
val posthIi (eax ) 6: eax = ecx - 1
| ident ( expr, . . . )
= val prehIi (eax ) 7: mem[ebx] = mem[eax] ˆ 5
| memory [ expr ]
A
| ident | number | string T5 → T5 9: ebx = ebx + 1
4: ecx = eax + 1
op :: OR | AND | XOR | NOT | BITAND val posthIi (eax ) 6: eax = ecx - 1
| BITOR | BITXOR | BITNOT = val prehIi (eax ) 7: mem[ebx] = mem[eax] ˆ 5
| EQUAL | LESSTHAN B 3: nop
T2 → T6 4: ecx = eax + 1
| GREATERTHAN | LEQ | GEQ
6: eax = ecx - 1
| BITSHIFTLEFT | BITSHIFTRIGHT val posthIi (ebx ) 7: mem[ebx] = mem[eax] ˆ 5
| PLUS | MINUS | STAR | DIV | MOD = val prehIi (ebx ) 8: eax = eax + 1
B
T6 → T6 4: ecx = eax + 1
Table 6. Term algebra for intermediate rep- 6: eax = ecx - 1
resentation (IR) expressions. 7: mem[ebx] = mem[eax] ˆ 5
val posthIi (ebx )
= val prehIi (ebx ) 8: eax = eax + 1

Table 7. Def-use paths, value predicates,

C. Def-use paths and value predicates and program paths for the example in Fig-
ure 3.
We list here the complete set of value predicates
and corresponding program fragments that have to be