IoT malware is often created by modifying publicly available source code, resulting in numerous variants. Analyzing the functionality of these variants has become increasingly important. Function Call Sequence Graph (FCSG) have been proposed to represent internal function calls in binaries, offering a promising approach for functional analysis. However, the structure of FCSGs is highly sensitive to CPU architecture and compiler optimization, hindering cross-architecture analysis. In this paper, we propose a method for generating architecture-independent FCSGs by removing obstructive functions—such as initialization routines and architecture-specific functions—that are not called in the source code but appear in conventional FCSGs. Our method removes, on average, 97.4% of such functions across binaries compiled for Arm, i586, and MIPS architectures with different optimization levels. Furthermore, we show that the resulting FCSGs better reflect the similarity of the original source code, as measured by graph- and string-based similarity metrics. These results demonstrate the potential of our method to improve the robustness and consistency of IoT malware functional analysis across diverse architectures.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Towards Architecture-Independent Function Call Analysis for IoT Malware

  • Kensei Ma,
  • Chansu Han,
  • Akira Tanaka,
  • Takeshi Takahashi,
  • Jun’ichi Takeuchi

摘要

IoT malware is often created by modifying publicly available source code, resulting in numerous variants. Analyzing the functionality of these variants has become increasingly important. Function Call Sequence Graph (FCSG) have been proposed to represent internal function calls in binaries, offering a promising approach for functional analysis. However, the structure of FCSGs is highly sensitive to CPU architecture and compiler optimization, hindering cross-architecture analysis. In this paper, we propose a method for generating architecture-independent FCSGs by removing obstructive functions—such as initialization routines and architecture-specific functions—that are not called in the source code but appear in conventional FCSGs. Our method removes, on average, 97.4% of such functions across binaries compiled for Arm, i586, and MIPS architectures with different optimization levels. Furthermore, we show that the resulting FCSGs better reflect the similarity of the original source code, as measured by graph- and string-based similarity metrics. These results demonstrate the potential of our method to improve the robustness and consistency of IoT malware functional analysis across diverse architectures.