Metamorphic Software for Good and Evil

Mark Stamp, SJSU

Software is said to be metamorphic if copies of the software are functionally equivalent but they differ in their internal structure. This is in contrast to cloned software, in which all copies are identical. Metamorphism can be viewed as providing "genetic diversity" for software. In this talk, we show that a small degree of metamorphism can effectively mitigate a buffer overflow attack. More generally, we consider the potential role of metamorphism in so-called "break once, break everywhere" (BOBE) protection. We also outline a real-world example of the use of metamorphism in a digital rights management (DRM) product.

In the hacker community, it seems to be an article of faith that metamorphism can be used to create virtually undetectable viruses and worms. We examine four virus generators available on the Internet, each of which claims to produce metamorphic copies. We show that three of these fail to generate any significant degree of metamorphism. For the one engine that is highly metamorphic, we show that the viruses it generates are relatively easy to distinguish, using either a hidden Markov model approach or a more straightforward similarity index. This work suggests that the effective use of metamorphism for evil may be more difficult than is generally believed.

26 September (Tuesday) at 1630 hrs

Gates 4B (opposite 490)