Related Work

This paper is most closely related to previous static-analysis approaches to exploit code detection [4,3,6]. One benefit of these static-analysis approaches is that they can detect both exploit code that targets known vulnerabilities and zero-day exploit code that targets unknown vulnerabilities. In addition, they are in general more resilient to polymorphism and metamorphism than string-matching signatures are. However, Polychronakis et al. [5] demonstrated that anti-static-analysis techniques such as self-modifying code and indirect jumps can easily thwart these existing static-analysis techniques.

Polychronakis et al. [5] first proposed a CPU emulator to detect polymorphic shellcode. An emulator, being a dynamic analyzer, is immune to most anti-static-analysis techniques. However, dynamic analysis is vulnerable to several anti-emulation techniques, which have existed in the virus-writer community for many years. Motivated by [5], we propose STILL, which is robust to both anti-static-analysis and anti-emulation techniques.



xinran wang 2008-02-28