{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:42:44Z","timestamp":1759092164950},"reference-count":27,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Form. Asp. Comput."],"published-print":{"date-parts":[[2017,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. Metasploit is a well-known source of Java exploits and to circumvent detection by anti virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is an intermediate language for JVM bytecode designed for optimisation and program analysis, and demonstrates how partially evaluated Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.<\/jats:p>","DOI":"10.1007\/s00165-016-0357-3","type":"journal-article","created":{"date-parts":[[2016,2,19]],"date-time":"2016-02-19T10:40:01Z","timestamp":1455878401000},"page":"33-55","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Partial evaluation of string obfuscations for Java malware detection"],"prefix":"10.1145","volume":"29","author":[{"given":"Aziem","family":"Chawdhary","sequence":"first","affiliation":[{"name":"School of Computing, University of Kent, CT2 7NF, Kent, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ranjeet","family":"Singh","sequence":"additional","affiliation":[{"name":"School of Computing, University of Kent, CT2 7NF, Kent, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andy","family":"King","sequence":"additional","affiliation":[{"name":"School of Computing, University of Kent, CT2 7NF, Kent, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","reference":[{"key":"e_1_2_1_2_1_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ipl.2009.04.016"},{"key":"e_1_2_1_2_2_2","doi-asserted-by":"crossref","unstructured":"Andersen L (1993) Binding-time analysis and the taming of C pointers. I: PEPM. ACM New York pp 47\u201358","DOI":"10.1145\/154630.154636"},{"key":"e_1_2_1_2_3_2","doi-asserted-by":"crossref","unstructured":"Brotherston J Gorogiannis N Petersen RL (2012) A generic cyclic theorem prover. In: APLAS LNCS vol 7705. Springer Berlin pp 350\u2013367","DOI":"10.1007\/978-3-642-35182-2_25"},{"key":"e_1_2_1_2_4_2","doi-asserted-by":"crossref","unstructured":"Braux M Noy\u00e9 J (2000) Towards partially evaluating reflection in Java. In: PEPM. ACM New York pp 2\u201311","DOI":"10.1145\/328691.328693"},{"key":"e_1_2_1_2_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/BF00271642"},{"key":"e_1_2_1_2_6_2","unstructured":"Collberg C Nagra J (2008) Surreptitious software: obfuscation watermarking and tamperproofing for software protection. Addison-Wesley New York"},{"key":"e_1_2_1_2_7_2","unstructured":"Einarsson A Nielsen JD (2008) A survivor\u2019s guide to Java program analysis with soot. Technical report"},{"key":"e_1_2_1_2_8_2","doi-asserted-by":"crossref","unstructured":"Giacobazzi R Jones ND Mastroeni I (2012) Obfuscation by partial evaluation of distorted interpreters. In: PEPM. ACM New York pp 63\u201372","DOI":"10.1145\/2103746.2103761"},{"key":"e_1_2_1_2_9_2","doi-asserted-by":"crossref","unstructured":"Giacobazzi R Mastroeni I (2004) Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Principles of programming languages. ACM New York pp 186\u2013197","DOI":"10.1145\/982962.964017"},{"key":"e_1_2_1_2_10_2","doi-asserted-by":"crossref","unstructured":"Hatcliff J (1998) An introduction to online and offline partial evaluation using a simple flowchart language. DIKU Partial Evaluation Summer School Copenhagen. epository.readscheme.org\/ftp\/papers\/pe98-school\/hatcliff-DIKU-PE-summerschool.pdf","DOI":"10.1007\/3-540-47018-2_2"},{"key":"e_1_2_1_2_11_2","doi-asserted-by":"crossref","unstructured":"Hirzel M Diwan A Hind M (2004) Pointer analysis in the presence of dynamic class loading. In: ECOOP. Lecture notes in computer science vol 3086. Springer Berlin pp 96\u2013122","DOI":"10.1007\/978-3-540-24851-4_5"},{"key":"e_1_2_1_2_12_2","unstructured":"Jones ND Gomard CK Sestoft P (1993) Partial evaluation and automatic program generation. Prentice-Hall Upper Saddle River"},{"key":"e_1_2_1_2_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/0743-1066(91)90027-M"},{"key":"e_1_2_1_2_14_2","doi-asserted-by":"crossref","unstructured":"Livshits VB Whaley J Lam MS (2005) Reflection analysis for Java. In: APLAS. Lecture Notes in Computer Science vol 3780. Springer Berlin pp 139\u2013160","DOI":"10.1007\/11575467_11"},{"key":"e_1_2_1_2_15_2","unstructured":"Lindholm T Yellin F Bracha G Buckley A (2013) The Java virtual machine specification Java SE 7 edn. Addison-Wesley Professional 1st edition"},{"key":"e_1_2_1_2_16_2","doi-asserted-by":"crossref","unstructured":"McCabe TJ (1976) A complexity measure. IEEE Trans Softw Eng 2(4):308\u2013320","DOI":"10.1109\/TSE.1976.233837"},{"key":"e_1_2_1_2_17_2","doi-asserted-by":"crossref","unstructured":"Madhavan R Ramalingam G Vaswani K (2011) Purity analysis: an abstract interpretation formulation. In: SAS. LNCS vol 6887. Springer Berlin pp 7\u201324","DOI":"10.1007\/978-3-642-23702-7_6"},{"key":"e_1_2_1_2_18_2","unstructured":"National Institute of Standards and Technology (2013) Vulnerability summary for CVE-2013-3346"},{"key":"e_1_2_1_2_19_2","unstructured":"OWASP (2013) Metasploit Java exploit code obfuscation and antivirus bypass\/evasion (CVE-2012-4681)"},{"key":"e_1_2_1_2_20_2","doi-asserted-by":"crossref","unstructured":"Park JG Lee AH (2001) Removing reflection from java programs using partial evaluation. In: Reflection. Lecture notes in computer science vol 2192. Springer Berlin pp 274\u2013275","DOI":"10.1007\/3-540-45429-2_22"},{"key":"e_1_2_1_2_21_2","unstructured":"Rapid 7. Java Applet JMX Remote Code Execution (2013)"},{"key":"e_1_2_1_2_22_2","unstructured":"Rapid 7. Metasploit (2014)"},{"key":"e_1_2_1_2_23_2","doi-asserted-by":"crossref","unstructured":"Shali A Cook WR (2011) Hybrid partial evaluation. In: OOPSLA. ACM New York pp 375\u2013390","DOI":"10.1145\/2076021.2048098"},{"key":"e_1_2_1_2_24_2","unstructured":"Security Obscurity Blog (2012) Java exploit code obfuscation and antivirus bypass\/evasion (blog post). http:\/\/security-obscurity.blogspot.co.uk\/2012\/11\/java-exploit-code-obfuscation-and.html"},{"key":"e_1_2_1_2_25_2","unstructured":"Sistemas H (2014) VirusTotal analyses suspicious files and URLs. https:\/\/www.virustotal.com\/"},{"key":"e_1_2_1_2_26_2","doi-asserted-by":"crossref","unstructured":"Schlumberger J Kruegel C Vigna G (2012) Jarhead: analysis and detection of malicious Java applets. In: ACSAC. ACM New York pp 249\u2013257","DOI":"10.1145\/2420950.2420988"},{"key":"e_1_2_1_2_27_2","unstructured":"Valle\u00e9 Rai R Hendren LJ (1998) Jimple: simplifying Java bytecode for analyses and transformations. Technical report TR-1998-4. McGill University Montreal"}],"container-title":["Formal Aspects of Computing"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00165-016-0357-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00165-016-0357-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1007\/s00165-016-0357-3","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00165-016-0357-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,6]],"date-time":"2022-01-06T16:03:39Z","timestamp":1641485019000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1007\/s00165-016-0357-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,1]]},"references-count":27,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,1]]}},"alternative-id":["10.1007\/s00165-016-0357-3"],"URL":"https:\/\/doi.org\/10.1007\/s00165-016-0357-3","relation":{},"ISSN":["0934-5043","1433-299X"],"issn-type":[{"value":"0934-5043","type":"print"},{"value":"1433-299X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,1]]}}}