v0.7.8 — Overlay Detection & Extended Entropy Analysis
Summary
v0.7.8 enhances IOCX’s static PE engine with precise overlay detection, extended entropy analysis, and structural overlay heuristics.
This release introduces deterministic identification of appended data, malformed overlay boundaries, compressed‑looking regions, and deceptive high‑entropy patterns. It strengthens IOCX’s ability to reason about PE structure beyond the last section, ensuring stable behaviour across unusual or adversarial overlays.
The goal is to increase IOCX’s structural awareness — enabling accurate overlay detection, conservative entropy‑based heuristics, and robust handling of malformed or deceptive appended data — while preserving IOCX’s static‑only, deterministic design.
Scope
v0.7.8 focuses on:
- overlay detection and boundary validation
- extended entropy analysis across sections and overlays
- structural overlay heuristics
- adversarial overlay fixtures
- deterministic reason codes for overlay‑related anomalies
No unpacking, emulation, or dynamic analysis is introduced.
Goals
Extend IOCX’s static PE engine with:
- detection of appended data beyond the last section
- validation of overlay boundaries
- entropy analysis for overlays and section‑overlay transitions
- conservative heuristics for malformed or deceptive overlays
- deterministic handling of overlay‑heavy adversarial samples
All behaviour must remain reproducible and JSON‑safe.
Feature Requirements
1. Overlay Detection & Boundary Validation
Add support for:
- detecting appended data beyond the last section
- validating overlay start offset
- detecting zero‑length overlays
- detecting overlays overlapping section data
- detecting overlays located inside declared section ranges (invalid)
Expected behaviour:
Malformed overlays produce structured, non‑fatal errors; heuristics remain conservative; snapshot tests confirm determinism.
2. Extended Entropy Analysis
Expand entropy analysis to include:
- per‑section entropy
- overlay entropy
- entropy deltas between adjacent sections
- entropy anomalies (uniform entropy, sudden spikes, compressed‑looking data)
- entropy‑based structural hints (not packer detection)
Expected behaviour:
Entropy heuristics remain conservative; deceptive high‑entropy overlays do not trigger false positives; reason codes remain deterministic.
3. Structural Overlay Heuristics
Add deterministic heuristics for:
- extremely small overlays (1–16 bytes)
- extremely large overlays relative to image size
- overlay entropy inconsistent with section entropy
- overlay starting inside a section (invalid)
- overlays containing PE‑like signatures (fake nested PEs)
- overlays with misleading packer‑like patterns
Expected behaviour:
Heuristics must not misfire; output remains JSON‑safe; snapshot tests validate stability.
4. Adversarial Overlay Fixtures
Add adversarial samples covering:
- truncated overlays
- overlays with fake PE headers
- overlays with fake packer signatures
- overlays with uniform entropy
- overlays with extremely high entropy
- overlays with malformed boundaries
- deceptive “double overlay” structures
Expected behaviour:
Parser remains stable; no nondeterministic behaviour; no crashes on malformed overlays.
5. Reason‑Code Expansion for Overlay/Entropy Issues
Add new deterministic reason codes:
- malformed_overlay_boundary
- overlay_inside_section
- overlay_entropy_anomaly
- overlay_size_anomaly
- fake_nested_pe_signature
- uniform_entropy_pattern
- entropy_spike_between_sections
Expected behaviour:
Codes are lowercase, snake_case, non‑overlapping, and snapshot‑stable.
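To make sections 1, 2, 3 and 5 concrete, here is an added Python example that is not IOCX code: it walks a minimal section table, derives the overlay boundary, computes section and overlay entropy, and emits the reason codes listed above. The fixture builder, the thresholds (16 bytes, 4x section data, 3.0 bits) and the helper names are assumptions for illustration, and the buffers it builds are constructed test data, not real executables.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def build_pe(sections, overlay=b""):
    """Constructed PE-shaped test buffer; sections = [(PointerToRawData, SizeOfRawData, bytes present)]."""
    lfanew, table = 0x40, 0x40 + 24           # "PE" signature at 0x40, empty optional header
    pe = bytearray(max([table + 40 * len(sections)] + [p + len(d) for p, _, d in sections]))
    struct.pack_into("<I", pe, 0x3C, lfanew)
    pe[lfanew:lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", pe, lfanew + 6, len(sections))
    for i, (ptr, size, data) in enumerate(sections):
        struct.pack_into("<II", pe, table + 40 * i + 16, size, ptr)
        pe[ptr:ptr + len(data)] = data        # may be shorter than `size` (truncated fixture)
    return bytes(pe) + overlay

def section_ranges(pe: bytes):
    """(PointerToRawData, SizeOfRawData) per section header, in table order."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, lfanew + 6)[0]
    table = lfanew + 24 + struct.unpack_from("<H", pe, lfanew + 20)[0]
    return [struct.unpack_from("<II", pe, table + 40 * i + 16)[::-1] for i in range(nsec)]

def analyze_overlay(pe: bytes) -> dict:
    """Non-fatal, JSON-safe overlay report; thresholds (16 B, 4x, 3.0 bits) are assumed, not IOCX's."""
    secs, reasons = section_ranges(pe), set()
    end = max((p + s for p, s in secs), default=0)   # true end of declared section data
    # naive boundary = end of the last header in table order; flag it if it lands inside another section
    if secs and any(p <= sum(secs[-1]) < p + s for p, s in secs[:-1]):
        reasons.add("overlay_inside_section")
    if end > len(pe):
        reasons.add("malformed_overlay_boundary")    # declared section data runs past EOF
    start = min(end, len(pe))
    overlay = pe[start:]
    sec_ent, ovl_ent = [shannon_entropy(pe[p:p + s]) for p, s in secs], shannon_entropy(overlay)
    if overlay:
        if len(overlay) <= 16 or len(overlay) > 4 * end:
            reasons.add("overlay_size_anomaly")
        if ovl_ent == 0.0:                            # every overlay byte identical
            reasons.add("uniform_entropy_pattern")
        elif sec_ent and min(abs(ovl_ent - e) for e in sec_ent) > 3.0:
            reasons.add("overlay_entropy_anomaly")
        if overlay.startswith(b"MZ"):                 # conservative: MZ stub at overlay offset 0 only
            reasons.add("fake_nested_pe_signature")
    return {"overlay_offset": start, "overlay_size": len(overlay), "overlay_entropy": round(ovl_ent, 4),
            "section_entropy": [round(e, 4) for e in sec_ent], "reasons": sorted(reasons)}
```

The returned dict contains only ints, floats, strings and lists, so it serialises with json.dumps unchanged and gives the same output for the same bytes on every run.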
Output Requirements
All new overlay and entropy metadata must produce:
- deterministic JSON output
- structured Detection objects where applicable
- stable snapshot results
Parser errors must be:
- structured
- non‑fatal
- deterministic
- JSON‑safe
Integration Requirements
- add overlay fixtures under tests/contract/fixtures/layer2_overlays/
- add adversarial overlay fixtures under layer3_adversarial/
- add snapshot tests for all new metadata
- no new extractors
- no dynamic analysis
- no heavy dependencies
Non‑Goals (Strict)
v0.7.8 must not introduce:
- unpacking or emulation
- dynamic execution
- behavioural tracing
- ML/AI models
- sandboxing
- network access
- packer detection (reserved for v0.8.x)
- disassembly or CFG reconstruction
Testing Requirements
Tests must verify:
- correct detection of overlays
- correct validation of overlay boundaries
- deterministic entropy analysis
- stable behaviour on malformed overlays
- no false positives on normal system binaries
- no crashes or nondeterministic output
Acceptance Criteria