Mathilde Ollivier,Sébastien Bardin,Richard Bonichon,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1908.01549

2019-08-07

Abstract:Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

Cryptography and Security

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Zhanyong Tang,Kaiyuan Kuang,Lei Wang,Chao Xue,Xiaoqing Gong,Xiaojiang Chen,Dingyi Fang,Jie Liu,Zheng Wang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.246

2017-01-01

Abstract:Increasingly sophisticated code obfuscation techniques are quickly adopted by malware developers to escape from malware detection and to thwart the reverse engineering effort of security analysts. State-of-the-art de-obfuscation approaches rely on dynamic analysis, but face the challenge of low code coverage as not all software execution paths and behavior will be exposed at specific profiling runs. As a result, these approaches often fail to discover hidden malicious patterns. This paper introduces SEEAD, a novel and generic semantic-based de-obfuscation system. When building SEEAD, we try to rely on as few assumptions about the structure of the obfuscation tool as possible, so that the system can keep pace with the fast evolving code obfuscation techniques. To increase the code coverage, SEEAD dynamically directs the target program to execute different paths across different runs. This dynamic profiling scheme is rife with taint and control dependence analysis to reduce the search overhead, and a carefully designed protection scheme to bring the program to an error free status should any error happens during dynamic profile runs. As a result, the increased code coverage enables us to uncover hidden malicious behaviors that are not detected by traditional dynamic analysis based de-obfuscation approaches. We evaluate SEEAD on a range of benign and malicious obfuscated programs. Our experimental results show that SEEAD is able to successfully recover the original logic from obfuscated binaries.

Jun Guo,Lei Wang,Zhanyong Tang,Dingyi Fang

DOI: https://doi.org/10.13245/j.hust.160311

2016-01-01

Abstract:Current binary code de-obfuscation approaches only target a limited set of specific obfusca-tions and are ineffective against new obfuscations.State-of-the-art approaches of this problem are based on dynamic analysis and face the challenge of low code coverage.A semantics-based automated de-obfuscation approach was introduced.The key point of this approach is to optimize the instruction traces of the obfuscated program with the results of semantically relevant instruction identification, which can be applied to both existing and new obfuscation techniques.Moreover,a low-cost solution for multiple execution paths exploration was introduced.The proposed solution can enhance the code coverage and reduce the overhead at the same time.Experiment results show that the de-obfuscation approach is particularly effective and can be an invaluable aid for malware analysis.It can reduce the difficulty,and improve the efficiency of malware analysis effectively.

Jinxin Ma,Zhoujun Li,Chaojian Hu

DOI: https://doi.org/10.1109/cicn.2012.216

2012-01-01

Abstract:Disassembly is the preparative and crucial phase in reverse engineering and it helps people obtain the high-level semantics of binaries. However, considerable obfuscation technologies are presented to prevent the binary from the disassembler for the benefit and safety consideration. Unfortunately, hackers also could disguise their malware with obfuscation to escape the detection. Therefore, substantial literatures are published to thwart the obfuscation. Without discussing which side is legitimate conceptually, the paper proposed a measure to improving the disassembly result especially for the obfuscated binaries. By adopting some brilliant thought from the preceding publications, the paper presented several solutions to improve the result. A novel technique of verification stack pointer which is utilized to distinguish the bounds of functions, moreover, bytes-based pattern matching assist the disassembler to construct intra-procedural control flow graph dramatically. An implementation is designed and developed with the technology and considerable evaluations were taken on it. An example was provided in the evaluation section and it turned out that our disassembler could perform effectively and accurately.

Chang Wang,Zhaolong Zhang,Xiaoqi Jia,Donghai Tian

DOI: https://doi.org/10.1109/malware.2018.8659363

2018-01-01

Abstract:Software reverse engineering is the process of retrieving the source code or recovering the higher level structure from an executable binary file. It has a wide range of applications in software analysis, such as vulnerability mining and exploiting, blind patching and so on. But it can also be used for illegal activities such as software piracy and plagiarism, which bring huge losses to relevant workers. So Anti-reverse has important significance for intellectual property protection. In fact, it is difficult to protect a software against being reversed or malicious modifications.In this paper, we present and discuss a new binary obfuscation method based on reassemble. The binary reassembling refers to the process of disassembling an executable binaries into assembly code and assemble it back to a correct binary. We make binary obfuscation in this process because it can avoid many problems and have better protection than other obfuscation methods. We designed two obfuscating schemes including instruction substitution and control flow confusion. The resulting code is still a correct program, but it has more complex instruction execution sequence and sophisticated control flow graph. According to the experiment results, the obfuscated program has more smaller file size but it execute more slowly than the original program.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1145/2076732.2076784

2011-01-01

Abstract:Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.

Eric Filiol

DOI: https://doi.org/10.48550/arXiv.1009.4000

2010-09-21

Abstract:Fighting against computer malware require a mandatory step of reverse engineering. As soon as the code has been disassemblied/decompiled (including a dynamic analysis step), there is a hope to understand what the malware actually does and to implement a detection mean. This also applies to protection of software whenever one wishes to analyze them. In this paper, we show how to amour code in such a way that reserse engineering techniques (static and dymanic) are absolutely impossible by combining malicious cryptography techniques developped in our laboratory and new types of programming (k-ary codes). Suitable encryption algorithms combined with new cryptanalytic approaches to ease the protection of (malicious or not) binaries, enable to provide both total code armouring and large scale polymorphic features at the same time. A simple 400 Kb of executable code enables to produce a binary code and around $2^{140}$ mutated forms natively while going far beyond the old concept of decryptor.

Cryptography and Security

Jing Qiu,Xiao Hong Su,Pei Jun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amr.989-994.1782

2014-01-01

Advanced Materials Research

Abstract:Instruction traces are essential for dynamic analysis in reverse engineering. Code in instruction traces is often obfuscated to hinder analysts from understanding and analyzing in malware and binaries that protected by packers. Non-returning calls and call-stack tampering are two typical kinds of such obfuscation. We propose a deobfuscation approach to fight against these two kinds of obfuscated code. We first apply static analysis on instruction traces to identify obfuscated code. Then we transform obfuscated code into semantically equivalent instructions to make the code be easy to understand. Evaluations results on some packed binaries indicate that our approach works well in deobfuscate instruction traces with non-returning calls and call-stack tampering in high precision.

Novak Boskov,Mihailo Isakov,Michel A. Kinsy

DOI: https://doi.org/10.48550/arXiv.1912.01560

2019-11-29

Abstract:Binary analysis is traditionally used in the realm of malware detection. However, the same technique may be employed by an attacker to analyze the original binaries in order to reverse engineer them and extract exploitable weaknesses. When a binary is distributed to end users, it becomes a common remotely exploitable attack point. Code obfuscation is used to hinder reverse engineering of executable programs. In this paper, we focus on securing binary distribution, where attackers gain access to binaries distributed to end devices, in order to reverse engineer them and find potential vulnerabilities. Attackers do not however have means to monitor the execution of said devices. In particular, we focus on the control flow obfuscation --- a technique that prevents an attacker from restoring the correct reachability conditions for the basic blocks of a program. By doing so, we thwart attackers in their effort to infer the inputs that cause the program to enter a vulnerable state (e.g., buffer overrun). We propose a compiler extension for obfuscation and a minimal hardware modification for dynamic deobfuscation that takes advantage of a secret key stored in hardware. We evaluate our experiments on the LLVM compiler toolchain and the BRISC-V open source processor. On PARSEC benchmarks, our deobfuscation technique incurs only a 5\% runtime overhead. We evaluate the security of Drndalo by training classifiers on pairs of obfuscated and unobfuscated binaries. Our results shine light on the difficulty of producing obfuscated binaries of arbitrary programs in such a way that they are statistically indistinguishable from plain binaries.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Yujie Zhao,Zhanyong Tang,Guixin Ye,Xiaoqing Gong,Dingyi Fang

DOI: https://doi.org/10.1155/2021/4646048

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Data obfuscation is usually used by malicious software to avoid detection and reverse analysis. When analyzing the malware, such obfuscations have to be removed to restore the program into an easier understandable form (deobfuscation). The deobfuscation based on program synthesis provides a good solution for treating the target program as a black box. Thus, deobfuscation becomes a problem of finding the shortest instruction sequence to synthesize a program with the same input-output behavior as the target program. Existing work has two limitations: assuming that obfuscated code snippets in the target program are known and using a stochastic search algorithm resulting in low efficiency. In this paper, we propose fine-grained obfuscation detection for locating obfuscated code snippets by machine learning. Besides, we also combine the program synthesis and a heuristic search algorithm of Nested Monte Carlo Search. We have applied a prototype implementation of our ideas to data obfuscation in different tools, including OLLVM and Tigress. Our experimental results suggest that this approach is highly effective in locating and deobfuscating the binaries with data obfuscation, with an accuracy of at least 90.34%. Compared with the state-of-the-art deobfuscation technique, our approach’s efficiency has increased by 75%, with the success rate increasing by 5%.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Fangzhou Xu,Wang Zhang,Weizhong Qiang,Hai Jin

DOI: https://doi.org/10.1051/sands/2023023

2023-01-01

Abstract:Static analysis is often impeded by malware obfuscation techniques, such as encryption and packing, whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. While known evasive techniques can be explicitly dismantled, the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations, such as logic bombs that rely on uncertain conditions, let alone unsupported evasive techniques, which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques. The probabilities of branch execution are derived from dynamic coverage, while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions. Subsequently, Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration. This is achieved through forced execution, which forcefully sets the outcomes of branches on selected paths. Additionally, Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques, thereby reducing exploration overhead. Furthermore, Antitoxin provides valuable insights into sensitive behaviors, facilitating deeper manual analysis. Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner. The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations, enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows. Additionally, taint analysis can accurately identify branches related to logic bombs, facilitating preferential exploration.

Peidai Xie,Xicheng Lu,Yongjun Wang,Jinshu Su

2013-01-01

International Journal of Security and Its Applications

Abstract:In order to be a long time alive, modern malware often make anti-emulation check after launched for evading dynamic analysis. Malware authors gain fingerprint information of target environment through several API to detect whether their creations are running in monitored state or not. If an emulated analysis environment is detected, the malware will change its running to avoid malicious behavior exposing. The existing approaches are based on trace matching with a intuition that, given the same inputs, the execution of a program should be the same in simulated analysis environment and on a real hardware reference system. However those approaches are too fine-grained to be inefficient.In this paper we propose an approach to deal with anti-emulation using instruction traces and dynamic slicing. With a difference from trace matching solutions presented in existing references, our approach is performed on one instruction trace derived from our dynamic analysis platform. We evaluate our approach with 189 malware samples collected in the wild. The experience shows that our proposed approach can spot efAPI used for anti-emulation check in an efficient way.

Kaiyuan Kuan,Zhanyong Tang,Xiaoqing Gong,Dingyi Fang,Xiaojiang Chen,Heng Zhang,Jie Liu,Zheng Wang

DOI: https://doi.org/10.1109/uic-atc.2017.8397540

2017-01-01

Abstract:Unauthorized code modification based on reverse engineering is a serious threat for software industry. Virtual machine based code obfuscation is emerging as a powerful technique for software protection. However, the current Virtual machine code protection are vulnerable under semantic attacks which use dynamic profiling to transform an obfuscated program to construct a simpler program that is functionally equivalent to the obfuscated program but easier to analyze. This paper presents DSA-VMP, a novel VM-based code obfuscation technique, to address the issue of semantic attacks. Our design goal is to exploit dynamic data flows to increase the diversity of the program behaviour. Our approach uses multiple bytecode handlers to interpret a single bytecode and hides the logics that determine the program execution path (it is difficult for the attacker to anticipate the program execution flow). These two techniques greatly increase the diversity of the program execution where the protected code regions exhibit a complex data flow across multiple runs, making it harder and more time consuming to trace the program execution through profiling. Our approach is evaluated using a set of real-world applications. Experimental results show that DSA-VMP can well protect software against semantic attacks at the cost of little extra runtime overhead when compared to two commercial VM-based code obfuscation tools.

Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/iccd56317.2022.00075

2022-01-01

Abstract:Instruction disassemblers can be used for software reverse engineering, malware analysis, and undocumented instructions detection. However, flaws in the disassemblers directly affect the accuracy of its related applications. For example, if the disassembler fails to decode or misdecodes the binary code of malware, the reverse engineers may misinterpret the functionality of the malware. Therefore, it is necessary to systematically test the disassemblers. Existing works leverage the depth-first search (DFS) algorithm to search the x86 instruction space. However, they cannot cover all x86 instruction opcodes and register operands. The root cause is that existing DFS algorithms cannot guarantee the search depth for some instruction space. We proposed an approach, named FedDFS, to improve the search depth of DFS algorithm. We analyzed the x86 instruction formats and summarized the essential search depth for each instruction format. We leveraged a feedback controlled DFS algorithm, which is controlled by comparing its search depth with essential search depth. If FedDFS detects that search depth is smaller than essential search depth, the feedback mechanism promptly increases the search depth until it reaches the proper search depth. We evaluated FedDFS on disassembler Capstone and processors from Intel and AMD. The experimental results proved that, after increasing the search depth, FedDFS does improve the coverage of x86 instruction opcodes and register operands. FedDFS tested trillions of instructions and found more instruction flaws in Capstone, which of them can only be found by FedDFS.

Gwangyeol Lee,Minho Kim,Jeong Hyun Yi,Haehyun Cho

DOI: https://doi.org/10.3390/electronics13112081

IF: 2.9

2024-05-28

Electronics

Abstract:Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers, employing these sophisticated obfuscation strategies, continue to pose unresolved challenges, despite extensive research efforts. Recent studies, like API-Xray, have mainly concentrated on rebuilding obfuscated import tables in malware, but research into OEP obfuscation is still limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to tackle these complexities. Pinicorn bypasses packers' anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline codes within both OEP and the import table. Our evaluation shows that Pinicorn successfully deobfuscates programs hidden by three different packers, confirming its effectiveness through a comparative analysis with their original versions. Furthermore, we conducted experiments on malware obfuscated by Themida and VMProtect, analyzing the obfuscation techniques and successfully de-obfuscating them to validate the effectiveness of our approach.

engineering, electrical & electronic,physics, applied,computer science, information systems

Chengbin Pang,Ruotong Yu,Yaohui Chen,Eric Koskinen,Georgios Portokalidis,Bing Mao,Jun Xu

DOI: https://doi.org/10.1109/sp40001.2021.00012

2021-05-01

Abstract:Disassembly of binary code is hard, but necessary for improving the security of binary software. Over the past few decades, research in binary disassembly has produced many tools and frameworks, which have been made available to researchers and security professionals. These tools employ a variety of strategies that grant them different characteristics. The lack of systematization, however, impedes new research in the area and makes selecting the right tool hard, as we do not understand the strengths and weaknesses of existing tools. In this paper, we systematize binary disassembly through the study of nine popular, open-source tools. We couple the manual examination of their code bases with the most comprehensive experimental evaluation (thus far) using 3,788 binaries. Our study yields a comprehensive description and organization of strategies for disassembly, classifying them as either algorithm or else heuristic. Meanwhile, we measure and report the impact of individual algorithms on the results of each tool. We find that while principled algorithms are used by all tools, they still heavily rely on heuristics to increase code coverage. Depending on the heuristics used, different coverage-vs-correctness trade-offs come in play, leading to tools with different strengths and weaknesses. We envision that these findings will help users pick the right tool and assist researchers in improving binary disassembly.

Junyuan Zeng,Yangchun Fu,Kenneth A. Miller,Zhiqiang Lin,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.1145/2508859.2516664

2013-01-01

Abstract:With the wide existence of binary code, it is desirable to reuse it in many security applications, such as malware analysis and software patching. While prior approaches have shown that binary code can be extracted and reused, they are often based on static analysis and face challenges when coping with obfuscated binaries. This paper introduces trace-oriented programming (TOP), a general framework for generating new software from existing binary code by elevating the low-level binary code to C code with templates and inlined assembly. Different from existing work, TOP gains benefits from dynamic analysis such as resilience against obfuscation and avoidance of points-to analysis. Thus, TOP can be used for malware analysis, especially for malware function analysis and identification. We have implemented a proof-of-concept of TOP and our evaluation results with a range of benign and malicious software indicate that TOP is able to reconstruct source code from binary execution traces in malware analysis and identification, and binary function transplanting.

Lei Yu,Yucong Duan

DOI: https://doi.org/10.32604/cmc.2023.038970

2023-01-01

Abstract:Cloud computing and edge computing brought more software, which also brought a new danger of malicious software attacks. Data synchronization mechanisms of software can further help reverse data modifications. Based on the mechanisms, attackers can cover themselves behind the network and modify data undetected. Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks, when attackers intrude cloud server to access the source or binary codes. Therefore, we proposed a novel method to resist this kind of reverse engineering by breaking these rules. Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era. Our method is capable of (1) replacing the original assembly codes of the protected program with equivalent assembly instructions in an iteration way, (2) obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs, (3) encrypting data to confuse attackers. In addition, the approach can periodically and automatically modify the protected software binary codes, and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis. Furthermore, a simplified virtual machine is implemented to make the protected codes unreadable to attackers. Cloud game is one of the specific scenarios which needs low latency and strong data consistency. Cheat engine, Ollydbg, and Interactive Disassembler Professional (IDA) are used prevalently for games. Our improved methods can protect the software from the most vulnerable aspects. The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations. We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis. Experiments show that hidden dangers can be eliminated with efficient methods: Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.