Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Robin David,Sébastien Bardin,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1612.05675

2016-12-17

Abstract:Software deobfuscation is a crucial activity in security analysis and especially, in malware analysis. While standard static and dynamic approaches suffer from well-known shortcomings, Dynamic Symbolic Execution (DSE) has recently been proposed has an interesting alternative, more robust than static analysis and more complete than dynamic analysis. Yet, DSE addresses certain kinds of questions encountered by a reverser namely feasibility questions. Many issues arising during reverse, e.g. detecting protection schemes such as opaque predicates fall into the category of infeasibility questions. In this article, we present the Backward-Bounded DSE, a generic, precise, efficient and robust method for solving infeasibility questions. We demonstrate the benefit of the method for opaque predicates and call stack tampering, and give some insight for its usage for some other protection schemes. Especially, the technique has successfully been used on state-of-the-art packers as well as on the government-grade X-Tunnel malware -- allowing its entire deobfuscation. Backward-Bounded DSE does not supersede existing DSE approaches, but rather complements them by addressing infeasibility questions in a scalable and precise manner. Following this line, we propose sparse disassembly, a combination of Backward-Bounded DSE and static disassembly able to enlarge dynamic disassembly in a guaranteed way, hence getting the best of dynamic and static disassembly. This work paves the way for robust, efficient and precise disassembly tools for heavily-obfuscated binaries.

Cryptography and Security,Software Engineering

Chengbin Pang,Tiantai Zhang,Xuelan Xu,Linzhang Wang,Bing Mao

DOI: https://doi.org/10.1145/3597926.3598097

2023-01-01

Abstract:Function entry identification is a crucial yet challenging task for binary disassemblers that has been the focus of research in the past decades. However, recent researches show that call frame information (CFI) provides accurate and almost complete function entries. With the aid of CFI, disassemblers have significant improvements in function entry detection. CFI is specifically designed for efficient stack unwinding, and every function has corresponding CFI in x64 and aarch64 architectures. Nevertheless, not every function and instruction unwinds the stack at runtime, and this observation has led to the development of techniques such as obfuscation to complicate function detection by disassemblers. We propose a prototype of OCFI to obfuscate CFI based on this observation. The goal of OCFI is to obstruct function detection of popular disassemblers that use CFI as a way to detect function entries. We evaluated OCFI on a large-scale dataset that includes real-world applications and automated generation programs, and found that the obfuscated CFI was able to correctly unwind the stack and make the detection of function entries of popular disassemblers more difficult. Furthermore, on average, OCFI incurs a size overhead of only 4% and nearly zero runtime overhead.

Peihua Zhang,Chenggang Wu,Mingfan Peng,Kai Zeng,Ding Yu,Yuanming Lai,Yan Kang,Wei Wang,Zhe Wang

DOI: https://doi.org/10.48550/arXiv.2301.11586

2023-01-27

Cryptography and Security

Abstract:Software obfuscation techniques can prevent binary diffing techniques from locating vulnerable code by obfuscating the third-party code, to achieve the purpose of protecting embedded device software. With the rapid development of binary diffing techniques, they can achieve more and more accurate function matching and identification by extracting the features within the function. This makes existing software obfuscation techniques, which mainly focus on the intra-procedural code obfuscation, no longer effective. In this paper, we propose a new inter-procedural code obfuscation mechanism Khaos, which moves the code across functions to obfuscate the function by using compilation optimizations. Two obfuscation primitives are proposed to separate and aggregate the function, which are called fission and fusion respectively. A prototype of Khaos is implemented based on the LLVM compiler and evaluated on a large number of real-world programs including SPEC CPU 2006 & 2017, CoreUtils, JavaScript engines, etc. Experimental results show that Khaos outperforms existing code obfuscations and can significantly reduce the accuracy rates of five state-of-the-art binary diffing techniques (less than 19%) with lower runtime overhead (less than 7%).

Zeliang Kan,Haoyu Wang,Lei Wu,Yao Guo,Guoai Xu

DOI: https://doi.org/10.1109/icse-companion.2019.00135

2019-01-01

Abstract:In this paper, we propose an automated approach to facilitate the deobfuscation of Android native binary code. Specifically, given a native binary obfuscated by Obfuscator-LLVM (the most popular native code obfuscator), our deobfuscation system is capable of recovering the original Control Flow Graph. To the best of our knowledge, it is the first work that aims to tackle the problem. We have applied our system in different scenarios, and the experimental results demonstrate the effectiveness of our system based on generic similarity comparison metrics.

Asmita Pal,Keerthana Desai,Rahul Chatterjee,Joshua San Miguel

DOI: https://doi.org/10.1145/3650110

IF: 1.444

2024-02-29

ACM Transactions on Architecture and Code Optimization

Abstract:Trace-based simulation is a widely used methodology for system design exploration. It relies on realistic traces that represent a range of behaviors necessary to be evaluated, containing a lot of information about the application, its inputs and the underlying system on which it was generated. Consequently, generating traces from real-world executions risk leakage of sensitive information. To prevent this, traces can be obfuscated before release. However, this can undermine their ideal utility, i.e., how realistically a program behavior was captured. To address this, we propose Camouflage, a novel obfuscation framework, designed with awareness of the necessary architectural properties required to preserve trace utility , while ensuring secrecy of the inputs used to generate the trace. Focusing on memory access traces, our extensive evaluation on various benchmarks shows that camouflaged traces preserve the performance measurements of the original execution, with an average τ correlation of 0.66. We model input secrecy as an input indistinguishability problem and show that the average security loss is 7.8%, which is better than traces generated from the state-of-the-art.

computer science, theory & methods, hardware & architecture

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

FU Jian-jing,WANG Ke

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.012

2010-01-01

Abstract:A compiler built-in obfuscating technology was developed in order to protect software intellectual property and keep from reverse engineering and static analysis. A crossing control-flow code obfuscation technology and the corresponding compiling solution were presented. The control crossing principle of If statement and While loop statement were given out,which produced the control blocks of multi-level exit and entry,so the code control flow became more complicated. Meanwhile,the protected code block was placed in the crossing control blocks to conceal the true control flow. Then the automatic anti-compile can be effectively prevented and the difficulty of software analysis was enhanced. Because the crossing control-flow in source code level cannot be passed by compiler,a compatible compiling method of built-in functions was presented,which made programming simple and safe. The simulation and analysis results indicated that the technology had good protection effect for source code; the target code was slightly increased after compiled,and its running efficiency was almost not affected.

Zhi Xin,Huiyu Chen,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-18178-8_16

2011-01-01

Abstract:Program obfuscation techniques have been widely used by malware to dodge the scanning from anti-virus detectors. However, signature based on the data structures appearing in the runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscate the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable. After evaluated by fourteen real-world malware programs, we present that our tool maintains a high proportion of obfuscated data structures as 60.19% for type and 60.49% for variable.

LI Chengyang,HUANG Tianbo,CHEN Xiarun,WEN Weiping

DOI: https://doi.org/10.3778/j.issn.1002-8331.2112-0035

2023-01-01

Abstract:Software security issues are becoming more prominent in the post-epidemic era, and code obfuscation as a mature protection scheme provides the possibility of cross-platform use with the help of LLVM. However, LLVM-based control flow obfuscation algorithms are limited in terms of protection strength, on the one hand, the existing algorithm model is immutable and lacks structural innovation. On the other hand, the obfuscation processing does not take into account the fact that attackers can base on the basic block. Therefore, two algorithms are proposed:firstly, nested switch obfuscation, which breaks the inherent flat processing model and enhances the hiding of the hopping amount by reconstructing the switch structure internally; secondly, indegree obfuscation, which adds an anti-entry degree analysis strategy to the false control flow to circumvent the false block by changing the indegree of the false block. The results show that the obfuscation method can further reduce 58.67% of the basic block similarity and increase 64.44% of the jump instructions compared to the existing control-flow obfuscation scheme within 1.5 times the temporal overhead.

Yuichiro Kanzaki,Clark D. Thomborson,Akito Monden,Christian S. Collberg

DOI: https://doi.org/10.1145/2843859.2843862

2015-01-01

Abstract:ABSTRACTIn this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.

Vadim Kotov,Michael Wojnowicz

DOI: https://doi.org/10.48550/arXiv.1802.04466

2020-12-06

Abstract:A common way to get insight into a malicious program's functionality is to look at which API functions it calls. To complicate the reverse engineering of their programs, malware authors deploy API obfuscation techniques, hiding them from analysts' eyes and anti-malware scanners. This problem can be partially addressed by using dynamic analysis; that is, by executing a malware sample in a controlled environment and logging the API calls. However, malware that is aware of virtual machines and sandboxes might terminate without showing any signs of malicious behavior. In this paper, we introduce a static analysis technique allowing generic deobfuscation of Windows API calls. The technique utilizes symbolic execution and hidden Markov models to predict API names from the arguments passed to the API functions. Our best prediction model can correctly identify API names with 87.60% accuracy.

Cryptography and Security,Applications

Ali Ajorian,Erick Lavoie,Christian Tschudin

2024-11-08

Abstract:Obfuscation of computer programs has historically been approached either as a practical but \textit{ad hoc} craft to make reverse engineering subjectively difficult, or as a sound theoretical investigation unfortunately detached from the numerous existing constraints of engineering practical systems. In this paper, we propose \textit{instruction decorrelation} as a new approach that makes the instructions of a set of real-world programs appear independent from one another. We contribute: a formal definition of \textit{instruction independence} with multiple instantiations for various aspects of programs; a combination of program transformations that meet the corresponding instances of instruction independence against an honest-but-curious adversary, specifically random interleaving and memory access obfuscation; and an implementation of an interpreter that uses a trusted execution environment (TEE) only to perform memory address translation and memory shuffling, leaving instructions execution outside the TEE. These first steps highlight the practicality of our approach. Combined with additional techniques to protect the content of memory and to hopefully lower the requirements on TEEs, this work could potentially lead to more secure obfuscation techniques that could execute on commonly available hardware.

Cryptography and Security,Programming Languages

Mathilde Ollivier,Sébastien Bardin,Richard Bonichon,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1908.01549

2019-08-07

Abstract:Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

Cryptography and Security

Shuai Jiang,Yao Hong,Cai Fu,Yekui Qian,Lansheng Han

DOI: https://doi.org/10.1016/j.jisa.2021.102953

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:The obfuscation detection technology is an important auxiliary means of malware detection. Also, for security practitioners, it can carry out automatic obfuscation detection before manual reverse analysis, which helps reverse engineers to perform reverse analysis more specifically. Existing obfuscation detection methods are mainly for Android applications and based on traditional machine learning, whose detection granularity is coarse, generality is poor, and the performance is not good enough. To address these issues, in this paper, we propose a function-level obfuscation detection method based on Graph Convolutional Networks for X86 assembly code and Android applications. Firstly, our method is function-level obfuscation detection, and we extract the Control Flow Graph (CFG) of each function as its feature, including the adjacency matrix and the basic block feature matrix. Secondly, we build a hybrid neural network model GCN-LSTM as our obfuscation detection model, which combines the Graph Convolutional Network (GCN) and the Long Short-Term Memory (LSTM). Finally, we conduct experiments using real-world open-source programs and compare results with baseline methods. For function-level detection, the accuracy of our method is 94.7575% for X86 assembly code and 98.9457% for Android applications, both of which are better than baseline methods. For APK-level detection, our method can almost completely detect the obfuscated APKs. Experimental results show that our method performs well for both X86 assembly code and Android applications and is superior to the baseline methods in both function-level detection and APK-level detection. Our research showcases a successful application of the Graph Convolutional Network and the Control Flow Graph on code obfuscation detection problems.

Christian Collberg,Clark Thomborson,Douglas Low

1997-01-01

Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering....

ZHANG Yi-chi,PANG Jian-min,ZHAO Rong-cai,HAN Xiao-su

2009-01-01

Abstract:Malware writers make use of exception return of subroutine to evade detecting by malware detectors.To crack the technique,this paper proposes a novel disassembly algorithm.This algorithm decodes an executable file twice and emulates the operations on memory stack.Through this twice-decoding and emulation process,this algorithm can be used to recognize exception returns and thus ensure the correctness of a decoding process.Compared with two commonly used disassemblers IDAPro and OBJDump,this algorithm is better at identifying this kind of exception and improves the rate of disassembly.

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Hameeza Ahmed,Muhammad Faraz Hyder,Muhammad Fahim ul Haque,Paulo Cesar Santos

DOI: https://doi.org/10.1016/j.cose.2024.103704

IF: 5.105

2024-01-11

Computers & Security

Abstract:Code obfuscation is a promising technique for securing software and protecting it from adversaries. The objective is to harden the exploitation of security vulnerabilities for the attacker as well as launching of successful attacks. Obfuscation can be classified into layout, data, and control flow obfuscation. Control flow obfuscation impedes the understanding of the application logic by making it complicated to determine the actual control flows. Although numerous control flow methods exist in the literature, the role of existing compiler optimizations has just been discovered. This paper is the first one that explores the existing optimization space of LLVM compiler for obfuscating code. Our techniques optimally explore the native compiler's optimizations to improve the original code performance and reduce memory space with no disruptive efforts, tools, or extra costs. In the CBench benchmark suite, our work is able to improve 246%, 143%, and 468% in cyclomatic complexity, program length, and implementation effort, respectively, compared to unobfuscated code. Therefore, instead of inventing new obfuscation tools, the existing compiler optimizations can easily be used to obfuscate control flows, saving the overall cost and efforts.

computer science, information systems