Seoksu Lee,Hyeongchang Jeon,Eun-Sun Cho

2024-04-08

Abstract:Code obfuscation involves the addition of meaningless code or the complication of existing code in order to make a program difficult to reverse engineer. In recent years, MBA (Mixed Boolean Arithmetic) obfuscation has been applied to virus and malware code to impede expert analysis. Among the various obfuscation techniques, Mixed Boolean Arithmetic (MBA) obfuscation is considered the most challenging to decipher using existing code deobfuscation techniques. In this paper, we have attempted to simplify the MBA expression. We use an e-graph data structure to efficiently hold multiple expressions of the same semantics to systematically rewrite terms and find simpler expressions. The preliminary experimental result shows that our e-graph based MBA deobfuscation approach works faster with reasonable performance than other approaches do.

Cryptography and Security

Benjamin Reichenwallner,Peter Meerwald-Stadler

DOI: https://doi.org/10.48550/arXiv.2305.06763

2023-05-11

Cryptography and Security

Abstract:Malware code often resorts to various self-protection techniques to complicate analysis. One such technique is applying Mixed-Boolean Arithmetic (MBA) expressions as a way to create opaque predicates and diversify and obfuscate the data flow. In this work we aim to provide tools for the simplification of nonlinear MBA expressions in a very practical context to compete in the arms race between the generation of hard, diverse MBAs and their analysis. The proposed algorithm GAMBA employs algebraic rewriting at its core and extends SiMBA. It achieves efficient deobfuscation of MBA expressions from the most widely tested public datasets and simplifies expressions to their ground truths in most cases, surpassing peer tools.

Benjamin Reichenwallner,Peter Meerwald-Stadler

DOI: https://doi.org/10.48550/arXiv.2209.06335

2022-09-13

Cryptography and Security

Abstract:Mixed Boolean-Arithmetic (MBA) expressions are frequently used for obfuscation. As they combine arithmetic as well as Boolean operations, neither arithmetic laws nor transformation rules for logical formulas can be applied to suitably complex expressions, making MBAs hard to simplify and solve. In 2019, Liu et al. demystified linear MBAs, leveraging a transformation between the set $B=\{0,1\}$ of bit values and the set $B^n$ of words of length $n\in\mathbb{N}$ for linear MBAs, originally introduced by Zhou et al. in 2007. With their MBA-Blast and MBA-Solver algorithms, they outperform existing tools noticably in terms of performance as well as ability to simplify of such MBAs. We propose a surprisingly simple algorithm called SiMBA that improves upon MBA-Blast and MBA-Solver in that it can deobfuscate all linear MBAs, does not miss particularly simple solutions and takes only a fraction of their runtime.

Colton Skees

2024-06-21

Abstract:Mixed Boolean-Arithmetic (MBA) obfuscation is a common technique used to transform simple expressions into semantically equivalent but more complex combinations of boolean and arithmetic operators. Its widespread usage in DRM systems, malware, and software protectors is well documented. In 2021, Liu et al. proposed a groundbreaking method of simplifying linear MBAs, utilizing a hidden two-way transformation between 1-bit and n-bit variables. In 2022, Reichenwallner et al. proposed a similar but more effective method of simplifying linear MBAs, SiMBA, relying on a similar but more involved theorem. However, because current linear MBA simplifiers operate in 1-bit space, they cannot handle expressions which utilize constants inside of their bitwise operands, e.g. (x&1), (x&1111) + (y&1111). We propose an extension to SiMBA that enables simplification of this broader class of expressions. It surpasses peer tools, achieving efficient simplification of a class of MBAs that current simplifiers struggle with.

Cryptography and Security

Seong-Kyun Mok,Seoyeon Kang,Jeongwoo Kim,Eun-Sun Cho,Seokwoo Choi

DOI: https://doi.org/10.48550/arXiv.2208.05612

2022-08-11

Cryptography and Security

Abstract:MBA (mixed boolean and arithmetic) expressions are hard to simplify, so used for malware obfuscation to hinder analysts' diagnosis. Some MBA simplification methods with high performance have been developed, but they narrowed the target to "linear" MBA expressions, which allows efficient solutions based on logic/term-rewriting. However such restrictions are not appropriate for general forms of MBA expressions usually appearing in malware. To overcome this limitation, we introduce a "semi-linear" MBA expression, a new class of MBA expression extended from a linear MBA expression, and propose a new MBA simplifier called "SSLEM", based on a simplification idea of semi-linear MBA expressions and program synthesis

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/tcad.2018.2864220

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Since the first circuit obfuscation technique was proposed to thwart reverse engineering (RE) attacks to integrated circuits (ICs), there have been active research in de-obfuscation attacks and new obfuscation countermeasures. Although it is crucial for an obfuscation method to be secure against known de-obfuscation attacks, it is equally important to keep the cost of circuit obfuscation low. Most importantly, obfuscation methods need to be formally analyzed for their effectiveness and efficiency. In this paper, we propose a set of quantitatively evaluable metrics for this purpose, particularly facilitated by a recently proposed circuit partition attack (CPA) and the powerful SAT-based attack (SATA). Moreover, we find that CPA can be applied prior to any de-obfuscation attacks to reduce RE efforts exponentially. We then propose a new equivalent class guided obfuscation scheme (ECG-Obfus) to defeat CPA which leverages specially designed camouflaged cells to replace judiciously selected logic gates. Specifically, we select candidate gates for obfuscation from one certain equivalent class, in which the underlying equivalent relation is defined based on IC topological structure information. We evaluate ECG-Obfus using the proposed metrics and conduct experiments on ISCAS 85/89 standard benchmark suites and OpenSparc T1 microprocessor. The results show that ECG-Obfus gains good resilience against known de-obfuscation attacks (including CPA and SATA), with low design complexity and performance overhead.

Johannes Schneider,Thomas Locher

DOI: https://doi.org/10.48550/arXiv.1612.03345

2016-12-11

Abstract:Protecting source code against reverse engineering and theft is an important problem. The goal is to carry out computations using confidential algorithms on an untrusted party while ensuring confidentiality of algorithms. This problem has been addressed for Boolean circuits known as `circuit privacy'. Circuits corresponding to real-world programs are impractical. Well-known obfuscation techniques are highly practicable, but provide only limited security, e.g., no piracy protection. In this work, we modify source code yielding programs with adjustable performance and security guarantees ranging from indistinguishability obfuscators to (non-secure) ordinary obfuscation. The idea is to artificially generate `misleading' statements. Their results are combined with the outcome of a confidential statement using encrypted \emph{selector variables}. Thus, an attacker must `guess' the encrypted selector variables to disguise the confidential source code. We evaluated our method using more than ten programmers as well as pattern mining across open source code repositories to gain insights of (micro-)coding patterns that are relevant for generating misleading statements. The evaluation reveals that our approach is effective in that it successfully preserves source code confidentiality.

Cryptography and Security

Mathilde Ollivier,Sébastien Bardin,Richard Bonichon,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1908.01549

2019-08-07

Abstract:Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

Cryptography and Security

Hui Xu,Yangfan Zhou,Yu Kang,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.1710.01139

2017-10-03

Abstract:Program obfuscation is a widely employed approach for software intellectual property protection. However, general obfuscation methods (e.g., lexical obfuscation, control obfuscation) implemented in mainstream obfuscation tools are heuristic and have little security guarantee. Recently in 2013, Garg et al. have achieved a breakthrough in secure program obfuscation with a graded encoding mechanism and they have shown that it can fulfill a compelling security property, i.e., indistinguishability. Nevertheless, the mechanism incurs too much overhead for practical usage. Besides, it focuses on obfuscating computation models (e.g., circuits) rather than real codes. In this paper, we aim to explore secure and usable obfuscation approaches from the literature. Our main finding is that currently we still have no such approaches made secure and usable. The main reason is we do not have adequate evaluation metrics concerning both security and performance. On one hand, existing code-oriented obfuscation approaches generally evaluate the increased obscurity rather than security guarantee. On the other hand, the performance requirement for model-oriented obfuscation approaches is too weak to develop practical program obfuscation solutions.

Cryptography and Security,Software Engineering

Hui Xu,Yangfan Zhou,Yu Kang,Fengzhi Tu,Michael R. Lyu

DOI: https://doi.org/10.1109/DSN.2018.00073

2018-01-01

Abstract:Control-flow obfuscation increases program complexity by semantic-preserving transformation. Opaque predicates are essential gadgets to achieve such transformation. However, we observe that real-world opaque predicates are generally very simple and engage little security consideration. Recently, such insecure opaque predicates have been severely attacked by symbolic execution-based adversaries and jeopardize the security of control-flow obfuscation. This paper, therefore, proposes symbolic opaque predicates which can be resilient to symbolic execution-based adversaries. We design a general framework to compose such opaque predicates, which requires introducing challenging symbolic analysis problems (e.g., symbolic memory) in each opaque predicate. In this way, we may mislead symbolic execution engines into reaching false conclusions. We observe a novel bi-opaque property about symbolic opaque predicates, which can incur not only false negative issues but also false positive issues to attackers. To evaluate the efficacy of our idea, we have implemented a prototype obfuscation tool based on Obfuscator-LLVM and conduct experiments with real-world programs. Our evaluation results show that symbolic opaque predicates demonstrate excellent resilience to prevalent symbolic execution engines, such as BAP, Triton, and Angr. Moreover, although the costs of symbolic opaque predicates may vary for different problem settings, some predicates can be very efficient. Therefore, our framework is both secure and usable. Users can follow the framework to introduce symbolic opaque predicates into their obfuscation tools and made them more powerful.

Xueyan Wang,Xiaotao Jia,Qiang Zhou,Yici Cai,Jianlei Yang,Mingze Gao,Gang Qu

DOI: https://doi.org/10.1145/2902961.2903000

2016-01-01

Abstract:Circuit obfuscation techniques have been proposed to conceal circuit's functionality in order to thwart reverse engineering (RE) attacks to integrated circuits (IC). We believe that a good obfuscation method should have low design complexity and low performance overhead, yet, causing high RE attack complexity. However, existing obfuscation techniques do not meet all these requirements. In this paper, we propose a polynomial obfuscation scheme which leverages special designed multiplexers (MUXs) to replace judiciously selected logic gates. Candidate to-be-obfuscated logic gates are selected based on a novel gate classification method which utilizes IC topological structure information. We show that this scheme is resilient to all the known attacks, hence it is secure. Experiments are conducted on ISCAS 85/89 and MCNC benchmark suites to evaluate the performance overhead due to obfuscation.

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.

Hui Xu,Yangfan Zhou,Jiang Ming,Michael Lyu

DOI: https://doi.org/10.1186/s42400-020-00049-3

2020-01-01

Abstract:Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

Stephen Drape,Clark Thomborson,Anirban Majumdar

DOI: https://doi.org/10.1007/978-3-540-75496-1_20

2007-01-01

Abstract:An obfuscation aims to transform a program, without affecting the functionality, so that some secret information within the program can be hidden for as long as possible from an adversary. Proving that an obfuscating transform is correct (i.e. it preserves functionality) is considered to be a challenging task.In this paper we show how data refinement can be used to specify imperative data obfuscations. An advantage of this approach is that we can establish a framework in which we can prove the correctness of our obfuscations. We demonstrate our framework by considering some examples from obfuscation literature. We show how to specify these obfuscations, prove that they are correct and produce generalisations.

Hameeza Ahmed,Muhammad Faraz Hyder,Muhammad Fahim ul Haque,Paulo Cesar Santos

DOI: https://doi.org/10.1016/j.cose.2024.103704

IF: 5.105

2024-01-11

Computers & Security

Abstract:Code obfuscation is a promising technique for securing software and protecting it from adversaries. The objective is to harden the exploitation of security vulnerabilities for the attacker as well as launching of successful attacks. Obfuscation can be classified into layout, data, and control flow obfuscation. Control flow obfuscation impedes the understanding of the application logic by making it complicated to determine the actual control flows. Although numerous control flow methods exist in the literature, the role of existing compiler optimizations has just been discovered. This paper is the first one that explores the existing optimization space of LLVM compiler for obfuscating code. Our techniques optimally explore the native compiler's optimizations to improve the original code performance and reduce memory space with no disruptive efforts, tools, or extra costs. In the CBench benchmark suite, our work is able to improve 246%, 143%, and 468% in cyclomatic complexity, program length, and implementation effort, respectively, compared to unobfuscated code. Therefore, instead of inventing new obfuscation tools, the existing compiler optimizations can easily be used to obfuscate control flows, saving the overall cost and efforts.

computer science, information systems

Cunxi Yu,Daniel Holcomb

DOI: https://doi.org/10.48550/arXiv.1809.06207

2018-09-17

Cryptography and Security

Abstract:Galois Field arithmetic blocks are the key components in many security applications, such as Elliptic Curve Cryptography (ECC) and the S-Boxes of the Advanced Encryption Standard (AES) cipher. This paper introduces a novel hardware intellectual property (IP) protection technique by obfuscating arithmetic functions over Galois Field (GF), specifically, focusing on obfuscation of GF multiplication that underpins complex GF arithmetic and elliptic curve point arithmetic functions. Obfuscating GF multiplication circuits is important because the choice of irreducible polynomials in GF multiplication has the great impact on the performance of the hardware designs, and because the significant effort is spent on finding an optimum irreducible polynomial for a given field, which can provide one company a competitive advantage over another.

Clark Thomborson

DOI: https://doi.org/10.48550/arxiv.1501.02885

2015-01-01

Abstract:We propose a set of benchmarks for evaluating the practicality of software obfuscators which rely on provably-secure methods for functional obfuscation.

Pei Wang,Shuai Wang,Jiang Ming,Yufei Jiang,Dinghao Wu

DOI: https://doi.org/10.1109/eurosp.2016.21

2016-03-01

Abstract:Program obfuscation is an important software protection technique that prevents attackers from revealing the programming logic and design of the software. We introduce translingual obfuscation, a new software obfuscation scheme which makes programs obscure by "misusing" the unique features of certain programming languages. Translingual obfuscation translates part of a program from its original language to another language which has a different programming paradigm and execution model, thus increasing program complexity and impeding reverse engineering. In this paper, we investigate the feasibility and effectiveness of translingual obfuscation with Prolog, a logic programming language. We implement translingual obfuscation in a tool called BABEL, which can selectively translate C functions into Prolog predicates. By leveraging two important features of the Prolog language, i.e., unification and backtracking, BABEL obfuscates both the data layout and control flow of C programs, making them much more difficult to reverse engineer. Our experiments show that BABEL provides effective and stealthy software obfuscation, while the cost is only modest compared to one of the most popular commercial obfuscators on the market. With BABEL, we verified the feasibility of translingual obfuscation, which we consider to be a promising new direction for software obfuscation.

Zhi Xin,Huiyu Chen,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-18178-8_16

2011-01-01

Abstract:Program obfuscation techniques have been widely used by malware to dodge the scanning from anti-virus detectors. However, signature based on the data structures appearing in the runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscate the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable. After evaluated by fourteen real-world malware programs, we present that our tool maintains a high proportion of obfuscated data structures as 60.19% for type and 60.49% for variable.

Christian Collberg,Clark Thomborson,Douglas Low

1997-01-01

Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering....