A Generic Approach to Automatic Deobfuscation of Executable Code

Yadegari, Babak; Johannesmeyer, Brian; Whitely, Ben; Debray, Saumya

doi:10.1109/sp.2015.47

Cited by 150 publications

(146 citation statements)

References 25 publications

Supporting

Mentioning

140

Contrasting

Order By: Relevance

“…We complement this approach by considering a class of obfuscation mechanisms that are inherently difficult to analyze with taint analysis. Yadegari et al [9] also measured the impact of different taint analysis techniques on the quality of the deobfuscation for several off-the-shelf virtualization-based obfuscators.…”

Section: Related Workmentioning

confidence: 99%

“…State of the art in deobfuscation shows that control flow flattening not based on opaque predicates can be broken by using static path deobfuscation [7]. Recent work [8,9] focuses on the use of symbolic analysis together with taint analysis to deobfuscate virtualized binaries and allow exploration of their execution path. Symbolic analysis maintains sets of constraints on the execution paths to determine which inputs cause each branch of a conditional statement to be explored.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Effectiveness of synthesis in concolic deobfuscation

Biondi

Josse²,

Legay

et al. 2017

Computers & Security

View full text Add to dashboard Cite

Control flow obfuscation techniques can be used to hinder software reverseengineering. Symbolic analysis can counteract these techniques, but only if they can analyze obfuscated conditional statements. We evaluate the use of dynamic synthesis to complement symbolic analysis in the analysis of obfuscated conditionals. We test this approach on the taint-analysis-resistant Mixed Boolean Arithmetics (MBA) obfuscation method that is commonly used to obfuscate and randomly diversify statements. We experimentally ascertain the practical feasibility of MBA obfuscation. We study using SMT-based approaches with different state-of-the-art SMT solvers to counteract MBA obfuscation, and we show how targeted algebraic simplification can greatly reduce the analysis time. We show that synthesis-based deobfuscation is more effective than current SMT-based deobfuscation algorithms, thus proposing a synthesis-based attacker model to complement existing attacker models.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Effectiveness of synthesis in concolic deobfuscation

Biondi

Josse²,

Legay

et al. 2017

Computers & Security

View full text Add to dashboard Cite

show abstract

“…On the other side, since one x86 instruction will be translated into several virtual bytecode that are emulated at run time, applying virtualization obfuscation on the whole program will introduce unacceptable time and space overheads. Typically, virtualization obfuscation is used to selectively protect the key [70]. As shown in Table V, two cases fail at 10% obfuscation level and three test cases do not work when 30% code is obfuscated.…”

Section: A Case Study I: Same Programsmentioning

confidence: 99%

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Jiang

Zhang

et al. 2016

IEEE Trans. Rel.

View full text Add to dashboard Cite

Software plagiarism, an act of illegally copying others' code, has become a serious concern for honest software companies and the open source community. Considerable research efforts have been dedicated to searching the evidence of software plagiarism. In this paper, we continue this line of research and propose LoPD, a deviation-based program equivalence checking approach, which is an ideal fit for the whole-program plagiarism detection. Instead of directly comparing the similarity between two programs, LoPD searches for any dissimilarity between two programs by finding an input that will cause these two programs to behave differently, either with different output states or with semantically different execution paths. As long as we can find one dissimilarity, the programs are semantically different; but if we cannot find any dissimilarity, it is more likely a plagiarism case. We leverage dynamic symbolic execution to capture the semantics of execution paths and to find path deviations. Compared to the existing detection approaches, LoPD's formal program semantics-based method is more resilient to automatic obfuscation schemes. Our evaluation results indicate that LoPD is effective in detecting whole-program plagiarism. Furthermore, we demonstrate that LoPD can be applied to partial software plagiarism detection as well. The encouraging experiment results show that LoPD is an appealing complement to existing software plagiarism detection approaches.Index Terms-Path deviation, program logic, semantical difference, software plagiarism, symbolic execution.

show abstract

“…a hidden key, an algorithm, etc.) [11,25,28]. Effectively, they enable reverse engineers to cope with a large number of programs.…”

Section: Introductionmentioning

confidence: 99%

Metadata recovery from obfuscated programs using machine learning

Salem

Bănescu

2016

Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering

View full text Add to dashboard Cite

Obfuscation is a mechanism used to hinder reverse engineering of programs. To cope with the large number of obfuscated programs, especially malware, reverse engineers automate the process of deobfuscation i.e. extracting information from obfuscated programs. Deobfuscation techniques target specific obfuscation transformations, which requires reverse engineers to manually identify the transformations used by a program, in what is known as metadata recovery attack. In this paper, we present Oedipus, a Python framework that uses machine learning classifiers viz., decision trees and naive Bayes, to automate metadata recovery attacks against obfuscated programs. We evaluated Oedipus' performance using two datasets totaling 1960 unobfuscated C programs, which were used to generate 11.075 programs obfuscated using 30 configurations of 6 different obfuscation transformations. Our results empirically show the feasibility of using machine learning to implement the metadata recovery attacks with classification accuracies of 100% in some cases.

show abstract

A Generic Approach to Automatic Deobfuscation of Executable Code

Cited by 150 publications

References 25 publications

Effectiveness of synthesis in concolic deobfuscation

Effectiveness of synthesis in concolic deobfuscation

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Metadata recovery from obfuscated programs using machine learning

Contact Info

Product

Resources

About