Defeating MBA-based Obfuscation

Eyrolles, Ninon; Goubin, Louis; Videau, Marion

doi:10.1145/2995306.2995308

Cited by 29 publications

(28 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Biondi et al [11] propose an obfuscation based on Mixed Boolean-Arithmetic expressions [50] to complexify points-to functions, making it harder for solvers to determine the trigger. Eyrolles et al [27] present a similar obfuscation together with a MBA expression simplifier based on pattern matching and arithmetic simplifications. Cryptographic hash functions hinder current solvers and can replace MBA [40].…”

Section: Related Workmentioning

confidence: 99%

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Ollivier

Bardin

Bonichon

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Ollivier

Bardin

Bonichon

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…This leads to a possible pattern matching attack (i.e. dictionary attack) [16], where one takes obfuscated predicates from a program being attacked and pattern-matches the source code against known examples. Nevertheless, it is possible to build variants of opaque predicates that cannot be matched using dictionary attacks, which implies a high false negative rate.…”

Section: Deobfuscationmentioning

confidence: 99%

“…As a consequence, several works focus on the deobfuscation of opaque predicates (e.g. [5,7,8,16,29,32,42]) in order to evaluate the quality of the obfuscated code rendered by this transformation. However, these techniques are often based on dynamic analysis and are therefore limited or not scalable.…”

Section: Introductionmentioning

confidence: 99%

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Tofighi-Shirazi

Asavoae

Elbaz-Vincent

et al. 2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

We present a new approach that bridges binary analysis techniques with machine learning classification for the purpose of providing a static and generic evaluation technique for opaque predicates, regardless of their constructions. We use this technique as a static automated deobfuscation tool to remove the opaque predicates introduced by obfuscation mechanisms. According to our experimental results, our models have up to 98% accuracy at detecting and deobfuscating state-of-the-art opaque predicates patterns. By contrast, the leading edge deobfuscation methods based on symbolic execution show less accuracy mostly due to the SMT solvers constraints and the lack of scalability of dynamic symbolic analyses. Our approach underlines the efficiency of hybrid symbolic analysis and machine learning techniques for a static and generic deobfuscation methodology.

show abstract

“…Algorithm MBA-Obf (e, d, n, R) loop d times { choose an operator op of e rewrite op with a rewrite rule r in R choose 2 n-bit values for coefficients a and b of the affine function f while a non-invertible module 2^n choose another a compute 1/a and -b/a, the coefficients of the inverse of f insert affine composition around the rewritten operator } Figure 1. Main algorithm (borrowed from [10]): obfuscation of an expression e, given a degree of obfuscation d, a number of bits n, a set of rewrites rules R.…”

Section: Generation Of Mba Expressionsmentioning

confidence: 99%

Formal verification of a program obfuscation based on mixed Boolean-arithmetic expressions

Blazy

Hutin

2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

The insertion of expressions mixing arithmetic operators and bitwise boolean operators is a widespread protection of sensitive data in source programs. This recent advanced obfuscation technique is one of the less studied among program obfuscations even if it is commonly found in binary code. In this paper, we formally verify in Coq this data obfuscation. It operates over a generic notion of mixed boolean-arithmetic expressions and on properties of bitwise operators operating over machine integers. Our obfuscation performs two kinds of program transformations: rewriting of expressions and insertion of modular inverses. To facilitate its proof of correctness, we define boolean semantic tables, a data structure inspired from truth tables. Our obfuscation is integrated into the CompCert formally verified compiler where it operates over Clight programs. The automatic extraction of our program obfuscator into OCaml yields a program with competitive results.

show abstract

Defeating MBA-based Obfuscation

Cited by 29 publications

References 18 publications

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Formal verification of a program obfuscation based on mixed Boolean-arithmetic expressions

Contact Info

Product

Resources

About