Deobfuscation of Virtualization-Obfuscated Code Through Symbolic Execution and Compilation Optimization

Liang, Mingyue; Li, Zhoujun; Zeng, Qiang; Fang, Zhejun

doi:10.1007/978-3-319-89500-0_28

Cited by 9 publications

(4 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Symbolic executors usually know common arithmetic identities and can perform basic simplification, e. g., constant propagation. Applied to code obfuscation, symbolic execution is used to symbolically extract the core semantics of VM handlers [42], track user input in an execution trace [54,71,72], or detect opaque predicates (in combination with SMT solvers) [5]. Typically, techniques to impede symbolic execution aim at artificially increasing the syntactic complexity of arithmetic operations (via MBAs) or the number of paths to analyze (triggering a so-called path explosion) [1,49].…”

Section: Automated Deobfuscation Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Technical Report: Hardening Code Obfuscation Against Automated Attacks

Schloegel¹,

Blazytko²,

Contag³

et al. 2021

Preprint

View full text Add to dashboard Cite

Software obfuscation is a crucial technology to protect intellectual property. Despite its importance, commercial and academic state-of-the-art obfuscation approaches are vulnerable to a plethora of automated deobfuscation attacks, such as symbolic execution, taint analysis, or program synthesis. While several enhanced techniques were proposed to thwart taint analysis or symbolic execution, they either impose a prohibitive runtime overhead or can be removed by compiler optimizations. In general, they suffer from focusing on a single attack vector, allowing an attacker to switch to other more effective techniques, such as program synthesis.In this work, we present LOKI, an approach for code obfuscation that is resilient against all known automated deobfuscation attacks. To this end, we deploy multiple techniques, including a generic approach to synthesize formally verified expressions of arbitrary complexity. Contrary to state-of-theart approaches that rely on a few hardcoded generation rules, our expressions are more diverse and harder to pattern match against. Moreover, LOKI protects against previously unaccounted attack vectors such as program synthesis, for which it reduces the success rate to merely 19%. Overall, our design incurs significantly less overhead while providing a much stronger protection level.

show abstract

Section: Automated Deobfuscation Attacksmentioning

confidence: 99%

“…Table 1). Subsequently, the resulting code can be further simplified using a wide range of automated techniques, including taint analysis [70,72], symbolic execution [71,72], program synthesis [7,22], and various other techniques [5,6,18,26,27,31,33,38,42,53,54,58].…”

Section: Introductionmentioning

confidence: 99%

Technical Report: Hardening Code Obfuscation Against Automated Attacks

Schloegel¹,

Blazytko²,

Contag³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…[18] has been tested with VMProtect for the evaluation of the implementation results. [9] proposed a method to analyze the virtualization structure by applying symbolic execution and compiler optimization together. In [9], the extracted symbol and virtual code were converted to C language to remain semantically equivalent to the original program.…”

Section: A Analysis Of Virtualization Obfuscationmentioning

confidence: 99%

“…[9] proposed a method to analyze the virtualization structure by applying symbolic execution and compiler optimization together. In [9], the extracted symbol and virtual code were converted to C language to remain semantically equivalent to the original program. In this study, PinTool was used as a tool to accurately extract the dispatcher of virtualization structure.…”

Section: A Analysis Of Virtualization Obfuscationmentioning

confidence: 99%

VCF: Virtual Code Folding to Enhance Virtualization Obfuscation

Suk

Lee

2020

IEEE Access

View full text Add to dashboard Cite

Code virtualization, also called virtualization obfuscation, is a code obfuscation technique that protects software from malicious analysis. Unlike code packing or code encryption techniques, code virtualization does not restore the original code on the memory. However, because basic components of the structure are simple, if a virtualization structure is revealed statically, there is a limitation in that the analysis process is somewhat constant. In this paper, we propose Virtual Code Folding (VCF) as a new code virtualization technique. The proposed method reduces the amount of virtual code that is statically revealed by folding the virtual code inside a virtualization structure and enables the virtual code to be decoded by generating multiple diversified dispatchers. The folded virtual code is restored by the random key, and then fetched and decoded by the diversified dispatcher. This process makes it possible for VCF to effectively obfuscate correspondence between virtual code and handler code (i.e., code that performs real functionality) without significant performance overhead or strong assumptions.

show abstract