Symbolic Execution of Obfuscated Code

Yadegari, Babak; Debray, Saumya

doi:10.1145/2810103.2813663

Cited by 68 publications

(55 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Recently Yadegari and Debray considered the problem of symbolically analyzing obfuscated conditionals [8]. They also focus on manipulating conditionals to hide them or to hide their relation with the inputs.…”

Section: Related Workmentioning

confidence: 99%

“…State of the art in deobfuscation shows that control flow flattening not based on opaque predicates can be broken by using static path deobfuscation [7]. Recent work [8,9] focuses on the use of symbolic analysis together with taint analysis to deobfuscate virtualized binaries and allow exploration of their execution path. Symbolic analysis maintains sets of constraints on the execution paths to determine which inputs cause each branch of a conditional statement to be explored.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Effectiveness of synthesis in concolic deobfuscation

Biondi

Josse²,

Legay

et al. 2017

Computers & Security

View full text Add to dashboard Cite

Control flow obfuscation techniques can be used to hinder software reverseengineering. Symbolic analysis can counteract these techniques, but only if they can analyze obfuscated conditional statements. We evaluate the use of dynamic synthesis to complement symbolic analysis in the analysis of obfuscated conditionals. We test this approach on the taint-analysis-resistant Mixed Boolean Arithmetics (MBA) obfuscation method that is commonly used to obfuscate and randomly diversify statements. We experimentally ascertain the practical feasibility of MBA obfuscation. We study using SMT-based approaches with different state-of-the-art SMT solvers to counteract MBA obfuscation, and we show how targeted algebraic simplification can greatly reduce the analysis time. We show that synthesis-based deobfuscation is more effective than current SMT-based deobfuscation algorithms, thus proposing a synthesis-based attacker model to complement existing attacker models.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Effectiveness of synthesis in concolic deobfuscation

Biondi

Josse²,

Legay

et al. 2017

Computers & Security

View full text Add to dashboard Cite

show abstract

“…A first, critical point to make is that none of the mentioned static techniques have been scientifically validated as successfully breaking complex forms of opaque predicates (such as the graph-based ones from Collberg et al [22]) on software of real-world complexity. Symbolic execution, for example, was only tested on programs of at most two functions [19]. Abstract interpretation was only evaluated on opaque predicates of which the program slice (i.e., the code computing the predicate) consisted of a tiny fragment immediately preceding the conditional branch [18].…”

Section: Resilience Against Counterattacksmentioning

confidence: 99%

Obfuscated integration of software protections

Broeck

Coppens

Sutter

2020

Int. J. Inf. Secur.

View full text Add to dashboard Cite

To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

show abstract

“…Although the virtualization obfuscation may lead to the excessive resource usage of LoPD, we do not view it as a hard limit. The latest work on symbolic execution of obfuscated code has proposed using fine-grained bit-level taint analysis to mitigate this problem [71]. We plan to integrate the bit-level taint analysis to improve LoPD's robust against the virtualization obfuscation.…”

Section: A Case Study I: Same Programsmentioning

confidence: 99%

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Jiang

Zhang

et al. 2016

IEEE Trans. Rel.

View full text Add to dashboard Cite

Software plagiarism, an act of illegally copying others' code, has become a serious concern for honest software companies and the open source community. Considerable research efforts have been dedicated to searching the evidence of software plagiarism. In this paper, we continue this line of research and propose LoPD, a deviation-based program equivalence checking approach, which is an ideal fit for the whole-program plagiarism detection. Instead of directly comparing the similarity between two programs, LoPD searches for any dissimilarity between two programs by finding an input that will cause these two programs to behave differently, either with different output states or with semantically different execution paths. As long as we can find one dissimilarity, the programs are semantically different; but if we cannot find any dissimilarity, it is more likely a plagiarism case. We leverage dynamic symbolic execution to capture the semantics of execution paths and to find path deviations. Compared to the existing detection approaches, LoPD's formal program semantics-based method is more resilient to automatic obfuscation schemes. Our evaluation results indicate that LoPD is effective in detecting whole-program plagiarism. Furthermore, we demonstrate that LoPD can be applied to partial software plagiarism detection as well. The encouraging experiment results show that LoPD is an appealing complement to existing software plagiarism detection approaches.Index Terms-Path deviation, program logic, semantical difference, software plagiarism, symbolic execution.

show abstract

Symbolic Execution of Obfuscated Code

Cited by 68 publications

References 28 publications

Effectiveness of synthesis in concolic deobfuscation

Effectiveness of synthesis in concolic deobfuscation

Obfuscated integration of software protections

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Contact Info

Product

Resources

About