Code obfuscation against symbolic execution attacks

Bănescu, Sebastian; Collberg, Christian; Newsham, Zack; Pretschner, Alexander

doi:10.1145/2991079.2991114

Cited by 110 publications

(100 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Let us now protect the program with standard obfuscations to measure their impact on symbolic deobfuscation. We will rely on Tigress [21], a widely used tool for systematic evaluation of deobfuscation methods [5,8,35], to apply (nested) virtualization, a most effective obfuscation [5]. Yet, Table 1 clearly shows that virtualization does not prevent KLEE from finding the winning output, though it can thwart path exploration -but with a high runtime overhead (40×).…”

Section: Motivating Examplementioning

confidence: 99%

“…concolic execution) [17,28,38] use logical formulas to represent input constraints along an execution path, and then automatically solve these constraints to discover new execution paths. DSE appears to be very efficient against existing obfuscations [5,8,22,35,49], combining the best of dynamic and semantic analysis.…”

Section: Introductionmentioning

confidence: 99%

“…On the other hand, DSE has been fruitfully applied on malware and legit codes protected by state-ofthe-art tools and methods, including virtualization, self-modification, hashing or MBA [8,35,49]. The recent systematic experimental evaluation of symbolic deobfuscation by Banescu et al [5] shows that most standard obfuscation techniques do not seriously impact DSE. Only nested virtualization seems to provide a good protection, assuming the defender is ready to pay a high cost in terms of runtime and code size [35].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Ollivier

Bardin

Bonichon

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

show abstract

Section: Motivating Examplementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Ollivier

Bardin

Bonichon

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Another work, [4], aims at predicting the resiliency of obfuscated code against symbolic execution attacks. They use machine learning to measure the ability of several different symbolic execution engines to run against various layers and combinations of obfuscation techniques.…”

Section: Related Workmentioning

confidence: 99%

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Tofighi-Shirazi

Asavoae

Elbaz-Vincent

et al. 2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

We present a new approach that bridges binary analysis techniques with machine learning classification for the purpose of providing a static and generic evaluation technique for opaque predicates, regardless of their constructions. We use this technique as a static automated deobfuscation tool to remove the opaque predicates introduced by obfuscation mechanisms. According to our experimental results, our models have up to 98% accuracy at detecting and deobfuscating state-of-the-art opaque predicates patterns. By contrast, the leading edge deobfuscation methods based on symbolic execution show less accuracy mostly due to the SMT solvers constraints and the lack of scalability of dynamic symbolic analyses. Our approach underlines the efficiency of hybrid symbolic analysis and machine learning techniques for a static and generic deobfuscation methodology.

show abstract

“…opaque predicates. Several works use two-ways opaque predicates constructs, either referred to as range-dividers [4], or as correlated opaque predicates [42,69]. Moreover, regardless of their output, e.g.…”

Section: Opaquementioning

confidence: 99%

Fine-grained static detection of obfuscation transforms using ensemble-learning and semantic reasoning

Tofighi-Shirazi

Asavoae

Elbaz-Vincent

2019

Proceedings of the 9th Workshop on Software Security, Protection, and Reverse Engineering

View full text Add to dashboard Cite

e ability to e ciently detect the so ware protections used is at a prime to facilitate the selection and application of adequate deobfuscation techniques. We present a novel approach that combines semantic reasoning techniques with ensemble learning classi cation for the purpose of providing a static detection framework for obfuscation transformations. By contrast to existing work, we provide a methodology that can detect multiple layers of obfuscation, without depending on knowledge of the underlying functionality of the training-set used. We also extend our work to detect constructions of obfuscation transformations, thus providing a ne-grained methodology. To that end, we provide several studies for the best practices of the use of machine learning techniques for a scalable and e cient model. According to our experimental results and evaluations on obfuscators such as Tigress and OLLVM, our models have up to 91% accuracy on state-of-the-art obfuscation transformations. Our overall accuracies for their constructions are up to 100%.

show abstract

Code obfuscation against symbolic execution attacks

Cited by 110 publications

References 41 publications

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Fine-grained static detection of obfuscation transforms using ensemble-learning and semantic reasoning

Contact Info

Product

Resources

About