Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Tofighi-Shirazi, Ramtine; Asavoae, Irina-Mariuca; Elbaz-Vincent, Philippe; Le, Trung-Nghia

doi:10.1145/3338503.3357719

Cited by 15 publications

(18 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, Backward-Bounded DSE [3] can detect 100% of the opaque predicates inserted by the OLLVM obfuscator [18]. However, dynamic symbolic execution-based approaches' detection accuracy decreases when encountering opaque predicates of varied constructions [37]. This is because their detection approaches are based on determining if a conditional branch contains an invariant expression.…”

Section: Contributionsmentioning

confidence: 99%

“…Depending on how the opaque predicate is constructed, it can be non-trivial or even undecidable to identify the invariant expression. Tofighi-Shirazi et al [37] recently introduce a detection approach using machine learning based on a decision-tree classification model. Although it can detect opaque predicates of varied constructions, the performance of Tofighi-Shirazi's approach suffers when detecting an opaque predicate whose construction is not previously encountered in its training data.…”

Section: Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly

Tung¹,

Harris²

2020

Proceedings 2020 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Opaque predicates are used to perform code obfuscation by injecting superfluous branches into the program. Superfluous branches are the gateways for junk bytes or unreachable code to inconspicuously mingle with authentic code instructions. In this paper, we focus on the case where opaque predicates introduce junk bytes, thus causing damage to the static disassembly process when junk bytes are also treated as code. Although introduced two decades ago, detecting opaque predicates is still an unsolved problem due to the flexibility in their constructions. Past works on detecting opaque predicates only detect opaque predicates with specific constructions. We propose a novel approach to opaque predicates detection that allows us to generically detect opaque predicates when the damage is the inserted junk bytes. Our proposed approach is the first to detect opaque predicates by identifying their corresponding superfluous branches through the damage caused by the obfuscation. Preliminary experiments show the potential of this novel approach by detecting opaque predicates of varied constructions.

show abstract

Section: Contributionsmentioning

confidence: 99%

Section: Contributionsmentioning

confidence: 99%

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly

Tung¹,

Harris²

2020

Proceedings 2020 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…is language is part of the symbolic execution engine that we use for the implementation of our methodology as IDA Pro plug-in. Additionally, the normalized Miasm2 intermediate language has also been successful for the application of machine learning techniques in order to deobfuscate opaque predicates [61]. Listing 1 illustrates the symbolic state S of the rst basic-block of the function quick-sort, which is illustrated in Figure 1.…”

Section: Semantic-based Raw Datamentioning

confidence: 99%

“…As seen in [61], semantic reasoning and machine learning provides promising results for deobfuscation methodology. e evaluations shown in this paper illustrate that our model does not depend on the code functionality.…”

Section: Perspectives and Future Workmentioning

confidence: 99%

See 1 more Smart Citation

Fine-grained static detection of obfuscation transforms using ensemble-learning and semantic reasoning

Tofighi-Shirazi

Asavoae

Elbaz-Vincent

2019

Proceedings of the 9th Workshop on Software Security, Protection, and Reverse Engineering

Self Cite

View full text Add to dashboard Cite

e ability to e ciently detect the so ware protections used is at a prime to facilitate the selection and application of adequate deobfuscation techniques. We present a novel approach that combines semantic reasoning techniques with ensemble learning classi cation for the purpose of providing a static detection framework for obfuscation transformations. By contrast to existing work, we provide a methodology that can detect multiple layers of obfuscation, without depending on knowledge of the underlying functionality of the training-set used. We also extend our work to detect constructions of obfuscation transformations, thus providing a ne-grained methodology. To that end, we provide several studies for the best practices of the use of machine learning techniques for a scalable and e cient model. According to our experimental results and evaluations on obfuscators such as Tigress and OLLVM, our models have up to 91% accuracy on state-of-the-art obfuscation transformations. Our overall accuracies for their constructions are up to 100%.

show abstract

BinSEAL: Linux Binary Obfuscation Against Symbolic Execution

Qin

Han

2021

Security, Privacy, and Anonymity in Computation, Communication, and Storage

View full text Add to dashboard Cite

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Cited by 15 publications

References 30 publications

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly

Fine-grained static detection of obfuscation transforms using ensemble-learning and semantic reasoning

BinSEAL: Linux Binary Obfuscation Against Symbolic Execution

Contact Info

Product

Resources

About