Deobfuscation of virtualization-obfuscated software

Coogan, Kevin; Lu, Gen; Debray, Saumya

doi:10.1145/2046707.2046739

Cited by 100 publications

(78 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Coogan et al have developed a scheme which focuses on identifying the flow of values to system call instructions used by the malware, thereby obviating the need to analyze VM instructions [15]. However, their scheme does not produce encouraging results when applied to complex applications.…”

Section: Related Workmentioning

confidence: 99%

Replacement attacks against VM-protected applications

Ghosh

Hiser

Davidson

2012

Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments

View full text Add to dashboard Cite

Process-level virtualization is increasingly being used to enhance the security of software applications from reverse engineering and unauthorized modification (called software protection). Processlevel virtual machines (PVMs) can safeguard the application code at run time and hamper the adversary's ability to launch dynamic attacks on the application. This dynamic protection, combined with its flexibility, ease in handling legacy systems and low performance overhead, has made process-level virtualization a popular approach for providing software protection. While there has been much research on using process-level virtualization to provide such protection, there has been less research on attacks against PVM-protected software. In this paper, we describe an attack on applications protected using process-level virtualization, called a replacement attack. In a replacement attack, the adversary replaces the protecting PVM with an attack VM thereby rendering the application vulnerable to analysis and modification. We present a general description of the replacement attack methodology and two attack implementations against a protected application using freely available tools. The generality and simplicity of replacement attacks demonstrates that there is a strong need to develop techniques that meld applications more tightly to the protecting PVM to prevent such attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Replacement attacks against VM-protected applications

Ghosh

Hiser

Davidson

2012

Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments

View full text Add to dashboard Cite

show abstract

“…To perform specialization for interprocedural partialevaluation, the following lines are added after line [16] In addition, Alg. 3 takes an additional argument, specializedCFGs, which is a map whose entries are of the form CFG, ρ → ρ , where ρ is a partial static pre-store and ρ is a partial static post-store.…”

Section: Specializationmentioning

confidence: 99%

Partial evaluation of machine code

SrinivasanVenkatesh

RepsThomas

2015

SIGPLAN Not.

View full text Add to dashboard Cite

This paper presents an algorithm for off-line partial evaluation of machine code. The algorithm follows the classical two-phase approach of binding-time analysis (BTA) followed by specialization. However, machine-code partial evaluation presents a number of new challenges, and it was necessary to devise new techniques for use in each phase.• Our BTA algorithm makes use of an instruction-rewriting method that "decouples" multiple updates performed by a single instruction. This method counters the cascading imprecision that would otherwise occur with a more naïve approach to BTA.• Our specializer specializes an explicit representation of the semantics of an instruction, and emits residual code via machine-code synthesis. Moreover, to create code that allows the stack and heap to be at different positions at run-time than at specialization-time, the specializer represents specialization-time addresses using symbolic constants, and uses a symbolic state for specialization. Our experiments show that our algorithm can be used to specialize binaries with respect to commonly used inputs to produce faster binaries, as well as to extract an executable component from a bloated binary.

show abstract

“…System invocation is the interface between application software and operation systems, almost all functions of application software are implemented by system invocations. Kevin and Wang [5,6] claim that most malicious behaviors caused by malicious code are resulted from redirection of normal execution to certain malicious instructions, which was previous designed by attracter and injected in certain memory space, such as buffer leakage. By using the trace of taint data, certain malicious behaviors can be sketched and reoccur, in order to represent how certain system calls are illegally used to achieve certain unauthorized goals.…”

Section: Related Workmentioning

confidence: 99%

Software Trusty Analysis Based on Tiant Trace with Non-interference

Chen¹,

Ye²,

Chen³

et al. 2014

Proceedings of the 2014 International Conference on Mechatronics, Electronic, Industrial and Control Engineering

View full text Add to dashboard Cite

Abstract-we proposed a novel approach for software trust analysis, in order to solve the problems in auto testing that, the test process is lack of guidance, further more, with high performance cost. The main idea of this approach is based on taint data tracing by taint tracing started from outside of software environment. By extracting the raw behaviors such as API invocation that may cause un-trust consequence, the scope of codes that being tested will be narrowed. These may-un-trust behaviors then form into a taint dependency behaviors model, and will be proved that whether these behaviors can be trusted in certain environment. The proving mechanism will be done by a so called noninterference information flow model. The behavior model will be evolved by refinement, and the context of each test iteration will be taken advantaged of for guidance. Besides, non-interference theories will also be applied in proving. We also briefly discussed about the implementation of this approach, and necessary theorems for this approach are also proved.

show abstract

Deobfuscation of virtualization-obfuscated software

Cited by 100 publications

References 7 publications

Replacement attacks against VM-protected applications

Replacement attacks against VM-protected applications

Partial evaluation of machine code

Software Trusty Analysis Based on Tiant Trace with Non-interference

Contact Info

Product

Resources

About