Effectiveness of synthesis in concolic deobfuscation

Biondi, Fabrizio; Josse, Sébastien; Legay, Axel; Sirvent, Thomas

doi:10.1016/j.cose.2017.07.006

Cited by 18 publications

(31 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The work presented in [19], although based on binary execution traces, is a valid starting point to improve the detection of the dynamic opaque predicates in SATURN. While the work presented in [3] describes a strong simplification methodology based on the Drill&Join synthesis technique [1] which is orthogonal to the ones in SATURN and could further improve the MBA expressions handling. As discussed in Section 12, a plugin system would enable us to integrate these approaches during the exploration phase.…”

Section: Discussionmentioning

confidence: 99%

“…Effectiveness of Synthesis in Concolic Deobfuscation. Biondi et al summarize in [3] that SMT solvers alone are not efficient enough against MBA based obfuscation. As future work they proposed to study a tool that could drive the concolic execution of obfuscated programs by retrieving a compact representation of obfuscated constraints.…”

Section: Related Workmentioning

confidence: 99%

“…Instead, the path exploration is done based on the partially deobfuscated basic blocks and their predecessors. Our algorithm is similar to the Iterative Control Flow Graph Construction in [3] but is superior in the way that it works independently of the order in which the branches are examined.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SATURN - Software Deobfuscation Framework Based On LLVM

Garba

Favaro²

2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

The strength of obfuscated software has increased over the recent years. Compiler based obfuscation has become the de facto standard in the industry and recent papers also show that injection of obfuscation techniques is done at the compiler level. In this paper we discuss a generic approach for deobfuscation and recompilation of obfuscated code based on the compiler framework LLVM. We show how binary code can be lifted back into the compiler intermediate language LLVM-IR and explain how we recover the control flow graph of an obfuscated binary function with an iterative control flow graph construction algorithm [3] based on compiler optimizations and satisfiability modulo theories (SMT) solving. Our approach does not make any assumptions about the obfuscated code, but instead uses strong compiler optimizations available in LLVM and Souper Optimizer to simplify away the obfuscation. Our experimental results show that this approach can be effective to weaken or even remove the applied obfuscation techniques like constant unfolding, certain arithmetic-based opaque expressions, dead code insertions, bogus control flow or integer encoding found in public and commercial obfuscators. The recovered LLVM-IR can be further processed by custom deobfuscation passes that are now applied at the same level as the injected obfuscation techniques or recompiled with one of the available LLVM backends. The presented work is implemented in a deobfuscation tool called SATURN (Figure 1).

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

SATURN - Software Deobfuscation Framework Based On LLVM

Garba

Favaro²

2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

show abstract

“…As a consequence, several works focus on the deobfuscation of opaque predicates (e.g. [5,7,8,16,29,32,42]) in order to evaluate the quality of the obfuscated code rendered by this transformation. However, these techniques are often based on dynamic analysis and are therefore limited or not scalable.…”

Section: Introductionmentioning

confidence: 99%

Defeating Opaque Predicates Statically through Machine Learning and Binary Analysis

Tofighi-Shirazi

Asavoae

Elbaz-Vincent

et al. 2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

We present a new approach that bridges binary analysis techniques with machine learning classification for the purpose of providing a static and generic evaluation technique for opaque predicates, regardless of their constructions. We use this technique as a static automated deobfuscation tool to remove the opaque predicates introduced by obfuscation mechanisms. According to our experimental results, our models have up to 98% accuracy at detecting and deobfuscating state-of-the-art opaque predicates patterns. By contrast, the leading edge deobfuscation methods based on symbolic execution show less accuracy mostly due to the SMT solvers constraints and the lack of scalability of dynamic symbolic analyses. Our approach underlines the efficiency of hybrid symbolic analysis and machine learning techniques for a static and generic deobfuscation methodology.

show abstract

“…Using a subfamily is a problem in the context of obfuscation since such polynomials will have an intrinsic form which can be recognized more easily and thus help the reverser. The attack proposed in [1] relies on this property.…”

Section: Introductionmentioning

confidence: 99%