How to kill symbolic deobfuscation for free (or: unleashing the potential of path-oriented protections)

Ollivier, Mathilde; Bardin, Sébastien; Bonichon, Richard; Marion, Jean-Yves

doi:10.1145/3359789.3359812

Cited by 23 publications

(41 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…KLEE is not only a useful tool for testing software but it's also very effective in attacking several code obfuscation techniques. Current work proposed in [22] tries to hinder symbolic execution tools like KLEE to do their work effectively.…”

Section: Kleementioning

confidence: 99%

“…We consider a man-at-the-end (MATE) scenario where the attacker has full access to a protected binary under attack and no access to the source code or unprotected binary. The attack model and the methodology follow closely the survey by Schrittweiser et al [28] and are similar to the ones considered in [22]. To be more concrete, we will focus on the following goals: 1.…”

Section: Motivation 31 Attacker Modelmentioning

confidence: 99%

“…ch^= 97; else ch^= 23; return (ch == 31); } Listing 2: Anti-symbolic path-oriented protections FOR and SPLIT applied on a toy program based on [22] define dso_local i32 @func(i8 signext) local_unnamed_addr #0 { %2 = icmp eq i8 %0, 126 %3 = zext i1 %2 to i32 ret i32 %3 }…”

Section: Motivating Examplementioning

confidence: 99%

“…Dataset #2. This dataset includes some programs that were taken from the repository provided by [22] and use the SPLIT and 2 https://github.com/pgarba/Saturn_Results FOR anti-DSE tricks.…”

Section: Datasetsmentioning

confidence: 99%

See 3 more Smart Citations

SATURN - Software Deobfuscation Framework Based On LLVM

Garba

Favaro²

2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

The strength of obfuscated software has increased over the recent years. Compiler based obfuscation has become the de facto standard in the industry and recent papers also show that injection of obfuscation techniques is done at the compiler level. In this paper we discuss a generic approach for deobfuscation and recompilation of obfuscated code based on the compiler framework LLVM. We show how binary code can be lifted back into the compiler intermediate language LLVM-IR and explain how we recover the control flow graph of an obfuscated binary function with an iterative control flow graph construction algorithm [3] based on compiler optimizations and satisfiability modulo theories (SMT) solving. Our approach does not make any assumptions about the obfuscated code, but instead uses strong compiler optimizations available in LLVM and Souper Optimizer to simplify away the obfuscation. Our experimental results show that this approach can be effective to weaken or even remove the applied obfuscation techniques like constant unfolding, certain arithmetic-based opaque expressions, dead code insertions, bogus control flow or integer encoding found in public and commercial obfuscators. The recovered LLVM-IR can be further processed by custom deobfuscation passes that are now applied at the same level as the injected obfuscation techniques or recompiled with one of the available LLVM backends. The presented work is implemented in a deobfuscation tool called SATURN (Figure 1).

show abstract

Section: Kleementioning

confidence: 99%

Section: Motivation 31 Attacker Modelmentioning

confidence: 99%

Section: Motivating Examplementioning

confidence: 99%

“…Dataset #2. This dataset includes some programs that were taken from the repository provided by [22] and use the SPLIT and 2 https://github.com/pgarba/Saturn_Results FOR anti-DSE tricks.…”

Section: Datasetsmentioning

confidence: 99%

See 2 more Smart Citations

SATURN - Software Deobfuscation Framework Based On LLVM

Garba

Favaro²

2019

Proceedings of the 3rd ACM Workshop on Software Protection

View full text Add to dashboard Cite

show abstract

“…Among the countless obfuscation methods proposed [1,16,28,32,36,45,49,51,65,67,69,75], one of the most promising techniques is Virtual Machine (VM)-based obfuscation [28,53]. State-of-the-art, commercial obfuscators such as THEMIDA [50] and VMPROTECT [64], as well as most game copy-protection schemes used in practice [23,60] make extensive use of VM-based obfuscation.…”

Section: Introductionmentioning

confidence: 99%

Technical Report: Hardening Code Obfuscation Against Automated Attacks

Schloegel¹,

Blazytko²,

Contag³

et al. 2021

Preprint

View full text Add to dashboard Cite

Software obfuscation is a crucial technology to protect intellectual property. Despite its importance, commercial and academic state-of-the-art obfuscation approaches are vulnerable to a plethora of automated deobfuscation attacks, such as symbolic execution, taint analysis, or program synthesis. While several enhanced techniques were proposed to thwart taint analysis or symbolic execution, they either impose a prohibitive runtime overhead or can be removed by compiler optimizations. In general, they suffer from focusing on a single attack vector, allowing an attacker to switch to other more effective techniques, such as program synthesis.In this work, we present LOKI, an approach for code obfuscation that is resilient against all known automated deobfuscation attacks. To this end, we deploy multiple techniques, including a generic approach to synthesize formally verified expressions of arbitrary complexity. Contrary to state-of-theart approaches that rely on a few hardcoded generation rules, our expressions are more diverse and harder to pattern match against. Moreover, LOKI protects against previously unaccounted attack vectors such as program synthesis, for which it reduces the success rate to merely 19%. Overall, our design incurs significantly less overhead while providing a much stronger protection level.

show abstract