QSynth - A Program Synthesis based approach for Binary Code Deobfuscation

David, Robin; Coniglio, Luigi; Ceccato, Mariano

doi:10.14722/bar.2020.23009

Cited by 19 publications

(30 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To the best of our knowledge, there are no predefined metrics to measure whether the deobfuscation result is easier to understand. David et al [23] provide a solution for evaluating the size reduction factor of the obfuscated expression against the synthesized one. In addition, we also use the user study in Section 6.6 to evaluate the deobfuscation results.…”

Section: Metrics For Deobfuscation Result Deobfuscation Aimsmentioning

confidence: 99%

“…at is different from previous work since they all assume that the obfuscated instructions are known [22,23].…”

Section: Introductionmentioning

confidence: 88%

“…Program synthesis has been widely used in the following areas: automatic programming [28], peephole optimization [29,30], and generating the best code snippets [31,32]. Some works have proved the feasibility of program synthesis on deobfuscation [21][22][23]. Specifically, taking a given program as the specification of the equivalent program required in the target language, program synthesis can translate the given piece of code into a semantically equivalent code written in a certain target language.…”

Section: Program Synthesismentioning

confidence: 99%

“…erefore, deobfuscation in the way of compiler optimization may lead to the generated code being too simplified. e second category of deobfuscation is based on the program synthesis technique [20][21][22][23], which treats the target program as a black box. e underlying intuition is that a program's semantics can be understood as a mapping from input values to output values.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Input-Output Example-Guided Data Deobfuscation on Binary

Zhao

Tang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Data obfuscation is usually used by malicious software to avoid detection and reverse analysis. When analyzing the malware, such obfuscations have to be removed to restore the program into an easier understandable form (deobfuscation). The deobfuscation based on program synthesis provides a good solution for treating the target program as a black box. Thus, deobfuscation becomes a problem of finding the shortest instruction sequence to synthesize a program with the same input-output behavior as the target program. Existing work has two limitations: assuming that obfuscated code snippets in the target program are known and using a stochastic search algorithm resulting in low efficiency. In this paper, we propose fine-grained obfuscation detection for locating obfuscated code snippets by machine learning. Besides, we also combine the program synthesis and a heuristic search algorithm of Nested Monte Carlo Search. We have applied a prototype implementation of our ideas to data obfuscation in different tools, including OLLVM and Tigress. Our experimental results suggest that this approach is highly effective in locating and deobfuscating the binaries with data obfuscation, with an accuracy of at least 90.34%. Compared with the state-of-the-art deobfuscation technique, our approach’s efficiency has increased by 75%, with the success rate increasing by 5%.

show abstract

Section: Metrics For Deobfuscation Result Deobfuscation Aimsmentioning

confidence: 99%

“…at is different from previous work since they all assume that the obfuscated instructions are known [22,23].…”

Section: Introductionmentioning

confidence: 88%

Section: Program Synthesismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Input-Output Example-Guided Data Deobfuscation on Binary

Zhao

Tang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…In the second type, the oracle cannot verify the correctness of the synthesized program but can provide a set of input-output examples. This includes the applications where the oracle is a black-box program, such as binary programs [Zhai et al 2016], and applications where the program is too complex to verify its correctness, e.g., the task involves system calls or complex loops, such as program repair, second-order execution, and deobfuscation [Blazytko et al 2017;David et al 2020;Jha et al 2010;Mechtaev et al 2018Mechtaev et al , 2015a.…”

Section: Introductionmentioning

confidence: 99%

Generalizable synthesis through unification

Xia

Xiong

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

The generalizability of PBE solvers is the key to the empirical synthesis performance. Despite the importance of generalizability, related studies on PBE solvers are still limited. In theory, few existing solvers provide theoretical guarantees on generalizability, and in practice, there is a lack of PBE solvers with satisfactory generalizability on important domains such as conditional linear integer arithmetic (CLIA). In this paper, we adopt a concept from the computational learning theory, Occam learning, and perform a comprehensive study on the framework of synthesis through unification (STUN), a state-of-the-art framework for synthesizing programs with nested if-then-else operators. We prove that Eusolver, a state-of-the-art STUN solver, does not satisfy the condition of Occam learning, and then we design a novel STUN solver, PolyGen, of which the generalizability is theoretically guaranteed by Occam learning. We evaluate PolyGen on the domains of CLIA and demonstrate that PolyGen significantly outperforms two state-of-the-art PBE solvers on CLIA, Eusolver and Euphony, on both generalizability and efficiency.

show abstract

Constructing Opaque Predicate Using Homomorphic Encryption

Hirano

Ohtaki²

2022

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

QSynth - A Program Synthesis based approach for Binary Code Deobfuscation

Cited by 19 publications

References 22 publications

Input-Output Example-Guided Data Deobfuscation on Binary

Input-Output Example-Guided Data Deobfuscation on Binary

Generalizable synthesis through unification

Constructing Opaque Predicate Using Homomorphic Encryption

Contact Info

Product

Resources

About