Semantics-aware obfuscation scheme prediction for binary

Zhao, Yuhe; Tang, Zhanyong; Ye, Guixin; Peng, Dongxu; Fang, Dingyi; Liu, Chen; Wang, Zheng

doi:10.1016/j.cose.2020.102072

Cited by 8 publications

(5 citation statements)

References 31 publications

(41 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, code obfuscation techniques, such as instruction replacement, dead code insertion, function inlining, etc., that commit changes to the code [30,32] are very likely to destroy or submerge features important to compiler identification, hence decreasing the detection accuracy. One possible solution to this problem is to deobfuscate the binaries first with deobfuscation techniques [22,44,49] before enforcing compiler identification. Another possible way is to adopt the idea of adversarial training [40], which trains the compiler identification model with adversarial examples (i.e.…”

Section: Discussionmentioning

confidence: 99%

Fine-Grained Compiler Identification With Sequence-Oriented Neural Modeling

et al. 2021

View full text Add to dashboard Cite

Different compilers and optimization levels can be used to compile the source code. Revealed in reverse from the produced binaries, these compiler details facilitate essential binary analysis tasks, such as malware analysis and software forensics. Most existing approaches adopt a signature matching based or machine learning based strategy to identify the compiler details, showing limits in either the detection accuracy or granularity. In this work, we propose NeuralCI (Neural modeling-based Compiler Identification) to infer these compiler details including compiler family, optimization level and compiler version on individual functions. The basic idea is to formulate sequence-oriented neural networks to process normalized instruction sequences generated using a lightweight function abstraction strategy. To evaluate the performance of NeuralCI, a large dataset consisting of 854,858 unique functions collected from 19 widely used real-world projects is constructed. The experiments show that NeuralCI achieves averagely 98.6% accuracy in identifying the compiler family, 95.3% accuracy in identifying the optimization level, 88.7% accuracy in identifying the compiler version, 94.8% accuracy in identifying the compiler family and optimization level, and 83.0% accuracy in identifying all compiler components simultaneously, outperforming existing function level compiler identification methods in terms of both detection accuracy and comprehensiveness.INDEX TERMS software forensics, binary code analysis, compiler identification, neural network.

show abstract

Section: Discussionmentioning

confidence: 99%

Fine-Grained Compiler Identification With Sequence-Oriented Neural Modeling

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Even though obfuscation can hide semantics very well, there can still be some hints left. Existing obfuscation detection work has high accuracy [13,[33][34][35][36][37]. us, we are motivated to employ a classifier to detect which basic block is obfuscated.…”

Section: Obfuscated Instructions Detectormentioning

confidence: 99%

“…Dataset1: We use a dataset of OBFEYE [13], which contains over 277,000 obfuscated samples with different individual obfuscation schemes. e source codes of OBFEYE's datasets come from the real world like GNU Toolkit and gcc-7.4.0.…”

Section: Datasetsmentioning

confidence: 99%

“…Obfuscation Detection. Zhao et al [13] propose an obfuscation detection method using deep neural networks to learn semantic information of the disassembled binary to predict the program's Obfuscation Scheme. But they do not discuss locating the obfuscated code snippet.…”

Section: Related Workmentioning

confidence: 99%

“…First of all, compared with other obfuscation algorithms, data obfuscation is more stealthy. at is because the number of instructions involved in data obfuscation is small, so it is difficult to detect [13]. Afterward, when most obfuscation tools implement data obfuscation, they randomly select one from the equivalent instruction sequences to increase the diversity of the transformation [14][15][16].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Input-Output Example-Guided Data Deobfuscation on Binary

Zhao

Tang

et al. 2021

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

Data obfuscation is usually used by malicious software to avoid detection and reverse analysis. When analyzing the malware, such obfuscations have to be removed to restore the program into an easier understandable form (deobfuscation). The deobfuscation based on program synthesis provides a good solution for treating the target program as a black box. Thus, deobfuscation becomes a problem of finding the shortest instruction sequence to synthesize a program with the same input-output behavior as the target program. Existing work has two limitations: assuming that obfuscated code snippets in the target program are known and using a stochastic search algorithm resulting in low efficiency. In this paper, we propose fine-grained obfuscation detection for locating obfuscated code snippets by machine learning. Besides, we also combine the program synthesis and a heuristic search algorithm of Nested Monte Carlo Search. We have applied a prototype implementation of our ideas to data obfuscation in different tools, including OLLVM and Tigress. Our experimental results suggest that this approach is highly effective in locating and deobfuscating the binaries with data obfuscation, with an accuracy of at least 90.34%. Compared with the state-of-the-art deobfuscation technique, our approach’s efficiency has increased by 75%, with the success rate increasing by 5%.

show abstract