Advanced Anti-Deobfuscation. Bjorn De Sutter, ISSISP 2017, Paris (slide deck)



  1. Advanced Anti-Deobfuscation. Bjorn De Sutter, ISSISP 2017, Paris

  2. About me
     • Research domain: system software
       • compilers, binary rewriting tools, whole program optimization (binary & Java), virtualization, run-time environments
       • improve programmer productivity by means of automation
       • apply tools for different applications
         • obfuscation, diversity, mitigating side channels and fault injection, ...
         • protect against exploitation of vulnerabilities (multi-variant execution)
         • generating code for accelerators
     • Also worked/spent time at (institution logos; not extracted)

  3. About me: the ASPIRE Framework (http://www.aspire-fp7.eu)
     • Figure: Software Protection Tool Chain (Tool Flow) plus Software Protection Decision Support System
     • Protections covered: Data Hiding, Algorithm Hiding, Anti-Tampering, Remote Attestation, Renewability
     • Use cases run through the tool flow: SafeNet, Gemalto and Nagravision, each yielding a protected use case

  4. Lecture Overview
     1. Basic Attacks
        • attacks on what?
        • basic attack tools & techniques
     2. Defenses
        • anti-anything
     3. Advanced Automated Attacks
        • generic deobfuscation
        • symbolic execution
     4. Defenses
        • anti-even-more

  5. What is being attacked?

     Asset category | Security requirements | Examples of threats
     Private data (keys, credentials, tokens, private info) | Confidentiality, Privacy, Integrity | Impersonation, illegitimate authorization; leaking sensitive data; forging licenses
     Public data (keys, service info) | Integrity | Forging licenses; impersonation
     Unique data (tokens, keys, user IDs) | Confidentiality, Integrity | Service disruption, illegitimate access; building emulators
     Global data (crypto & app verification bootstrap keys) | Confidentiality, Integrity | Circumventing authentication
     Traceable data/code (watermarks, fingerprints, traceable keys) | Non-repudiation | Making identification impossible
     Code (algorithms, protocols, security libs) | Confidentiality | Reverse engineering
     Application execution (license checks & limitations, authentication & integrity verification, protocols) | Execution correctness, Integrity | Circumventing security features (DRM); out-of-context use, violating license terms

  6. What is being attacked? (figure: an ASSET wrapped in PROTECTION 1 to PROTECTION 8, with ADDITIONAL CODE around it)
     1. Attackers aim for assets; layered protections are only obstacles
     2. Attackers need to find assets (by iteratively zooming in)
     3. Attackers need tools & techniques to build a program representation, to analyze, and to extract features
     4. Attackers iteratively build a strategy based on experience and on confirmed and revised assumptions, incl. on the path of least resistance
     5. Attackers can undo, circumvent, or overcome protections with or without tampering with the code

  7. Basic Attack Techniques
     • Static attack steps: without executing the code
       • symbolic information
       • graph representations of the program
     • Dynamic attack steps: observing execution
       • all kinds of hooks
       • start and intervene at interfaces
       • observe features and patterns of program execution (traces)
     • Hybrid attack steps: combination of both
       • e.g.: build graphs of (unpacked) code observed during execution

  8. Disassemblers - 1
     • IDA Pro
     • Binary Ninja
     • angr
     • Far from perfect
       • incomplete disassembly
       • incorrect graphs (control flow, call graphs)
     • Flexible and interactive
       • linear sweep, recursive descent, heuristic and manual disassembly
       • GUI
       • code annotation
       • plug-ins and scripts


  10. Disassemblers - 2
     • Static & hybrid attacks
     • Rely on many underlying assumptions
     • Library detection
       • F.L.I.R.T.
     • Diffing tools
       • BinDiff
     • Custom tools
       • detect patterns
       • undo obfuscations
       • data flow analysis
     • Support code editing
     • Interface with (remote) debuggers


  12. Disassemblers - 2 (figure only; not extracted)

  13. Disassemblers - 3
     • Decompiler (figure only; not extracted)

  14. Debuggers - 1
     • GDB
     • OllyDbg
     • Scriptable
     • Support tampering
       • alter processor state (incl. program counter)
       • alter memory contents
       • alter code
       • used for out-of-context execution


  16. Debuggers - 2
     • Used for program understanding
     • Used for zooming in on relevant code
     • Continuous iterative refinement of scripts
     • Low overhead with hardware breakpoints
     • High overhead with software breakpoints
     • Requires tampering

  17. Emulation & Instrumentation
     • QEMU
     • Pin
     • Valgrind
     • DynInst
     • ltrace
     • Used to collect traces
       • to identify patterns and points of interest
     • Used like a debugger
       • iterative refinement of scripts
       • but not interactive

  18. Software Tampering
     • Editing the binary
     • Altering running process state (CPU, memory)
     • Intervening at interfaces
       • system calls
       • library calls
       • network activities
       • ....
     • Custom binaries to invoke library APIs
     • Aforementioned tools
     • Cheat Engine
       • all kinds of reverse engineering aids (pointer chaining)

  19. Pointer chaining (figure: struct player, containing bool visible)

  20. Pointer chaining (figure: struct player, containing bool visible)

  21. Pointer chaining (figure: struct game, the stack frame of play(), struct player, bool visible; the chain to the flag resolves to *(*(ESP(play())-0x16)+0x4)+0x28)

  22. Pointer chaining (figure only; not extracted)

  23. Lecture Overview (agenda of slide 4 repeated; next part: 2. Defenses, anti-anything)

  24. Anti-tampering
     • Code guards (code integrity)
       • hashes over code regions
     • State inspection
       • check for existing invariants
       • inject additional invariants
       • for data integrity and control flow integrity
     • Basic control flow integrity
       • check return addresses
       • check stack frames

  25. Remote attestation (figure: the application holds the Original Application logic, Attestator Functions, Reaction Functions, Delay Data Structures and a Delay Component; a Verifier exchanges Query and Update messages with it in steps numbered 1 to 5)
     • attestators: code guards, timing, data integrity, control flow integrity
     • verification: local vs. remote; prevent replay attacks
     • reaction: abort, corruption, notify server (block player), graceful degradation, lower quality
     • delay the reaction: the attacker sees the symptom, so hide its relation with the cause!
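Slides 24 and 25 describe a code guard (a hash over a code region compared with a known-good value) and the remote-attestation variant in which a verifier queries the hash with a fresh nonce so that a recorded answer cannot be replayed. The following C program is an added example written for this page; it is not the slides' code nor part of the ASPIRE tool chain. The FNV-1a hash, the query/response layout, the verifier bookkeeping and the byte array standing in for a protected code region are all assumptions made for the illustration.

```c
/* Added example: local code guard + nonce-based remote attestation round.
 * The hash function and message formats are illustrative choices, not the
 * ASPIRE framework's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a protected code region. In a real build the
 * guard would hash the bytes between two labels placed around the asset. */
static uint8_t code_region[] = {
    0x55, 0x48, 0x89, 0xe5,   /* push rbp; mov rbp, rsp   (constructed sample) */
    0x31, 0xc0, 0x5d, 0xc3    /* xor eax, eax; pop rbp; ret                    */
};

/* FNV-1a over a byte range, mixed with a seed. With seed 0 this is a plain
 * code guard; with a verifier-chosen nonce as seed it is the attestation. */
uint32_t guard_hash(const uint8_t *p, size_t len, uint32_t seed)
{
    uint32_t h = 0x811c9dc5u ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Local code guard (slide 24): compare against a value recorded at build time. */
int code_guard_ok(const uint8_t *p, size_t len, uint32_t expected)
{
    return guard_hash(p, len, 0) == expected;
}

/* Messages of the attestation protocol (slide 25). */
struct query    { uint32_t nonce; size_t off; size_t len; };  /* verifier -> attestator */
struct response { uint32_t nonce; uint32_t digest; };        /* attestator -> verifier */

/* Attestator function inside the application: hash the requested window of
 * the live code region, keyed with the nonce the verifier sent. */
struct response attestator_answer(const struct query *q)
{
    struct response r;
    r.nonce  = q->nonce;
    r.digest = guard_hash(code_region + q->off, q->len, q->nonce);
    return r;
}

/* Verifier on the server side: owns a golden copy of the region and the
 * nonce it last issued, so a replayed response is recognised. */
struct verifier { const uint8_t *golden; size_t golden_len; uint32_t outstanding_nonce; };

struct query verifier_issue(struct verifier *v, uint32_t fresh_nonce)
{
    struct query q = { fresh_nonce, 0, v->golden_len };
    v->outstanding_nonce = fresh_nonce;
    return q;
}

int verifier_check(struct verifier *v, const struct response *r)
{
    if (r->nonce != v->outstanding_nonce) return 0;   /* stale or replayed answer */
    v->outstanding_nonce = 0;                         /* each nonce is accepted once */
    return r->digest == guard_hash(v->golden, v->golden_len, r->nonce);
}

/* One full round against the live region: 1 if it attests cleanly, else 0. */
int attestation_round(struct verifier *v, uint32_t nonce)
{
    struct query    q = verifier_issue(v, nonce);
    struct response r = attestator_answer(&q);
    return verifier_check(v, &r);
}

int main(void)
{
    uint8_t golden[sizeof code_region];
    memcpy(golden, code_region, sizeof code_region);
    struct verifier v = { golden, sizeof golden, 0 };

    printf("clean region attests: %d\n", attestation_round(&v, 0x1234u));
    code_region[4] ^= 0xff;   /* simulate a patched instruction */
    printf("patched region attests: %d\n", attestation_round(&v, 0x5678u));
    return 0;
}
```

The verdict is returned to the caller rather than acted on, which is where the slide's delay component fits: a reaction taken immediately after the failing check tells the attacker exactly which check fired, so the application would record the verdict and degrade later, away from the point of detection.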

  26. Anti-disassembly
     • Hide code
       • packers, virtualization, download code on demand, self-modifying code
     • Junk bytes
     • Indirect control flow transfers
     • Jumps into the middle of instructions
     • Code layout randomization
     • Overlapping instructions
     • Exploit known heuristics
       • continuation points
       • patterns for function prologues, epilogues, calls, ...
     Often, wrong information is worse than no information.

  27. Anti-disassembly examples

     Example 1: a direct jump is rewritten as a call whose target immediately pops the pushed return address. The control flow is unchanged, but a disassembler that treats the bytes after a call as a continuation point will disassemble whatever follows 0x123a as code.

        original                     obfuscated
        0x123a: jmp 0xabca           0x123a: call 0xabca
        ...                          ...
        0xabca: addl #44,eax         0xabca: pop ebx
                                             addl #44,eax

     Example 2: a call/ret pair becomes an indirect control flow transfer. The return address is fetched from a data word at 0xc000 instead of being pushed by a call, and the callee returns through jmp *(esp), so neither the call graph nor the return edge is visible to static analysis.

        original                     obfuscated
        0x123a: call 0xabca          0x123a: push *(0xc000)
        ...                                  jmp 0xabca
        0xabca: ...                          pop eax
                ret                  ...
                                     0xabca: ...
                                             jmp *(esp)
                                     0xc000: 0x12424

  28. Anti-decompilation
     Exploit the semantic gap between source code and assembly code or bytecode
     • strip unnecessary symbol information
     • rename identifiers (I, l, L, 1)
     • goto spaghetti
     • disobey constructor conventions
     • disobey exception handling conventions

  29. Anti-decompilation example

     Source-level structure:

        pre();
        try {
            might_throw_exception();
        } catch (Exception e) {
            handle_exception();
        }
        post();

     (figure: the obfuscated control-flow graph of the same code, in which a flag (flag = 1, flag = 0, tested by if(flag)) and the fall-through and on-exception edges of the handler are used so that the flow no longer maps onto a try/catch; only these labels survived extraction)

     Batchelder, Michael, and Laurie Hendren. "Obfuscating Java: the most pain for the least gain." In Compiler Construction, pp. 96-110. Springer Berlin Heidelberg, 2007.

  30. Anti-debugging
     • Option 1: check the environment for the presence of a debugger
     • Option 2: prevent a debugger from attaching
       • OS & hardware support at most one debugger per process
       • occupy the one seat with a custom "debugger" process
       • make control & data flow dependent on the custom debugger
       • anti-debugging by means of self-debugging
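Option 1 in code, as an added example that is not from the slides: on Linux the kernel reports the PID of an attached tracer in the TracerPid field of /proc/self/status (a real /proc convention), so a process can read that file and see whether something holds the debugger seat. The parser is separated from the file access so it can be exercised on constructed status text; the sample texts below are constructed for the example.

```c
/* Added example: environment check for an attached debugger (slide 30,
 * option 1). Assumes the Linux /proc/<pid>/status layout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the TracerPid value found in a /proc/<pid>/status text,
 * or -1 when the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t klen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, klen) == 0)
            return strtol(line + klen, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');                  /* advance to next line */
        if (line) line++;
    }
    return -1;
}

/* 1 if a tracer is attached to this process, 0 if none, -1 if it cannot
 * be determined (non-Linux system, /proc unavailable, field missing). */
int debugger_attached(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;

    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    long pid = parse_tracer_pid(buf);
    if (pid < 0) return -1;
    return pid != 0;
}

/* Constructed status excerpts for offline testing of the parser. */
static const char status_clean[]  =
    "Name:\tapp\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n";
static const char status_traced[] =
    "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";

int main(void)
{
    printf("parser on clean sample:  %ld\n", parse_tracer_pid(status_clean));
    printf("parser on traced sample: %ld\n", parse_tracer_pid(status_traced));
    printf("this process traced:     %d\n", debugger_attached());
    return 0;
}
```

The weakness the slide's option 2 addresses is visible here: the check is a single read of a file followed by a comparison, so a debugger already in control of the process can intercept the read or patch out the comparison. Occupying the debugger seat with a custom process, and making the program depend on it, removes the seat rather than merely checking who sits in it.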

  31. Self-Debugging (figure: function 1, function 2, function 3 and a mini debugger inside one binary)

  32. Self-Debugging (figure: two copies of function 1, function 2, function 3 and the mini debugger)

  33. Self-Debugging (figure: process 1045, the debugger, and process 3721, the debuggee, each carrying function 1, function 2, function 3 and the mini debugger)

  34. Self-Debugging (figure: as on slide 33, but function 2 is split into function 2a and function 2b, with one part migrated to the other process, so that control and data flow depend on the debugger process)
