code deobfuscation
play

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic - PowerPoint PPT Presentation

Sep 15, 2023 •184 likes •771 views

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David & Sbastien Bardin CEA LIST Who are we ? #Robin David #Sbastien Bardin PhD Student Full-time researcher at CEA LIST at CEA LIST Where

  1. Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David & Sébastien Bardin CEA LIST

  2. Who are we ? #Robin David #Sébastien Bardin PhD Student Full-time researcher ● ● at CEA LIST at CEA LIST Where are we ? Atomic Energy Commission (CEA LIST), Paris Saclay ● Software Safety & Security Lab ○ ○

  3. Context & Goal Analysis of obfuscated binaries and malware (potentially self-modifying) Recovering high-level view of the program (e.g CFG) Locating and removing obfuscation if any Challenges ? Static, dynamic and symbolic analyses are not enough used alone Scalability, robustness, “infeasibility queries”

  4. Our proposal A new symbolic method for infeasiblity-based obfuscation problems A combination of approaches to handle obfuscations impeding different kind of analyses Achievements A set of tool to analyse binaries (instrumentation, binary analysis and IDA integration) Detection of several obfuscations in packers Deobfuscation of the X-Tunnel malware (for which obfuscation is stripped)

  5. Long term objectives Execution trace dynamic dynamic symbolic disassembly execution new input Obfuscation information Partial safe CFG static disassembly Takeaway message disassembling highly obfuscated codes is challenging ◦ combining static, dynamic and symbolic is promising ◦ (accurate and efficient)

  6. Agenda Background 1. Disassembling obfuscated codes 2. Dynamic Symbolic Execution Our proposal 3. Backward-Bounded DSE 4. Analysis combination Binsec 5. The Binsec platform Case-studies 6. Packers 7. X-Tunnel

  7. 1 Disassembling obfuscated codes Getting an exploitable representation of the program

  8. An essential task before in-depth analysis is the CFG disassembly recovery of the program

  9. Disassembly issues Non-code bytes Code Missing symbols (function discovery addr) (aka. Decoding Instruction overlapping opcodes) CFG Indirect control-flow reconstruction Non-returning functions (aka. Building the graph, nodes & edges) Function code sharing CFG partitioning Non-contiguous function (aka. Finding functions, Tail calls bounds etc) *segmentation proposed in Binary Code is Not Easy, Xiaozhu Meng, Barton P. Miller

  10. Obfuscation Any means aiming at slowing-down the analysis process either for a human or an automated algorithm

  11. Obfuscation diversity Control Data Vs function calls, edges strings, constants.. Target Against Control Data Static Dynamic CFG flattening ⚫ ⚫ Jump encoding ⚫ ⚫ (direct → indirect/computed) Opaque predicates ⚫ ⚫ VM (virtual-machines) ⚫ ⚫ ⚫ ⚫ Polymorphism (self-modification, ⚫ ⚫ ⚫ resource ciphering) Call/Stack tampering ⚫ ⚫ Anti-debug / anti-tampering ⚫ ⚫ ⚫ Signal / Exception ⚫ ⚫ and so many others….

  12. Opaque predicates eg: 7y 2 - 1 ≠ x 2 Definition : Predicate always (for any value of x, y in evaluating to true (resp. false). modular arithmetic) (but for which this property is ↧ difficult to deduce) mov eax, ds:X Taxonomy : mov ecx, ds:Y imul ecx, ecx ◦ Arithmetic based imul ecx, 7 ◦ Data-structure based sub ecx, 1 imul eax, eax Pointer based ◦ cmp ecx, eax ◦ Concurrence based jz <trap_addr> ◦ Environment based Corollary : ◦ the dead branch allow to ▫ growing the code (artificially) drowning the genuine code ▫

  13. Call stack tampering Definition : Alter the standard address instr compilation scheme of calls 80483d1 call +5 and ret instructions 80483d6 pop edx 80483d7 add edx, 8 Corollary : 80483da push edx real ret target hidden, and ◦ 80483db ret returnsite potentially not code Impede the recovery of ◦ 80483dc .byte {invalid} control flow edges 80483de [...] ◦ Impede the high-level function recovery In addition, able to characterize the tampering with alignment and multiplicity Need to handle the tail call optimization..

  14. Deobfuscation ◦ Revert the transformation (sometimes impossible) ◦ Simplify the code to facilitate later analyses

  15. Disassembly Notations Correct : only genuine (executable) ◦ instructions are disassembled Complete : All genuine instructions ◦ are disassembled Standard approaches static dynamic symbolic scale ⚫ ⚫ ⚫ robust (obfuscation) ⚫ ⚫ ⚫ correct ⚫ ⚫ ⚫ complete ⚫ ⚫ ⚫

  16. Disassembly Notations Correct : only genuine (executable) ◦ instructions are disassembled Complete : All genuine instructions ◦ jmp are disassembled eax Standard approaches ◦ Static disassembly static dynamic symbolic scale ⚫ ⚫ ⚫ robust (obfuscation) ⚫ ⚫ ⚫ correct ⚫ ⚫ ⚫ complete ⚫ ⚫ ⚫ dynamic jump

  17. Disassembly Notations Correct : only genuine (executable) ◦ instructions are disassembled Complete : All genuine instructions ◦ jmp are disassembled eax Standard approaches ◦ Static disassembly Dynamic disassembly ◦ static dynamic symbolic scale ⚫ ⚫ ⚫ robust (obfuscation) ⚫ ⚫ ⚫ correct ⚫ ⚫ ⚫ complete ⚫ ⚫ ⚫ dynamic jump input dependent

  18. 2 Dynamic Symbolic Execution a.k.a Concolic Execution

  19. Dynamic Symbolic Execution Definition: Symbolic Execution is the mean of executing a program using symbolic values (logical symbols) rather than actual values (bitvectors) in order to obtain in-out relationship of a path. How to reach “OK” ? Source Code (C) Formula: int f(int a, int b) { a < 10 ∧ a > b a < 10 if (a < 10) { if (a > b) { printf(“Ok”); } a > b Solution: } a=5, b=1 } print(“OK”)

  20. Why using DSE ? More difficult to hide the semantic of the program than its syntactical form.

  21. Intermediate Representation (IR) → Encode the semantic of a Language DBA machine instruction bv bitvector (constant value) Advantages: l := loc (addr + offset) ◦ bitvector size e := v | bv | ⊥ | ⊤ @ [ e ] (read memory) statically known e ◇ e | ◇ e side-effect free ◦ lhs := v (variable) ◦ bit-precise v{i,j} (extraction) @[ e ] (write memory) Shortcomings: inst := lhs := e goto e | goto l ◦ no floats ite (c)? goto l1; goto l2 ◦ no thread modeling assert e | assume e .. no self-modification ◦ ◦ no exception ◦ x86(32) only Many other similar IR: REIL, BIL, VEX, LLVM IR, MIASM IR, Binary Ninja IR

  22. DBA example Decoding: imul eax, dword ptr[esi+0x14], 7 res32 := @[esi (32) + 0x14 (32) ] * 7 (32) temp64 := (exts @[esi (32) + 0x14 (32) ] 64) * (exts 7 (32) 64) OF := (temp64 (64) ≠ (exts res32 (32) 64)) SF := ⊥ ZF := ⊥ CF := OF (1) eax := res32 (32)

  23. DSE on a switch Source Code (C) enum E = {A, B, C} push ebp int myfun(int x) { mov ebp, esp cmp [esp+8], 3 switch(x) { case A: x+=0; break; case B: x+=1; break; case C: x+=2; break; mov eax, [ebp+8] ≤ ja @ret } } shl eax, 2 add eax, JMPTBL x86 assembly Symbolic Execution mov eax, [eax] > (input:esp, ebp, memory) push ebp @[esp] := ebp jmp eax mov ebp, esp ebp1 := esp 2 0 cmp [ebp+8], 3 1 @[ebp1+8] < 3 ja @ret mov eax, [ebp+8] eax1 := @[esp+8] shl eax, 2 eax2 := eax1 << 2 add eax, JMPTBL eax3 := eax2 + JMPTBL ret mov eax, [eax] eax4 := @[eax3] Path predicate φ : jmp eax eax4 == 2 (C) @[ebp1+8] < 3 ∧ eax4 == 2 [...] @[esp+8] < 3 ∧ @[(@[esp+8] ≪ 2) + JMPTBL] == 2 ret

  24. DSE Vs Static & Dynamic approaches Advantages : ◦ sound program execution (thanks to dynamic) path sure to be feasible (unlike static) ◦ ◦ next instruction always known (unlike static) ◦ loops are unrolled by design (unlike static) ◦ can generate new inputs (unlike dynamic) guided new paths discovery (unlike dynamic) ◦ ◦ thwart basic tricks (cover-overlapping etc) static dynamic symbolic scale ⚫ ⚫ ⚫ robust (obfuscation) ⚫ ⚫ ⚫ correct ⚫ ⚫ ⚫ complete ⚫ ⚫ ⚫ The challenge for DSE is to make it scale on huge path length and to cover all paths...

  25. 3 Backward-Bounded DSE Complementary approach for infeasibility-based problems

  26. BB-DSE : Example of a call stack tampering Goal call XX Checking that the return address cannot be tampered by the add [esp], 9 function cmp edx, [esp+4] ◼ false negative : miss the tampering (too small bound) jnz XX ◼ correct : find the tampering inc edx mov edx, 0 ◼ + ◼ complete : validate the mov eax, edx tampering for all paths ret

  27. Backward-Bounded DSE (new) Infeasibility query : Query aiming at proving the infeasibility of some events or configuration. (while traditional SE performs feasibility requests (paths, values) to paths over approximated generate satisfying inputs) paths Properties : lost in computation backward ◦ backward approach bounded solve infeasibility queries ◦ DSE ◦ goal-oriented computation bounded reasoning ◦ ◦ bound modulable for the need (forward) DSE bb-DSE feasibility queries ⚫ ⚫ infeasibility queries ⚫ ⚫ scale ⚫ ⚫ Not FP/FN free, but very low rates

  28. 4 Combination Intertwining Dynamic, Static and Symbolic

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1. Obfuscating Arithmetic 2. Opaque Expressions 3. Control Flow Flattening 4. Constructing Opaque Expressions 5. Generic Deobfuscation 6. Turning up

1.39k views • 95 slides
DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA LIST, QuarksLab) Jean-Yves Marion (LORIA) Sbastien Bardin et al. Dagstuhl2017 | 1 IN A NUTSHELL Challenge: malware deobfuscation

641 views • 36 slides
symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

664 views • 40 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with computers, phones, sensors Records constantly Intro We worked on one system used for alcohol craving and drinking prediction Collected

422 views • 23 slides
Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research domain: system software compilers, binary rewriting tools, whole program optimization (binary &amp; Java), virtualization, run-time environments

680 views • 45 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9

Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9

Ex. 8.4 7-4-2-1 code Codeconverter 7-4-2-1-code to BCD-code. When encoding the digits 0 ... 9 sometimes in the past a code having weights 7-4-2-1 instead of the binary code weights 8-4-2-1 was used. In the cases where a digit's code word

830 views • 66 slides
Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne

Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne

Clean Code 1 / 24 Clean Code What is clean code? Elegant and efficient. Bjarne Stroustrup Simple and direct. Readable. Grady Booch Understandable by others, tested, literate. Dave Thomas Code works pretty much as

351 views • 24 slides
Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation

Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation

Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation Target language Relocatable machine code Commercial compilers produce this Absolute machine code OS code must start at a particular memory

503 views • 19 slides
CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong

CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong

CloPlag A Study of Effects of Code Obfuscation to Code Similarity Detection Tools Chaiyong Ragkhitwetsagul, Jens Krinke, Albert Cabr Juan Cloned Code vs Plagiarised Code A result from source code Created in a similar way as code

479 views • 31 slides
SOUTHWEST BCSW ENROLLMENT GROWTH FTES by ZIP CODE FTES by ZIP CODE 2013-14 FTES by ZIP CODE

SOUTHWEST BCSW ENROLLMENT GROWTH FTES by ZIP CODE FTES by ZIP CODE 2013-14 FTES by ZIP CODE

BAKERSFIELD COLLEGE SOUTHWEST BCSW ENROLLMENT GROWTH FTES by ZIP CODE FTES by ZIP CODE 2013-14 FTES by ZIP CODE 2014-15 FTES by ZIP CODE 2015-16 FTES by ZIP CODE 2016-17 FTES by ZIP CODE 2017-18 State Apportionment for Previous Three

343 views • 31 slides
Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate Code optimizer Code generator Code generator Input: intermediate code + symbol tables In our case, three-address code All variables

717 views • 38 slides
Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us

Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us

Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us IS HOW YOU SEE US This publication is funded by SIDA, the Swedish International Development Cooperation Agency, through MyRight- Empowers People

343 views • 20 slides
Left-Leaning Red-Black Trees Robert Sedgewick Princeton University Original version: Data

Left-Leaning Red-Black Trees Robert Sedgewick Princeton University Original version: Data

Left-Leaning Red-Black Trees Robert Sedgewick Princeton University Original version: Data structures seminar at Dagstuhl (Feb 2008) red-black trees made simpler (!) full delete() implementation This version: Analysis of Algorithms

1.06k views • 89 slides
COVID-19 Press Briefing May 1, 2020 CCBH Cases Lab-confirmed cases 1,237 Probable

COVID-19 Press Briefing May 1, 2020 CCBH Cases Lab-confirmed cases 1,237 Probable

COVID-19 Press Briefing May 1, 2020 CCBH Cases Lab-confirmed cases 1,237 Probable cases 441 Total cases 1,678 Age range 1week 101 years old Sex Female 54% Male 46% CCBH Cases Date of illness onset

159 views • 15 slides
OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee (* denotes equal contribution) Program Obfuscation Program Obfuscation Trusted Untrusted (except

1.34k views • 116 slides
FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1

FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1

DECOMPOSITION, ABSTRACTION, FUNCTIONS (download slides and .py files follow along!) 6.0001 LECTURE 4 1 6.0001 LECTURE 4 LAST TIME while loops vs for loops should know how to write both kinds should know when to

501 views • 35 slides
Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of

Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of

Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of Washington Synthesis: write programs automatically Syntax Semantics Synthesis: write programs automatically Syntax Semantics Synthesis: write

1.02k views • 87 slides
Black Hole Perturbation Toolkit Barry Wardell University College Dublin Advances in Computational

Black Hole Perturbation Toolkit Barry Wardell University College Dublin Advances in Computational

Black Hole Perturbation Toolkit Barry Wardell University College Dublin Advances in Computational Relativity, bhptoolkit.org ICERM, 16 th September 2020 Workshop outline - Overview of the toolkit (~30 minutes) - Tutorial: Getting started with

734 views • 25 slides
Numerical relativity: Triumphs and challenges of binary black hole simulations Mark A. Scheel

Numerical relativity: Triumphs and challenges of binary black hole simulations Mark A. Scheel

Numerical relativity: Triumphs and challenges of binary black hole simulations Mark A. Scheel Caltech SXS Collaboration: www.black-holes.org ROM-GR, Jun 06 2013 Mark A. Scheel (Caltech) Numerical relativity Jun 06 2013 1 / 37 Outline

680 views • 43 slides
KIA ORA DRAWER SLIDES Quality Cabinet Hardware 1 CONTENTS 3. Overview 4. Key

KIA ORA DRAWER SLIDES Quality Cabinet Hardware 1 CONTENTS 3. Overview 4. Key

KIA ORA DRAWER SLIDES Quality Cabinet Hardware 1 CONTENTS 3. Overview 4. Key Features 6. Soft Close Drawer Slides 7. Standard Drawer Slides 2 OVERVIEW WILSON &amp; BRADLEY In this brochure you will fjnd the latest range of

273 views • 8 slides

More recommend