symbolic deobfuscation
play

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin - PowerPoint PPT Presentation

May 15, 2023 •249 likes •664 views

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

  1. CODE PROTECTION: the promises and limits of symbolic deobfuscation Sébastien Bardin (CEA LIST) Sébastien Bardin – GreHack 2017 | 1

  2. ABOUT MY LAB @CEA [Paris-Saclay, France] Sébastien Bardin – GreHack 2017 | 2

  3. IN A NUTSHELL • Challenge: code deobfuscation • Standard tools (dynamic, syntactic) not enough • Semantic methods can help [obfuscation preserves semantic] Yet, need to be carefully adapted • • A tour on how symbolic methods can help • Explore and discover [SANER 2016] • Prove infeasibility [BH Europe 2016, S&P 2017] • Simplify [SSTIC 2017] Sébastien Bardin – GreHack 2017 | 3

  4. OUTLINE • Context • Code Protection • Semantic analysis • Symbolic deobfuscation • Basis: Symbolic execution • Part I: Explore & Discover -- crackme • Part II: Prove infeasibility -- malware x-tunnel • Part III: Simplify -- devirtualization • Conclusion Sébastien Bardin – GreHack 2017 | 4

  5. MATE: MAN-AT-THE-END ATTACK MATE: Man-At-The-End Attacker is on the computer • R/W the code • Execute step by step • Patch on-the-fly New field MITM: Man-In-The-Middle Attacker is on the network • Observe messages • Forge messages Known crypto solutions Sébastien Bardin – GreHack 2017 | 5

  6. FACT: SOFTWARE IS JUST DATA • You can execute it • But you may prefer to: • Read it <reverse legacy code, or …………….. steal crypto keys> • Modify it <patch a bug, or ………………………. bypass a security check> Code & Data attack Code & Data protection (MATE) (obfuscation) Sébastien Bardin – GreHack 2017 | 6

  7. <aparté> NOT SO HARD FOR EXPERTS Sébastien Bardin – GreHack 2017 | 7

  8. A SOLUTION: OBFUSCATION State of the art • No usable math-proven solution • Useful ad hoc solutions (strength?) Transform P into P’ such that • P’ behaves like P • P’ roughly as efficient as P • P’ is very hard to understand Sébastien Bardin – GreHack 2017 | 8

  9. OBFUSCATION IN PRACTICE • self-modification • encryption • virtualization • code overlapping • opaque predicates • callstack tampering • … Sébastien Bardin – GreHack 2017 | 9

  10. EXAMPLE: OPAQUE PREDICATE Constant-value predicates (always true, always false) • dead branch points to spurious code • goal = waste reverser time & efforts Sébastien Bardin – GreHack 2017 | 10

  11. EXAMPLE: STACK TAMPERING Alter the standard compilation scheme: ret do not go back to call • hide the real target • return site is spurious code Sébastien Bardin – GreHack 2017 | 11

  12. EXAMPLE: VIRTUALIZATION long secret(long x) { …… Bytecodes - Custom ISA return x; } Fetching Turns code P into Decoding • a proprietary bytecode program • + a homemade VM (runtime) Dispatcher • Easy to recover the VM structure Operator 1 Operator 2 Operator 3 • But does not say anything about P Terminator Sébastien Bardin – GreHack 2017 | 12

  13. DEOBFUSCATION • Ideally, get P back from P’ • Or, get close enough • Or, help understand P Sébastien Bardin – GreHack 2017 | 13

  14. WHY WORKING ON DEOBFUSCATION? <in an ethical manner> • Software protection • Assess the power of current obfuscation schemes • Special case: white-box crypto <hide keys> • Malware analysis Comprehension: help to understand the malware <goal, functions, weaknesses> • Detection: remove the protection layer • Sébastien Bardin – GreHack 2017 | 14

  15. DEOBFUSCATION NEEDS TOOLING • Strongly rely on human expert • While obfuscation is automatic Proper tool support • Explore (find hidden parts) • Prove (identify spurious code) • Simplify Sébastien Bardin – GreHack 2017 | 15

  16. <aparté> STATE-OF-THE-ART TOOLS ARE NOT ENOUGH FOR DEOBFUSCATION Just add mov %eax,%ecx mov %ecx,%eax and break results • Static (syntactic): too fragile • Dynamic: too incomplete Sébastien Bardin – GreHack 2017 | 16

  17. SOLUTION? SEMANTIC PROGRAM ANALYSIS • From formal methods for safety-critical systems • Semantic = meaning of the program • Possibly well adapted Semantic preserved Can reason about by obfuscation sets of executions • find rare events • prove, simplify • Symbolic deobfuscation + strong • Explore and discover [SANER 2016] theoretical ground • Prove infeasibility [Black Hat EU 2016, S&P 2017] • Simplify [SSTIC 2017] Sébastien Bardin – GreHack 2017 | 17

  18. <En aparté > ABOUT FORMAL METHODS Clear success in safety-critical Sébastien Bardin – GreHack 2017 | 18

  19. OK but … WHICH APPROACH? (Formal Method Zoo) • Abstract interpretation • Weakest precondition • Model Checking • Property-directed checking • Symbolic model checking • Symbolic execution • Bounded model checking • Interactive theorem proving • Counter-example guided model checking • Type systems • Interpolation-based model checking • Correct by construction • k-induction • ….. Constraints • Not too hard to adapt to binary level • Robust to nasty low-level tricks Sébastien Bardin – GreHack 2017 | 19

  20. SYMBOLIC EXECUTION (2005) Given a path of a program • Compute its « path predicate » f • Solution of f  input following the path • Solve it with powerful existing solvers Sébastien Bardin – GreHack 2017 | 20

  21. SYMBOLIC EXECUTION (2005) Good points: • No false positive = find real paths • Robust (symb. + dynamic) • Extend rather well to binary code Given a path of a program • Compute its « path predicate » f • Solution of f  input following the path • Solve it with powerful existing solvers Sébastien Bardin – GreHack 2017 | 21

  22. BINSEC: SYMBOLIC DEOBFUSCATION Sébastien Bardin – GreHack 2017 | 22

  23. PART I: EXPLORE Forward reasoning • Follows path • Find new branch / jumps • Standard DSE setting Advantages • Find new real paths • Even rare paths « dynamic analysis on steroids » Sébastien Bardin – GreHack 2017 | 23

  24. Solve for new dynamic targets IN PRACTICE • Get a first target • Then solve for a new one • Get it, solve again , … • Get them all! Sébastien Bardin – GreHack 2017 | 24

  25. EXAMPLE: FIND THE GOOD PATH Sébastien Bardin – GreHack 2017 | 25

  26. PART II: PROVE Prove that something is always true (resp. false) Many such issues in reverse • is a branch dead? • does the ret always return to the call? • have i found all targets of a dynamic jump? • does this expression always evaluate to 15? • … Not addressed by DSE • Cannot enumerate all paths Sébastien Bardin – GreHack 2017 | 26

  27. BACKWARD SYMBOLIC EXECUTION • Prove infeasible Explore & discover Sébastien Bardin – GreHack 2017 | 27

  28. CASE-STUDY: PACKERS Packers: legitimate software protection tools (basic malware: the sole protection) Sébastien Bardin – GreHack 2017 | 28

  29. CASE-STUDY: PACKERS (fun facts) Sébastien Bardin – GreHack 2017 | 29

  30. CASE-STUDY: THE XTUNNEL MALWARE (part of DNC hack) Two heavily obfuscated samples • Many opaque predicates Goal: detect & remove protections • Identify 50% of code as spurious • Fully automatic, < 3h Sébastien Bardin – GreHack 2017 | 30

  31. CASE-STUDY: THE XTUNNEL MALWARE (fun facts) • Protection seems to rely only on opaque predicates • Only two families of opaque predicates • Yet, quite sophisticated original OPs • interleaving between payload and OP computation • sharing among OP computations • possibly long dependencies chains (avg 8.7, upto 230) • Sébastien Bardin – GreHack 2017 | 31

  32. PART III: SIMPLIFY Why? recover hidden simple expressions • Junk code, junk computations • Opaque values • Duplicate code • Complex patterns (MBAs) Symbolic reasoning a priori well adapted • Normalization / rewrite rules: (a+b-a)  b • Solver-based proof: solve(a+b-a =!= b) Sébastien Bardin – GreHack 2017 | 32

  33. CASE-STUDY: DEVIRTUALIZATION (tool Triton) Bytecode long secret(long x) { long secret’( long x) { …… …… return x; return x; } } Simplify Goal & merge • Small protected hash functions Discard VM part Optimizations • Get the original function back Binary Triton AST Arybo LLVM- Binary code (+ simplif.) IR IR code Sébastien Bardin – GreHack 2017 | 33

  34. CASE-STUDY: DEVIRTUALIZATION (tool Triton) TIGRESS Challenge • 7 (classes of) challenges • 5 codes per class • Original codes: hash-like functions • Focus on challenges 0-4 • Only challenge 1 was solved Solve challenges 0 - 4 (25 samples) • very close to the original codes • sometimes even smaller! • very efficient (<1min on 20/25) Sébastien Bardin – GreHack 2017 | 34

  35. CASE-STUDY: DEVIRTUALIZATION (tool Triton) • Opcode duplicate: merged! • 2-level VM (challenge 4): still ok • Also tested vs each VM-option Sébastien Bardin – GreHack 2017 | 35

  36. REMINDER: SYMBOLIC DEOBFUSCATION • EXPLORE • PROVE • SIMPLIFY Sébastien Bardin – GreHack 2017 | 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp;

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp;

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp; Sbastien Bardin CEA LIST Who are we ? #Robin David #Sbastien Bardin PhD Student Full-time researcher at CEA LIST at CEA LIST Where

771 views • 58 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Carl Svensson Exploit development and deobfuscation September 13, 2018 SEC-T 2018 Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, Kry CTF-player, HackingForSoju 1 About me

695 views • 23 slides
Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1. Obfuscating Arithmetic 2. Opaque Expressions 3. Control Flow Flattening 4. Constructing Opaque Expressions 5. Generic Deobfuscation 6. Turning up

1.39k views • 95 slides
DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA LIST, QuarksLab) Jean-Yves Marion (LORIA) Sbastien Bardin et al. Dagstuhl2017 | 1 IN A NUTSHELL Challenge: malware deobfuscation

641 views • 36 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with computers, phones, sensors Records constantly Intro We worked on one system used for alcohol craving and drinking prediction Collected

422 views • 23 slides
Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research domain: system software compilers, binary rewriting tools, whole program optimization (binary &amp; Java), virtualization, run-time environments

680 views • 45 slides
Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 / 16 Overview Symbolic So far in this course we dealt with MATLAB variables that were placeholders for numeric types (e.g., scalars, vectors,

953 views • 17 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko (firstname.lastname@aalto.fi) Department of Computer Science and Engineering, Aalto University &amp; Helsinki Institute for

522 views • 41 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June 9th, 2005 p. 1/29 Introduction There are currently two ways of handling loops in KeY: Symbolic execution - repeated unwinding of loops Can be

434 views • 29 slides
Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting

Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting

Quantifiers and Functions in Intuitionistic Logic Association for Symbolic Logic Spring Meeting Seattle, April 12, 2017 Rosalie Iemhoff Utrecht University, the Netherlands 1 / 37 Quantifiers are complicated. 2 / 37 Even more so in

519 views • 37 slides
t r rt t

t r rt t

rt trt t sts t rsts t r rt t

282 views • 17 slides

More recommend