Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Presented by Ming Jiang

Introduction
This paper addresses the problem of making binary programs hard to reverse engineer by making them difficult to disassemble statically. Binaries are obfuscated by changing many control transfers into signals (traps) and inserting bogus control transfers and "junk" instructions after the signals.

Two Assumptions Made by Disassemblers
1. The address where each instruction begins can be determined.
2. Control transfer instructions can be identified and their targets determined.
This paper shows how the second assumption can be violated, so that the program's actual control transfers cannot be identified by a static disassembler.

Two Disassembly Algorithms
Linear sweep: begins disassembly at the input program's first executable location and simply sweeps through the entire text section, disassembling each instruction as it is encountered. E.g., the GNU utility objdump.
Recursive traversal: starts at the program's main entry point and proceeds by following each branch instruction encountered, in a depth-first or breadth-first manner. E.g., IDA Pro.
Neither approach is 100% precise.

Overview (figure)

Key Aspects of the Approach
1. A variety of different instructions and addresses can be used to raise a signal at runtime; mprotect() can change page protections so that an access to an otherwise ordinary address traps.
2. The address used to generate the trap need not be a determinate value.

Key Aspects of the Approach (continued)
3. A variety of different traps can be used:
   SIGFPE: floating point exception
   SIGILL: illegal instruction
   SIGSEGV: illegal memory access
4. The location following the trap-generating instruction is unreachable, but this is not evident from standard control flow analyses.

Flip Conditional Branches
Before:
    JZ Address
    L: code after
After:
    JNZ L
    JMP Address
    L: code after
This transformation increases the set of candidate locations where obfuscation can be applied: the new unconditional JMP is a control transfer that can itself be replaced by a trap.

Inserting Bogus Code
- Confuses the control flow analysis of the program.
- Improves the stealthiness of the obfuscation.

Signal Handling: Normal Case (figure)

Signal Handling: Obfuscated Case (figure)
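What a trap site looks like at runtime, as an added example that is not from the paper or these slides: a store to a page whose protection forbids access (mapped here with PROT_NONE, the effect mprotect() is used for on the key-aspects slide) raises SIGSEGV, the handler resumes at the real continuation, and the code following the store never executes. The slides do not show how the handler resumes, so sigsetjmp/siglongjmp is this example's own assumption, as are the names obfuscated_transfer, on_segv and traps_seen.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

/* Where the handler resumes execution: this, not the instruction that
   follows the faulting store, is the real successor of the trap site. */
static sigjmp_buf real_target;
static volatile sig_atomic_t traps_taken;

/* SIGSEGV handler: performs the control transfer that the trap replaced. */
static void on_segv(int sig) {
    (void)sig;
    traps_taken++;
    siglongjmp(real_target, 1);   /* never resumes at the faulting instruction */
}

int traps_seen(void) { return (int)traps_taken; }

/* Returns 1 if control arrived via the signal path, 0 if the bogus
   fall-through code after the trap ran (it never should), -1 on setup error. */
int obfuscated_transfer(void) {
    long page = sysconf(_SC_PAGESIZE);
    /* A page whose protection forbids all access, so that a store to it
       raises SIGSEGV: this store is the trap-generating instruction. */
    volatile int *trap_addr = mmap(NULL, (size_t)page, PROT_NONE,
                                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (trap_addr == MAP_FAILED) return -1;

    struct sigaction sa = {0};
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);

    volatile int result = 0;
    if (sigsetjmp(real_target, 1) == 0) {
        *trap_addr = 42;          /* raises SIGSEGV; handler jumps to real target */
        /* Statically this looks like the successor of the store, but at
           runtime it is unreachable (point 4 of the key aspects). */
        result = 0;
    } else {
        result = 1;               /* the real continuation of the program */
    }
    signal(SIGSEGV, SIG_DFL);
    munmap((void *)trap_addr, (size_t)page);
    return result;
}
```

A dynamic trace, or a breakpoint on the handler, recovers the edge from the store to the real continuation that a static disassembler records as a fall-through.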

Evaluation Metrics
Obfuscations are evaluated with respect to:
- Potency (disassembly errors): to what degree is a human reader confused?
- Resilience (control flow errors): how well are automatic deobfuscation attacks resisted?
- Cost: how much time/space overhead is added?
- Stealth: how well does the obfuscated code blend in with the original code? That is, does the obfuscation process introduce any atypical instruction-sequence signatures that could be used to identify the obfuscated code statically?

IDA Pro, considered the best commercial disassembler, fails to disassemble 57% of the original instructions and over-reports control flow edges by 41%. However, the obfuscation slows down program execution because of signal-processing overhead; the average slowdown is 21%.
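To make the disassembly-error (potency) figure concrete, here is an added example, not from the paper, that runs both algorithms from the "Two Disassembly Algorithms" slide over a constructed toy instruction set in which a TRAP has replaced an unconditional jump, and counts how many really executed instructions each method misses. The ISA, the program bytes and the functions linear_sweep, recursive_traversal and missed are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy ISA (an assumption of this example, not the paper's x86):
   0x00 NOP; 0x01 t = JMP t; 0x02 t = JZ t; 0x03 TRAP (signal-based transfer
   whose target only the runtime handler knows); 0x04 RET; other bytes = data. */
enum { NOP, JMP, JZ, TRAP, RET };
/* Constructed obfuscated program: the original "JMP 6" at offset 0 became a
   TRAP whose handler resumes at 6; offsets 1..5 are bogus and junk bytes. */
static const uint8_t PROG[] = {
    TRAP,         /* 0: real successor is 6; static tools assume offset 1 */
    JMP, 5,       /* 1: bogus branch into junk */
    0x7f, NOP,    /* 3, 4: junk */
    JMP,          /* 5: junk opcode whose operand byte is the real NOP at 6 */
    NOP, NOP, RET /* 6..8: the real code */
};
#define N ((int)sizeof PROG)
static int insn_len(uint8_t op) { return (op == JMP || op == JZ) ? 2 : 1; }

/* Linear sweep (objdump style): decode consecutively from the first byte.
   Sets found[off] = 1 for every decoded instruction start; returns the count. */
int linear_sweep(int found[]) {
    memset(found, 0, N * sizeof found[0]);
    int count = 0;
    for (int pc = 0; pc < N; pc += insn_len(PROG[pc])) { found[pc] = 1; count++; }
    return count;
}
/* Recursive traversal (IDA Pro style): follow branches from the entry point.
   A TRAP has no statically visible target, so it is treated as fall-through. */
static void visit(int pc, int found[], int *count) {
    if (pc < 0 || pc >= N || found[pc]) return;
    found[pc] = 1; (*count)++;
    uint8_t op = PROG[pc];
    if (op == RET) return;
    if (op == JMP) { visit(PROG[pc + 1], found, count); return; }
    if (op == JZ) visit(PROG[pc + 1], found, count);
    visit(pc + insn_len(op), found, count);
}
int recursive_traversal(int found[]) {
    memset(found, 0, N * sizeof found[0]);
    int count = 0; visit(0, found, &count); return count;
}

/* Ground truth from running the program: offsets 0, 6, 7, 8 execute. The
   number of those a static method missed is its disassembly-error count. */
int missed(const int found[]) {
    static const int real[] = {0, 6, 7, 8};
    int m = 0;
    for (int i = 0; i < 4; i++) if (!found[real[i]]) m++;
    return m;
}
```

Linear sweep is thrown off only by the junk opcode that swallows a real byte, while recursive traversal follows the bogus branch and never reaches the real code at all, which is the effect the paper measures against IDA Pro.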

Distribution of Individual Opcodes (figure)

Distribution of Opcode Pairs (figure)

Thank you! Questions?