Deobfuscation of Virtualization-Obfuscated Software. Kevin Coogan, Gen Lu, Saumya Debray, Department of Computer Science, University of Arizona. Presenter: 張逸文.

Presentation transcript:

Deobfuscation of Virtualization-Obfuscated Software ADLab 1
Kevin Coogan, Gen Lu, Saumya Debray, Department of Computer Science, University of Arizona
Presenter: 張逸文

Outline ADLab 2
Introduction
Deobfuscation
Experimental Evaluation
Related Work
Conclusion

Introduction (1/4) ADLab 3
Basics of Reverse Engineering
   Compilation
   Decompilation

Introduction (2/4) ADLab 4
Virtualization obfuscators
   VMProtect, Code Virtualizer
Code Virtualizer marks a protected region in source: { VIRTUALIZER_START your code VIRTUALIZER_END }

Introduction (3/4) ADLab 5
Virtualization-obfuscated programs are resistant to static and dynamic analysis techniques
   The executed code reveals only the structure and logic of the byte-code interpreter
   Randomized VM
Outside-in approach
   Reverse engineer the VM interpreter
   Individual byte-code instructions
   Recover the logic
   Requires that the structure of the interpreter meet certain requirements

Introduction (4/4) ADLab 6
Programs interact with the system through system calls
Identify the instructions that interact with the system
Do not recover the original instructions
Capture the behavior of the code
General: applicable across a wide range of cases

Deobfuscation ADLab 7
Static analysis vs. dynamic trace
Identify instructions that are known to be part of the original code
No information about the specific structure of the interpreter is required

Deobfuscation ADLab 8
Overall approach:
1. Tracing tool  low-level execution trace
2. Identify system calls and their arguments  database
3. Instruction trace  relevant instructions
4. Build a subtrace  relevant subtrace

Deobfuscation ADLab 9
Value-based Dependence Analysis
   Does not recover the original code
   The process of deobfuscation must be semantics-preserving
   Identify instructions that affect the values of the arguments to system calls
   Slicing algorithms: control-dependent
   Data dependencies
   Use-definition chains: link instructions that use a variable to the instruction that defines it
   Problem: (see next slide)

Deobfuscation ADLab 10
 Value-based dependence
   if (I defines a location l ∈ S) {
       I is marked as relevant;
       l is removed from S;
       the set of locations used by I is added to S;
   }
 Problem: a pointer to a structure
   I uses some locations l_1, l_2, …, l_d
   if (I uses l_i ∈ P to define l_d) then l_d is added to P
   if (l_i accesses a memory location) then [l_i] is added to M
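The overall approach (slide 8) and the value-based dependence rule (slides 9 and 10) can be run end to end on a small trace. The following is an added example, not code from the paper or the slides: it walks a constructed dynamic trace backwards from a system call, keeping the working set S of locations that still need a definition, and marks an instruction relevant when it defines a member of S. The trace format (register names and concrete "mem:0x..." addresses as locations), the sample instructions and the "call write" system call are all constructed for the example; the pointer-tracking sets P and M from slide 10 are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceEntry:
    """One executed instruction from a dynamic trace (constructed format).

    Locations are register names ("eax") or concrete memory addresses
    ("mem:0x7ffc"); a dynamic trace has concrete addresses, so memory
    dependencies can be matched exactly rather than approximated.
    """
    text: str
    defs: frozenset
    uses: frozenset


def entry(text, defs=(), uses=()):
    return TraceEntry(text, frozenset(defs), frozenset(uses))


# Constructed trace: a VM interpreter fetches and dispatches a byte-code
# instruction (entries 0-1), then the handlers compute an argument and pass
# it to a system call (entries 2-6). Entry 4 is unrelated noise.
TRACE = [
    entry("movzx edx, byte [esi]", defs=["edx"], uses=["mem:0x500000", "esi"]),  # 0 fetch opcode
    entry("jmp [0x10000 + edx*4]", defs=["eip"], uses=["edx"]),                 # 1 dispatch
    entry("mov ebx, [0x402000]", defs=["ebx"], uses=["mem:0x402000"]),          # 2 load value
    entry("add ebx, 5", defs=["ebx"], uses=["ebx"]),                            # 3 compute
    entry("mov ecx, 7", defs=["ecx"]),                                          # 4 noise
    entry("mov [0x7ffc], ebx", defs=["mem:0x7ffc"], uses=["ebx"]),              # 5 store argument
    entry("call write", uses=["mem:0x7ffc"]),                                   # 6 system call
]


def backward_slice(trace, syscall_idx):
    """Return indices of the instructions that affect the syscall's arguments.

    S is the working set of locations still needing a definition. Walking the
    trace backwards, an instruction that defines a location in S is relevant:
    that location is consumed and the instruction's own uses join S.
    """
    S = set(trace[syscall_idx].uses)
    relevant = {syscall_idx}
    for idx in range(syscall_idx - 1, -1, -1):
        ins = trace[idx]
        defined = ins.defs & S
        if defined:
            relevant.add(idx)
            S -= defined
            S |= ins.uses
    return sorted(relevant)


def relevant_subtrace(trace, syscall_idx):
    """Texts of the relevant instructions, in execution order."""
    return [trace[i].text for i in backward_slice(trace, syscall_idx)]


if __name__ == "__main__":
    for line in relevant_subtrace(TRACE, 6):
        print(line)
```

Running it keeps only entries 2, 3, 5 and 6: the interpreter's fetch and dispatch code drops out because nothing it defines reaches the system-call argument. Note that the dispatch jump at entry 1 decided which handler ran at all, and that dependence is invisible to value-based slicing alone; that gap is what the equational reasoning on the following slides addresses.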

Deobfuscation ADLab 11
Relevant Conditional Control Flow
   Value-based dependence analysis does not identify the associated control-flow instructions
   The occurrence of conditional control flow
   IA-32 architecture: setting the condition-code flags in the eflags register
   Not so simple!
   Examine the target address
   Equational Reasoning System: translate each instruction in the dynamic trace into an equivalent set of equations

Deobfuscation ADLab 12
 Equational Reasoning System
   Identifies conditional dependencies
   The left-hand-side variable in an equation is numbered by the order in which its instruction appears
   The right-hand-side variables are numbered by the instruction that defined them
   Example 1.

Deobfuscation ADLab 13
 Example 2.
 Example 3.
   Indirect jump

Deobfuscation ADLab 14
 Example 4.
   Used in VMProtect
   Target_20 = index_1 * 4 + 0x10000
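Slides 11 to 14 describe the equational reasoning system only in outline, so here is an added example (not code from the paper or the slides) that applies the numbering rule from slide 12: each instruction becomes one equation whose left-hand side is dest_n (n = the instruction's position in the trace) and whose right-hand-side registers are renamed reg_m (m = the instruction that last defined them, 0 for a value that came from outside the trace). Expanding a jump's equation then expresses its target in terms of outside inputs, in the shape of the slide's Example 4, and the instructions it depends on are exactly those whose numbers appear in the expansion. The simplified instruction set, the RENDER table, the "index" and "counter" inputs and both traces are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instr:
    """Simplified trace instruction (constructed): destination register,
    operation, and source operands (register names or integer constants)."""
    dest: str
    op: str
    srcs: tuple


# How each operation is rendered when its equation is written out.
RENDER = {
    "mov": "{0}",
    "shl": "({0} << {1})",
    "add": "({0} + {1})",
    "cmp": "cmp({0}, {1})",
    "jz":  "(ZF({0}) ? {1} : {2})",   # srcs: flags, taken target, fall-through
    "jmp": "{0}",
}

# Constructed trace in the shape of slide Example 4: an indirect jump whose
# target is computed from a byte-code operand ("index") and a table base.
INDIRECT_JUMP_TRACE = [
    Instr("eax", "mov", ("index",)),        # 1: load the index
    Instr("eax", "shl", ("eax", 2)),        # 2: index * 4
    Instr("eax", "add", ("eax", 0x10000)),  # 3: + table base
    Instr("eip", "jmp", ("eax",)),          # 4: jump to the computed target
]

# Constructed trace with a flag-based conditional jump.
CONDITIONAL_TRACE = [
    Instr("ebx", "mov", ("counter",)),
    Instr("eflags", "cmp", ("ebx", 0)),
    Instr("eip", "jz", ("eflags", 0x401020, 0x401010)),
]


def _term(t, last_def):
    # Constants are kept as hex text; registers are renamed to reg_m.
    return hex(t) if isinstance(t, int) else f"{t}_{last_def.get(t, 0)}"


def build_equations(trace):
    """One (lhs, op, rhs_terms) equation per instruction, numbered from 1."""
    last_def, equations = {}, []
    for n, ins in enumerate(trace, start=1):
        rhs = tuple(_term(s, last_def) for s in ins.srcs)
        equations.append((f"{ins.dest}_{n}", ins.op, rhs))
        last_def[ins.dest] = n
    return equations


def render_equations(equations):
    """Human-readable form of the equation system."""
    return [f"{lhs} = {RENDER[op].format(*rhs)}" for lhs, op, rhs in equations]


def expand(equations, var):
    """Substitute defining equations into var until only outside inputs
    (suffix _0) and constants remain."""
    table = {lhs: (op, rhs) for lhs, op, rhs in equations}

    def go(v):
        if v not in table:
            return v
        op, rhs = table[v]
        return RENDER[op].format(*(go(t) for t in rhs))

    return go(var)


def dependencies(equations, var):
    """Numbers of the instructions whose values flow into var (transitively)."""
    table = {lhs: rhs for lhs, _, rhs in equations}
    deps, work = set(), list(table.get(var, ()))
    while work:
        t = work.pop()
        if t in table:
            n = int(t.rsplit("_", 1)[1])
            if n not in deps:
                deps.add(n)
                work.extend(table[t])
    return deps


if __name__ == "__main__":
    for trace, target in ((INDIRECT_JUMP_TRACE, "eip_4"), (CONDITIONAL_TRACE, "eip_3")):
        eqs = build_equations(trace)
        print("\n".join(render_equations(eqs)))
        print(target, "=", expand(eqs, target), "depends on", sorted(dependencies(eqs, target)))
```

For the indirect-jump trace the expansion is ((index_0 << 0x2) + 0x10000), the same shape as Target_20 on slide 14, and the jump depends on instructions 1 to 3; for the conditional trace the target becomes a choice between two constants governed by ZF(cmp(counter_0, 0x0)), which is how the flag-setting compare is tied to the jump without pattern-matching eflags by hand.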

Deobfuscation ADLab 15

Deobfuscation ADLab 16

Deobfuscation ADLab 17
Relevant Call-Return Control Flow
   Identifying functions: the behavior of calls and returns
   Knowing how they work allows one to use them for other purposes
   Behavior of Function Calls and Returns

Deobfuscation ADLab 18
registers; rewriting call as push cannot be resolved

Deobfuscation ADLab 19
 Identification Approach
   Call: a code address is saved at the call site
   Return: the saved address is used for a control transfer at the return point
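Slides 17 to 19 define calls and returns by behavior rather than by mnemonic, which is what lets the approach cope with a VM that emits push+jmp in place of call (the situation slide 18 alludes to). The following added example (not code from the paper or the slides) applies the two rules of slide 19 to a constructed trace: a call site is an instruction that saves a code address to the stack, and a return point is a control transfer whose target is that saved value, reached through a load from the stack slot. The tiny instruction vocabulary, the code-section range, the 5-byte call length and the trace itself are constructed assumptions.

```python
# Constructed code-section range of the sample program.
CODE_LO, CODE_HI = 0x401000, 0x403000

# Constructed: assume every native call is a 5-byte encoding, so the
# implicitly saved return address is the call's address + 5.
CALL_LEN = 5

# Constructed trace: (address, operation, operands). The first call is
# emulated with push+jmp and its return with pop+jmp, as a VM might emit;
# a native call/ret pair follows; the final indirect jmp is not a return.
TRACE = [
    (0x401000, "push_imm", 0x401010),        # 0: save a code address (call site)
    (0x401005, "jmp_imm", 0x402000),         # 1: transfer to the callee
    (0x402000, "mov_imm", "eax", 1),         # 2
    (0x402005, "pop", "ecx"),                # 3: reload the saved address
    (0x402006, "jmp_reg", "ecx"),            # 4: transfer to it (return point)
    (0x401010, "call", 0x402100),            # 5: native call, saves 0x401015
    (0x402100, "mov_imm", "eax", 2),         # 6
    (0x402105, "ret"),                       # 7: native return
    (0x401015, "mov_imm", "ebx", 0x401030),  # 8: a code address, but never saved on the stack
    (0x40101a, "jmp_reg", "ebx"),            # 9: plain indirect jump, not a return
]


def identify_calls_returns(trace, code_lo=CODE_LO, code_hi=CODE_HI):
    """Pair call sites with return points as (call_index, return_index, address).

    Each stack slot and register value carries the index of the instruction
    that saved it (None when it did not come from a save), so the use-definition
    link between the save and the later control transfer is explicit.
    """
    stack = []    # (value, index of the instruction that saved it)
    regs = {}     # register -> (value, saving index or None)
    pairs = []
    for i, (addr, op, *args) in enumerate(trace):
        if op == "push_imm":
            stack.append((args[0], i))
        elif op == "call":
            stack.append((addr + CALL_LEN, i))
        elif op == "mov_imm":
            regs[args[0]] = (args[1], None)
        elif op == "pop":
            regs[args[0]] = stack.pop()
        elif op in ("jmp_reg", "ret"):
            value, saved_at = regs[args[0]] if op == "jmp_reg" else stack.pop()
            # Return point: target is a saved value and lies in the code section.
            if saved_at is not None and code_lo <= value < code_hi:
                pairs.append((saved_at, i, value))
        # "jmp_imm" with a constant target neither saves nor consumes an address.
    return pairs


if __name__ == "__main__":
    for call_idx, ret_idx, target in identify_calls_returns(TRACE):
        print(f"call at trace[{call_idx}] returns at trace[{ret_idx}] to {target:#x}")
```

The emulated pair (entries 0 and 4) and the native pair (entries 5 and 7) are both recovered, while the indirect jump at entry 9 is rejected even though its target is a code address, because that value was never saved at a call site.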

Deobfuscation ADLab 20 Relevant Dynamic Trace

Experimental Evaluation ADLab 21
Experimental Methodology
   Compile the original source code
   Generate an original dynamic trace
   Build an original subtrace
   Apply a virtualization-obfuscation technique
   Generate an obfuscated dynamic trace
   Build a relevant subtrace of the obfuscated trace
   The obfuscated subtrace is matched to the original subtrace and scores are produced
   The relevance score and obfuscation score are calculated

Experimental Evaluation ADLab 22 VX Heavens website

Related Work ADLab 23
Deobfuscation of code obfuscated via virtualization obfuscators
   Rolles, Sharif, Falliere
Programming-language community
   Partial evaluation

Conclusions ADLab 24
Virtualization-obfuscated programs are difficult to reverse engineer
We present a different approach: identifying the flow of values to system call instructions

XD ~ ADLab 25