Presentation is loading. Please wait.

Presentation is loading. Please wait.

Saumya Debray The University of Arizona Tucson, AZ 85721.

Published byRylee Larkey Modified over 10 years ago

Similar presentations

Presentation on theme: "Saumya Debray The University of Arizona Tucson, AZ 85721."— Presentation transcript:

1 Saumya Debray The University of Arizona Tucson, AZ 85721

2 The Problem  Rapid analysis and understanding of malware code essential for swift response to new threats ‒ Malicious software are usually heavily obfuscated against analysis  Existing approaches to reverse engineering such code are primitive ‒ not a lot of high-level tool support ‒ requires a lot of manual intervention ‒ slow, cumbersome, potentially error-prone  Delays development of countermeasures

3 Goals Develop automated techniques for analysis and reverse engineering of obfuscated binaries  semantics-based ‒ output is functionally equivalent to, but simpler than, the input program  generality ‒ should work on any obfuscation  even ones we haven’t thought of yet! ‒ should minimize assumptions about obfuscations

4 Challenges  can’t make assumptions about obfuscations ‒ what do we leverage for deobfuscation? ‒ distinguishing code we care about from code we don’t  how do we know which instructions we care about?  scale ‒ “needle in haystack”  no. of instructions executed increases by  270 x (VMprotect) to  4300 x (Themida) [Lau 2008]  anti-analysis defenses ‒ runtime unpacking ‒ anti-emulation, anti-debug checks

5 Our Approach  no obfuscation-specific assumptions ‒ treat programs as input-to-output transformations ‒ use semantics-preserving transformations to simplify execution traces  dynamic analysis to handle runtime unpacking Taint analysis (bit-level) Control flow reconstruction Semantics- preserving transformations input program control flow graph map flow of values from input to output simplify logic of input-to-output transformation reconstruct logic of simplified computation

6 Ex 1:Emulation-based Obfuscation  examination of the code reveals only the emulator’s logic ‒ actual program logic embedded in byte code  lots of “chaff” during execution ‒ separating emulator logic from payload logic tricky  emulators can be nested Obfuscator input program random seed bytecode logic (data) emulator (code) mutation engine

7 Ex 2:Return-Oriented Programs (ROP)  Originally designed to bypass anti-code-injection defenses ‒ stitches together existing code fragments ( “gadgets” ), e.g., in system libraries  Logic can be difficult to discern ‒ gadgets are typically scattered across many different functions and/or libraries ‒ gadgets can overlap in memory in weird ways ‒ control flow structures (if-else, loops, function calls) are typically implemented using non-standard idioms

8 Example 1 (emulation-obfuscation) factorial (Themida)

9 Example 2 (ROP) o originalROP factorial

10 Interactions between Obfuscations Example: Unpacking + Emulation unpack output input instructions “tainted” as propagating values from input to output execution trace input-to-output computation (further simplified) used to construct control flow graph

11 Results  Ex. 1. binary search : Themida originalobfuscated (cropped) deobfuscated

12 Results  Ex. 2. Hunatcha (drive infection code) : ExeCryptor originalobfuscated (cropped) deobfuscated

13 Results  Ex. 3. Stuxnet (encryption routine) : Code Virtualizer originalobfuscated (cropped) deobfuscated

14 Results  Ex. 3. fibonacci: ROP originalobfuscated deobfuscated

15 Results  Ex. 4. Win32/Kryptik.OHY: Code Virtualizer obfuscateddeobfuscated multiple layers of runtime code generation unpacking cod e initial unpacker is emulation-obfuscated the CFG shown materializes incrementally

16 Results: CFG Similarity

17 Lessons and Issues  Static vs. dynamic analysis ‒ multiple layers of runtime code generation/unpacking limits utility of static analysis ‒ dynamic analysis can run into problems of scale  O(n 2 ) algorithms impractical ; even O(n log n) can be problematic  trade memory space for execution time/complexity  code coverage — multi-path exploration?  Taint propagation ‒ byte/word-level analyses may not be precise enough  we use (enhanced) bit-level taint propagation  Simplified trace → CFG: NP-hard ‒ semantic considerations?

18 Conclusions  Rapid analysis and understanding of malware code essential for swift response to new threats ‒ need to deal with advanced code obfuscations ‒ obfuscation-specific solutions tend to be fragile  We describe a semantics-based framework for automatic code deobfuscation ‒ no assumptions about the obfuscation(s) used ‒ promising results on obfuscators (e.g., Themida) not handled by prior research

19

20 Semantics-based simplification  Quasi-invariant locations: locations that have the same value at each use.  Our transformations (currently): ‒ Arithmetic simplification  adaptation of constant folding to execution traces  consider quasi-invariant locations as constants  controlled to avoid over-simplification ‒ Data movement simplification  use pattern-driven rules to identify and simplify data movement. ‒ Dead code elimination  need to consider implicit destinations, e.g., condition code flags.

Download ppt "Saumya Debray The University of Arizona Tucson, AZ 85721."

Similar presentations

© 2004 Wayne Wolf Topics Task-level partitioning. Hardware/software partitioning.  Bus-based systems.

© 2004 Wayne Wolf Topics Task-level partitioning. Hardware/software partitioning.  Bus-based systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Loop Unrolling & Predication CSE 820. Michigan State University Computer Science and Engineering Software Pipelining With software pipelining a reorganized.

Loop Unrolling & Predication CSE 820. Michigan State University Computer Science and Engineering Software Pipelining With software pipelining a reorganized.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Preventing Reverse Engineering by Obfuscating Bharath Kumar.

Preventing Reverse Engineering by Obfuscating Bharath Kumar.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Reverse Engineering © SERG Code Cloning: Detection, Classification, and Refactoring.

Reverse Engineering © SERG Code Cloning: Detection, Classification, and Refactoring.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.

CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.
Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
CS 104 Introduction to Computer Science and Graphics Problems

CS 104 Introduction to Computer Science and Graphics Problems
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Introduction & Overview CS4533 from Cooper & Torczon.

Introduction & Overview CS4533 from Cooper & Torczon.
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

Similar presentations

Ads by Google