
2017 | Original Paper | Book Chapter

Combating Control Flow Linearization

Authors: Julian Kirsch, Clemens Jonischkeit, Thomas Kittel, Apostolis Zarras, Claudia Eckert

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing


Abstract

Piracy is a persistent headache for software companies that try to protect their assets by investing both time and money. Program code obfuscation, as a sub-field of software protection, is a mechanism widely used toward this end. However, effectively protecting a program against reverse engineering and tampering has turned out to be a highly non-trivial task that is still the subject of ongoing research. Recently, a novel obfuscation technique called Control Flow Linearization (CFL) has been gaining ground. While existing approaches try to complicate analysis by artificially increasing the control flow of a protected program, CFL takes the exact opposite direction: instead of increasing the complexity of the corresponding Control Flow Graph (CFG), this obfuscation technique decreases the number of nodes and edges in the CFG. In the extreme case, the obfuscated program degenerates to one single basic block while still preserving its original semantics. In this paper, we present the DeMovfuscator, a system that is able to accurately break CFL obfuscation. DeMovfuscator can reconstruct the control flow while making only marginal assumptions about the execution environment of the obfuscated code. We evaluate both the performance and size overhead of CFL as well as the feasibility of our approach to deobfuscation. Overall, we show that even though CFL sounds like an ideal solution that can evade state-of-the-art deobfuscation approaches, it comes with its own limitations.


Metadata
Title
Combating Control Flow Linearization
Authors
Julian Kirsch
Clemens Jonischkeit
Thomas Kittel
Apostolis Zarras
Claudia Eckert
Copyright year
2017
DOI
https://doi.org/10.1007/978-3-319-58469-0_26