Abstract
Sensitive parts of a program, such as proprietary algorithms or licensing information, are often protected with the help of code obfuscation techniques. Many obfuscation schemes transform the control flow of the protected program. Typically, the control flow of obfuscated programs is deterministic, i.e., recorded execution traces do not differ for multiple executions using the same input values. An adversary can take advantage of this behavior and create multiple traces to perform analyses on the target program in order to deobfuscate it.
In this paper, we introduce an obfuscation approach which yields probabilistic control flow within a given method. That is, for the same input values, multiple execution traces differ, whilst preserving semantics. This effectively renders analyses relying on multiple traces impractical. We have implemented a prototype and applied it to several different programs. Our experimental results show that our approach can be used to ensure divergent traces for the same input values and that it can significantly improve the resilience against dynamic analysis.
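The property claimed above (same input, same result, different traces) can be seen in a toy model. This is an added illustration, not the authors' prototype or construction, which the abstract does not describe; the checksum routine, the block variants and all names in it are assumptions made for the example.

```python
import random

# Constructed toy "method": a checksum over a byte string, split into basic
# blocks. Each block has two semantically equivalent variants (A/B).
def step_a(acc, b):          # variant A: multiply-add
    return (acc * 31 + b) & 0xFFFFFFFF

def step_b(acc, b):          # variant B: same value via shift/subtract
    return (((acc << 5) - acc) + b) & 0xFFFFFFFF

def final_a(acc):            # variant A: xor with a mask
    return acc ^ 0xA5A5A5A5

def final_b(acc):            # variant B: xor rewritten as (a|m) - (a&m)
    m = 0xA5A5A5A5
    return (acc | m) - (acc & m)

VARIANTS = {"step": (step_a, step_b), "final": (final_a, final_b)}

def run(data, rng=None):
    """Execute the method; return (result, trace).
    rng=None models deterministic control flow (always variant A)."""
    trace, acc = [], 7
    def pick(block):
        idx = rng.randrange(2) if rng else 0
        trace.append(f"{block}.{'AB'[idx]}")   # what a tracer would record
        return VARIANTS[block][idx]
    for b in data:
        acc = pick("step")(acc, b)
    return pick("final")(acc), tuple(trace)

def trace_stats(data, runs, rng=None):
    """Run the same input repeatedly; return (#distinct results, #distinct traces)."""
    results, traces = set(), set()
    for _ in range(runs):
        r, t = run(data, rng)
        results.add(r)
        traces.add(t)
    return len(results), len(traces)

if __name__ == "__main__":
    sample = b"license-key"   # constructed input
    print("deterministic:", trace_stats(sample, 200))
    print("probabilistic:", trace_stats(sample, 200, random.SystemRandom()))
```

With 12 random choice points there are 4096 possible traces for this one input, so an analysis that aligns or intersects repeated recordings no longer sees a single stable path.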
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Pawlowski, A., Contag, M., Holz, T. (2016). Probfuscation: An Obfuscation Approach Using Probabilistic Control Flows. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science, vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_9
DOI: https://doi.org/10.1007/978-3-319-40667-1_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40666-4
Online ISBN: 978-3-319-40667-1
eBook Packages: Computer Science, Computer Science (R0)