Probfuscation: An Obfuscation Approach Using Probabilistic Control Flows

  • Andre Pawlowski
  • Moritz Contag
  • Thorsten Holz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


Sensitive parts of a program, such as proprietary algorithms or licensing information, are often protected with the help of code obfuscation techniques. Many obfuscation schemes transform the control flow of the protected program. Typically, the control flow of obfuscated programs is deterministic, i.e., recorded execution traces do not differ for multiple executions using the same input values. An adversary can take advantage of this behavior and create multiple traces to perform analyses on the target program in order to deobfuscate it.

In this paper, we introduce an obfuscation approach which yields probabilistic control flow within a given method. That is, for the same input values, multiple execution traces differ, whilst preserving semantics. This effectively renders analyses relying on multiple traces impractical. We have implemented a prototype and applied it to several different programs. Our experimental results show that our approach can be used to ensure divergent traces for the same input values and that it can significantly improve the resilience against dynamic analysis.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Horst Görtz Institute for IT-Security (HGI), Ruhr-Universität Bochum, Bochum, Germany
