Code obfuscation is done to protect the logic of a program from easy analysis. A security analyst needs to spend considerable amount of time trying to de-obfuscate an executable by static analysis. The paper proposes the use of differential execution analysis to reduce obfuscation and constraint identification. Differential execution analysis filters critical instructions to analyze, from rest of instructions by comparing execution of program under different inputs using Dynamic Binary Instrumentation. After analysis, a reduced graph is generated out of dynamic execution trace showing reduced set of instructions as blocks separated by constraints placed on inputs.


Obfuscation Differential Execution Dynamic Binary Instrumentation Constraints Reduced Graph 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Johnson, N.M., Caballero, J., Chen, K.Z., McCamant, S., Poosankam, P., Reynaud, D., Song, D.: Differential Slicing: Identifying Causal Execution Differences for Security Applications. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, pp. 347–362 (2011)Google Scholar
  2. 2.
    Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: Practical Dynamic Data Flow Tracking for Commodity Systems. In: Proceedings of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, pp. 121–132 (2012)Google Scholar
  3. 3.
    Clause, J., Li, W., Orso, A.: Dytan: A Generic Dynamic Taint Analysis Framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, pp. 196–206 (2007)Google Scholar
  4. 4.
    Saxena, P., Sekar, R., Puranik, V.: Efficient Fine-Grained Binary Instrumentation with Applications to Taint-Tracking. In: Proceedings of the 6th Annual IEEE/ACM International Symposium on Code Generation and Optimization, pp. 74–83 (2008)Google Scholar
  5. 5.
    Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Wallace, S., Reddi, V.J., Hazelwood, K., Lowney, G.: Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 190–200 (2005)Google Scholar
  6. 6.
    PIN, Dynamic Binary Instrumentation Framework by Intel,
  7. 7.
    You, I., Yim, K.: Malware Obfuscation Techniques: A Brief Survey. In: Proceedings of the 2010 IEEE Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300 (2010)Google Scholar
  8. 8.
    Linn, C., Debray, S.: Obfuscation of Executable Code to Improve Resistance to Static Disassembly. In: Proceedings of 10th ACM Conference on Computer and Communications Security, pp. 290–299 (2003)Google Scholar
  9. 9.
    Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static Disassembly of Obfuscated Binaries. In: Proceedings of the 13th Conference on USENIX Security Symposium, pp. 255–270 (2004)Google Scholar
  10. 10.
    Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: Reverse Engineering Obfuscated Code. In: Proceedings of the 12th Working Conference on Reverse Engineering, pp. 45–54 (2005)Google Scholar
  11. 11.
    Gröbert, F., Willems, C., Holz, T.: Automated identification of cryptographic primitives in binary programs. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 41–60. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Lahiri, S.K., Vaswani, K., Hoare, C.A.R.: Differential Static Analysis: Opportunities, Applications and Challenges. In: Proceedings of the FSE/SDP Workshop on Future of Software Engineering Research, pp. 201–204 (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • R. Reno Robert
    • 1
  1. 1.TIFAC CORE in Cyber SecurityAmrita Vishwa VidyapeethamCoimbatoreIndia

Personalised recommendations