Linear obfuscation to combat symbolic execution

Authors:
Zhi Wang;Jiang Ming;Chunfu Jia;Debin Gao
Affiliations:
College of Information Technical Science, Nankai University, China;College of Information Sciences & Technology, Pennsylvania State University;College of Information Technical Science, Nankai University, China;School of Information Systems, Singapore Management University, Singapore
Venue:
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Year:
2011

Citing 24
Cited 0

Symbolic execution and program testing

Communications of the ACM
Obfuscation of executable code to improve resistance to static disassembly

Proceedings of the 10th ACM conference on Computer and communications security
DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Using symbolic execution to guide test generation: Research Articles

Software Testing, Verification & Reliability
CUTE: a concolic unit testing engine for C

Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Replayer: automatic protocol replay by binary analysis

Proceedings of the 13th ACM conference on Computer and communications security
EXE: automatically generating inputs of death

Proceedings of the 13th ACM conference on Computer and communications security
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Creating Vulnerability Signatures Using Weakest Preconditions

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Bouncer: securing software by blocking bad input

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
Binary obfuscation using signals

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Testing for buffer overflows with length abstraction

ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
BinHunt: Automatically Finding Semantic Differences in Binary Programs

ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security
Loop-extended symbolic execution on binary programs

Proceedings of the eighteenth international symposium on Software testing and analysis
Towards Generating High Coverage Vulnerability-Based Signatures with Protocol-Level Constraint-Guided Exploration

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
binOb+: a framework for potent and stealthy binary obfuscation

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
RWset: attacking path explosion in constraint-based test generation

TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Identifying Dormant Functionality in Malware Programs

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs

OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Dynamic test generation to find integer bugs in x86 binary linux programs

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Execution generated test cases: how to make systems code crash itself

SPIN'05 Proceedings of the 12th international conference on Model Checking Software

Quantified Score

Hi-index	0.00

Visualization

Abstract

Trigger-based code (malicious in many cases, but not necessarily) only executes when specific inputs are received. Symbolic execution has been one of the most powerful techniques in discovering such malicious code and analyzing the trigger condition. We propose a novel automatic malware obfuscation technique to make analysis based on symbolic execution difficult. Unlike previously proposed techniques, the obfuscated code from our tool does not use any cryptographic operations and makes use of only linear operations which symbolic execution is believed to be good in analyzing. The obfuscated code incorporates unsolved conjectures and adds a simple loop to the original code, making it less than one hundred bytes longer and hard to be differentiated from normal programs. Evaluation shows that applying symbolic execution to the obfuscated code is inefficient in finding the trigger condition. We discuss strengths and weaknesses of the proposed technique.