DOI: 10.5555/1251375.1251393
Article

Static disassembly of obfuscated binaries

Published: 13 August 2004

Abstract

Disassembly is the process of recovering a symbolic representation of a program's machine code instructions from its binary representation. Recently, a number of techniques have been proposed that attempt to foil the disassembly process. These techniques are very effective against state-of-the-art disassemblers, preventing a substantial fraction of a binary program from being disassembled correctly. This could allow an attacker to hide malicious code from static analysis tools that depend on correct disassembler output (such as virus scanners).
The paper presents novel binary analysis techniques that substantially improve the success of the disassembly process when confronted with obfuscated binaries. Based on control flow graph information and statistical methods, a large fraction of the program's instructions can be correctly identified. An evaluation of the accuracy and the performance of our tool is provided, along with a comparison to several state-of-the-art disassemblers.

Published In

SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
August 2004
352 pages

Publisher

USENIX Association

United States

Author Tags

  1. binary obfuscation
  2. reverse engineering
  3. static analysis

Qualifiers

  • Article

Article Metrics

  • Downloads (last 12 months): 0
  • Downloads (last 6 weeks): 0

Reflects downloads up to 04 Oct 2024

Cited By

  • (2023) SAFER. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1451-1468. DOI 10.5555/3620237.3620319. Online publication date: 9 Aug 2023.
  • (2022) Elipmoc: advanced decompilation of Ethereum smart contracts. Proceedings of the ACM on Programming Languages, 6(OOPSLA1), pp. 1-27. DOI 10.1145/3527321. Online publication date: 29 Apr 2022.
  • (2021) Input-Output Example-Guided Data Deobfuscation on Binary. Security and Communication Networks, vol. 2021. DOI 10.1155/2021/4646048. Online publication date: 1 Jan 2021.
  • (2021) Automatic Vulnerability Detection in Embedded Devices and Firmware. ACM Computing Surveys, 54(2), pp. 1-42. DOI 10.1145/3432893. Online publication date: 5 Mar 2021.
  • (2020) An empirical study on ARM disassembly tools. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 401-414. DOI 10.1145/3395363.3397377. Online publication date: 18 Jul 2020.
  • (2020) A Comb for Decompiled C Code. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 637-651. DOI 10.1145/3320269.3384766. Online publication date: 5 Oct 2020.
  • (2019) Hiding Vulnerabilities of Internet of Things Software Using Anti-Tamper Technique. Proceedings of the 2019 4th International Conference on Intelligent Information Technology, pp. 46-50. DOI 10.1145/3321454.3321466. Online publication date: 20 Feb 2019.
  • (2019) From Hack to Elaborate Technique—A Survey on Binary Rewriting. ACM Computing Surveys, 52(3), pp. 1-37. DOI 10.1145/3316415. Online publication date: 18 Jun 2019.
  • (2019) Probabilistic disassembly. Proceedings of the 41st International Conference on Software Engineering, pp. 1187-1198. DOI 10.1109/ICSE.2019.00121. Online publication date: 25 May 2019.
  • (2018) Context-Sensitive Flow Graph and Projective Single Assignment Form for Resolving Context-Dependency of Binary Code. Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, pp. 48-53. DOI 10.1145/3264820.3264826. Online publication date: 15 Oct 2018.
