Opaque Predicate De-Obfuscation Scheme Based on Dynamic Symbolic Execution
  • Original title: 基于动态符号执行的不透明谓词反混淆算法
  • Authors: SONG Xuechao; ZHANG Jun; HE Mingxing (宋雪勦; 张俊; 何明星)
  • Affiliation: School of Computer and Software Engineering, Xihua University (西华大学计算机与软件工程学院)
  • Keywords: obfuscation; opaque predicate; de-obfuscation; dynamic symbolic execution; path reachability
  • Journal: Journal of Xihua University (Natural Science Edition) (西华大学学报(自然科学版)), journal code SCGX
  • Published online: 2018-05-17 09:40
  • Year: 2018
  • Volume/issue: v.37, No.162 (issue 03)
  • Funding: National Natural Science Foundation of China, "Research on privacy-preserving authentication protocols for vehicular ad hoc networks" (U1433130)
  • Language: Chinese
  • Article ID: SCGX201803012
  • Pages: 79-83 (5 pages)
  • CN: 51-1686/N
Abstract
Malicious software and exploit programs emerge endlessly, and they commonly rely on code obfuscation to make analysis harder and so extend their useful life. Opaque predicate obfuscation is one of the main code obfuscation techniques. At present the main de-obfuscation method for opaque predicates is to eliminate unreachable paths in the program through data-flow analysis. This paper presents an opaque predicate de-obfuscation scheme based on path unreachability analysis with dynamic symbolic execution: control-flow graph analysis yields the basic blocks of each function, the basic blocks that contain branches are then subjected to path reachability analysis, and unreachable paths are removed. Determining which branch outcomes are actually reachable identifies the branch that will really be executed. Experiments with a prototype system show an average de-obfuscation rate of about 80%.
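The reachability check sketched in the abstract, as an added worked example written for this page (it is not the paper's prototype system and uses none of its code). The paper hands each branch's path constraint to a constraint solver; this stand-alone version assumes a much weaker solver of its own: random concrete execution supplies a witness that a branch outcome is reachable (the dynamic part), and exhaustive evaluation over residues modulo small constants proves that an integer-polynomial equality can never hold (the symbolic part). The `Predicate` class, the function names and the three sample predicates are constructed for the example, and predicates are restricted to equalities between integer polynomials, optionally modulo a constant. A branch outcome is only deleted when it is proved unreachable; a failed search yields "unknown", never a deletion.

```python
"""Toy concolic path-reachability check for opaque predicates.

Added example for this page, not the paper's prototype. The paper hands the path
constraint of each branch to a constraint solver; this stand-alone version
replaces the solver with two cheap procedures (an assumption of the example):
random concrete execution to find a witness that a branch outcome is reachable,
and exhaustive evaluation over residues modulo small m to prove that an
integer-polynomial equality can never hold. Predicates are restricted to
comparisons of integer polynomials, optionally taken modulo a constant.
"""
from dataclasses import dataclass
from itertools import product
import random


@dataclass(frozen=True)
class Predicate:
    lhs: str          # polynomial over the variables, Python syntax
    rhs: str
    variables: tuple  # variable names used in lhs and rhs
    modulus: int = 0  # 0: integer equality lhs == rhs; m > 0: lhs == rhs (mod m)


def evaluate(expr, env):
    """Evaluate an arithmetic expression with no builtins available."""
    return eval(expr, {"__builtins__": {}}, dict(env))


def holds(pred, env):
    """True on the 'equal' outcome of the branch for one concrete input."""
    diff = evaluate(pred.lhs, env) - evaluate(pred.rhs, env)
    return diff % pred.modulus == 0 if pred.modulus else diff == 0


def concrete_witness(pred, outcome, trials=4000, seed=1):
    """Dynamic part: execute the predicate on random concrete inputs until one
    drives the branch to `outcome`; returns that input or None. Half of the
    draws are small so that solutions of equations such as x*x == y + 1 are hit."""
    rng = random.Random(seed)
    for _ in range(trials):
        env = {v: rng.randint(-8, 8) if rng.random() < 0.5 else rng.randint(-10**6, 10**6)
               for v in pred.variables}
        if holds(pred, env) == outcome:
            return env
    return None


def residue_outcomes(pred, m):
    """Outcomes of (lhs - rhs) == 0 (mod m) over every residue tuple. Sound for
    polynomials because evaluation commutes with reduction modulo m."""
    seen = set()
    for values in product(range(m), repeat=len(pred.variables)):
        env = dict(zip(pred.variables, values))
        seen.add((evaluate(pred.lhs, env) - evaluate(pred.rhs, env)) % m == 0)
        if len(seen) == 2:
            break
    return seen


def prove_unreachable(pred, outcome, moduli=(2, 3, 4, 5, 7, 8, 9, 11, 13, 16)):
    """Symbolic part: try to prove that `outcome` can never occur."""
    if pred.modulus:
        # the predicate is itself modular, so enumerating residues decides both outcomes exactly
        return outcome not in residue_outcomes(pred, pred.modulus)
    if outcome is False:
        # 'not equal' unreachable would mean lhs - rhs vanishes identically; residues cannot show that
        return False
    # 'equal' over the integers: no solution modulo some m implies no integer solution
    return any(True not in residue_outcomes(pred, m) for m in moduli)


def classify(pred, trials=4000, seed=1):
    """Reachability verdict for both outcomes of the branch guarded by `pred`."""
    verdict = {}
    for outcome, label in ((True, "equal"), (False, "not_equal")):
        if concrete_witness(pred, outcome, trials, seed) is not None:
            verdict[label] = "reachable"
        elif prove_unreachable(pred, outcome):
            verdict[label] = "unreachable"
        else:
            verdict[label] = "unknown"   # never delete a path on a mere failed search
    return verdict


def dead_outcomes(pred):
    """Branch outcomes a de-obfuscator may delete from the CFG: only proved ones."""
    return [label for label, status in classify(pred).items() if status == "unreachable"]


# Constructed sample predicates (textbook opaque constructs, not the paper's benchmark set).
ALWAYS_EQUAL = Predicate("x*(x+1)", "0", ("x",), modulus=2)   # x(x+1) is always even
NEVER_EQUAL = Predicate("x*x", "7*y*y - 1", ("x", "y"))       # a square is never 7y^2 - 1
TRANSPARENT = Predicate("x*x", "y + 1", ("x", "y"))           # a real branch: both outcomes occur

if __name__ == "__main__":
    for name, p in (("ALWAYS_EQUAL", ALWAYS_EQUAL), ("NEVER_EQUAL", NEVER_EQUAL), ("TRANSPARENT", TRANSPARENT)):
        print(name, classify(p), "delete:", dead_outcomes(p))
```

Two design points carry over to a real implementation. First, the asymmetry in `prove_unreachable` is deliberate: residue enumeration can refute an equality over the integers but cannot prove that a difference vanishes identically, so that case stays "unknown" rather than being reported as an opaque predicate. Second, the verdict for `TRANSPARENT` shows why a de-obfuscator needs witnesses for both outcomes before leaving a branch alone; a solver-backed version replaces `concrete_witness` with a query on the negated path constraint, which is exactly the step dynamic symbolic execution automates.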
References
[1] MA Hongliang, WANG Wei, HAN Zhen. Detection and de-obfuscation of obfuscated malicious JavaScript code[J]. Chinese Journal of Computers, 2017, 40(7): 1699-1713.
[2] GUO Jun, WANG Lei, TANG Zhanyong, et al. Semantics-based automatic de-obfuscation of binary code[J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2016, 44(3): 55-59.
[3] BALAKRISHNAN G, SANKARANARAYANAN S. SLR: Path-sensitive analysis through infeasible-path detection and syntactic language refinement[C]//Static Analysis, LNCS 5079. Heidelberg: Springer, 2008: 238-254.
[4] COLLBERG C, THOMBORSON C, LOW D. Manufacturing cheap, resilient, and stealthy opaque constructs[C]//Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. New York: ACM, 1998: 184-196.
[5] MAJUMDAR A, THOMBORSON C. Manufacturing opaque predicates in distributed systems for code obfuscation[C]//Proceedings of the 29th Australasian Computer Science Conference. Darlinghurst: Australian Computer Society, 2006: 187-196.
[6] YUAN Zheng, FENG Yan, WEN Qiaoyan, et al. Constructing a new opaque predicate for obfuscating Java programs[J]. Journal of Beijing University of Posts and Telecommunications, 2007, 30(6): 103-106.
[7] SU Qing, WU Weimin, LI Zhongliang, et al. Research and application of chaotic opaque predicates in code obfuscation[J]. Computer Science, 2013, 40(6): 155-159.
[8] KING J C. A new approach to program testing[J]. ACM SIGPLAN Notices, 1975, 10(6): 228-233.
[9] GODEFROID P, KLARLUND N, SEN K. DART: Directed automated random testing[C]//Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (ACM SIGPLAN Notices 40(6)). 2005: 213-223.
[10] AVGERINOS T, CHA S K, HAO B L T, et al. AEG: Automatic exploit generation[C]//Proceedings of the Network and Distributed System Security Symposium. NDSS, 2011: 1-18.
[11] CHA S K, AVGERINOS T, REBERT A, et al. Unleashing Mayhem on binary code[C]//IEEE Symposium on Security and Privacy. IEEE, 2012: 380-394.
[12] AN Jing. Research on key technologies of dynamic symbolic execution[D]. Beijing: Beijing University of Posts and Telecommunications, 2014.
[13] LUCKOW K, DIMJASEVIC M, GIANNAKOPOULOU D, et al. JDart: A dynamic symbolic analysis framework[C]//Proceedings of the 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Heidelberg: Springer, 2016: 442-459.
[14] ZHANG Y, CHEN Z, WANG J, et al. Regular property guided dynamic symbolic execution[C]//Proceedings of the 37th International Conference on Software Engineering, 2015, 1: 643-653.
[15] CHIPOUNOV V, KUZNETSOV V, CANDEA G. The S2E platform: Design, implementation, and applications[J]. ACM Transactions on Computer Systems, 2012, 30(1): 2.
[16] SHOSHITAISHVILI Y, WANG R, SALLS C, et al. SOK: (State of) the art of war: Offensive techniques in binary analysis[C]//IEEE Symposium on Security and Privacy. San Jose, CA, USA: IEEE, 2016: 138-157.