ROPOB: Obfuscating Binary Code via Return Oriented Programming

Software reverse engineering has been widely employed for software reuse, including for malicious purposes such as software plagiarism and malware camouflage. To raise the bar for adversaries performing reverse engineering, a great deal of work has proposed introducing obfuscation into the software to be protected. However, existing obfuscation methods are either inefficient or hard to deploy. In this paper, we propose an obfuscation scheme for binaries based on Return Oriented Programming (ROP), which aims to serve as an efficient and deployable anti-reverse-engineering approach. Our basic idea is to transform direct control flow into indirect control flow. The strength of our scheme derives from the fact that static analysis is typically insufficient to pinpoint the target addresses of indirect control flow. We implement a tool, ROPOB, to achieve obfuscation in Commercial-off-the-Shelf (COTS) binaries, and test ROPOB with programs in SPEC2006. The results show that ROPOB can successfully transform all identified direct control flow without causing execution errors. The overhead is acceptable: the average performance overhead is less than 10% when obfuscation coverage is over 90%.
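The abstract's core idea, rewriting a direct transfer into an indirect one that a static disassembler cannot resolve, can be illustrated on a toy instruction set. The following is an added example, not code from the paper or the ROPOB tool: it defines a constructed five-instruction program, rewrites each direct `jmp` into a `push target; ret` pair (the simplest possible return-oriented transfer; ROPOB's actual gadget selection and address handling are not described in the abstract and are not modelled here), runs both versions in a small interpreter to show they compute the same result, and runs a naive static CFG recovery that resolves every direct edge but must give up at `ret`. All instruction names, addresses and helper functions are assumptions of this example.

```python
"""Toy model of direct-to-indirect control-flow rewriting (constructed example).

Instructions are (opcode, arg) tuples stored at consecutive addresses 0..n-1:
  ("mov", (reg, imm))   reg = imm
  ("add", (reg, imm))   reg += imm
  ("jmp", target)       direct transfer: target is visible in the code bytes
  ("push", imm)         push imm on the runtime stack
  ("ret", None)         indirect transfer: pop the target from the stack
  ("halt", None)        stop and return the register file
"""

UNKNOWN = None  # marker for a successor a static analyzer cannot determine


def obfuscate(program):
    """Rewrite every direct jmp into push <new target>; ret.

    Because each jmp grows into two instructions, every original address is
    first remapped so that the pushed targets refer to the rewritten layout.
    """
    new_addr, pos = {}, 0
    for i, (op, _) in enumerate(program):
        new_addr[i] = pos
        pos += 2 if op == "jmp" else 1
    new_addr[len(program)] = pos  # address just past the end, for completeness
    out = []
    for op, arg in program:
        if op == "jmp":
            out.append(("push", new_addr[arg]))  # target now lives in data, not code
            out.append(("ret", None))
        else:
            out.append((op, arg))
    return out


def run(program, max_steps=1000):
    """Execute the toy program and return the final registers."""
    regs, stack, pc = {"r0": 0}, [], 0
    for _ in range(max_steps):
        op, arg = program[pc]
        if op == "mov":
            regs[arg[0]] = arg[1]; pc += 1
        elif op == "add":
            regs[arg[0]] += arg[1]; pc += 1
        elif op == "jmp":
            pc = arg
        elif op == "push":
            stack.append(arg); pc += 1
        elif op == "ret":
            pc = stack.pop()  # control goes wherever the stack says
        elif op == "halt":
            return regs
        else:
            raise ValueError(f"unknown opcode {op!r}")
    raise RuntimeError("step limit exceeded")


def recover_cfg(program):
    """Naive static CFG recovery: one successor set per instruction address.

    A direct jmp yields a known edge; a ret yields UNKNOWN because its target is
    produced at run time and is not encoded in the instruction itself.
    """
    cfg = {}
    for addr, (op, arg) in enumerate(program):
        if op == "jmp":
            cfg[addr] = {arg}
        elif op == "ret":
            cfg[addr] = {UNKNOWN}
        elif op == "halt":
            cfg[addr] = set()
        else:
            cfg[addr] = {addr + 1}
    return cfg


def unresolved_count(cfg):
    """Number of instructions whose successors the static analysis could not resolve."""
    return sum(1 for succ in cfg.values() if UNKNOWN in succ)


# Constructed sample program: r0 = 1; skip over a dead mov; r0 += 41; halt -> r0 == 42
ORIGINAL = [
    ("mov", ("r0", 1)),
    ("jmp", 3),
    ("mov", ("r0", 99)),  # never executed
    ("add", ("r0", 41)),
    ("halt", None),
]
OBFUSCATED = obfuscate(ORIGINAL)

if __name__ == "__main__":
    print("original  :", run(ORIGINAL), "unresolved edges:", unresolved_count(recover_cfg(ORIGINAL)))
    print("obfuscated:", run(OBFUSCATED), "unresolved edges:", unresolved_count(recover_cfg(OBFUSCATED)))
```

Both versions leave `r0 == 42`, but the recovered CFG of the rewritten program has one instruction (the `ret`) with no statically known successor, which is exactly the property the abstract relies on. The toy analyzer stops at `ret` on purpose; a pattern matcher that folds an adjacent `push imm; ret` back into a `jmp` would defeat this minimal transform, which is why a real obfuscator must source its return targets from computation or from existing gadgets rather than from an immediate placed directly before the return.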
