论文信息 - Towards Static Analysis of Virtualization-Obfuscated Binaries

Towards Static Analysis of Virtualization-Obfuscated Binaries

Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into byte code for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible. In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and byte code. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the byte code program. To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal byte code locations only. We lift an existing analysis implemented in the Jakstab static analyzer and present preliminary results for processing a virtualization-obfuscated binary.

Johannes Kinder

[1] Helmut Veith,et al. An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries , 2008, VMCAI.

[2] Rolf Rolles,et al. Unpacking Virtualization Obfuscators , 2009, WOOT.

[3] Helmut Veith,et al. Precise static analysis of untrusted driver binaries , 2010, Formal Methods in Computer Aided Design.

[4] Helmut Veith,et al. Jakstab: A Static Analysis Platform for Binaries , 2008, CAV.

[5] Stefan Katzenbeisser,et al. Proactive Detection of Computer Worms Using Model Checking , 2010, IEEE Transactions on Dependable and Secure Computing.

[6] Xavier Rival,et al. Trace Partitioning in Abstract Interpretation Based Static Analyzers , 2005, ESOP.

[7] Patrick Cousot,et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[8] Jonathon T. Giffin,et al. Automatic Reverse Engineering of Malware Emulators , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[9] Kevin Coogan,et al. Deobfuscation of virtualization-obfuscated software: a semantics-based approach , 2011, CCS '11.

[10] Sorin Lerner,et al. ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[11] Saumya K. Debray,et al. Deobfuscation: reverse engineering obfuscated code , 2005, 12th Working Conference on Reverse Engineering (WCRE'05).