LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code

Opaque predicates, conditional branches whose outcome is fixed in advance by the obfuscator but hard for an analyst to determine, have been widely used to insert superfluous branches for control flow obfuscation. They combine seamlessly with other obfuscation methods such as junk code to make reverse engineering arduous. Previous efforts at detecting opaque predicates are far from mature: they are either ad hoc, designed for one specific problem, or suffer from a considerably high error rate. This paper introduces LOOP, a Logic-Oriented Opaque Predicate detection tool for obfuscated binary code. Unlike previous work, LOOP relies on no heuristics; instead it constructs general logical formulas that capture the intrinsic characteristic of an opaque predicate (no input reaching the branch can change its outcome) by symbolic execution along an execution trace, and then solves these formulas with a constraint solver. The solver's answer accurately determines whether the predicate under examination is opaque. In addition, LOOP is obfuscation resilient and can detect previously unknown opaque predicates. We have developed a prototype of LOOP and evaluated it on a range of common utilities and obfuscated malicious programs. Our experimental results demonstrate the efficacy and generality of LOOP. By integrating LOOP with code normalization for matching metamorphic malware variants, we further show that LOOP is an appealing complement to existing malware defenses.
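The following is an added illustration of the detection idea described above, written for this page; it is not LOOP's implementation and does not use its instrumentation or its solver. It symbolically executes a constructed trace in a made-up three-address form (the instruction tuples, register names and the inputs `x`, `y` are all invented here), builds a formula for every observed branch, and asks a solver whether any input could make the branch go the other way. The solver is a bounded one that exhaustively tries every 8-bit assignment, standing in for an SMT solver such as Z3; it is exact for that width but would not scale to real traces. The split into "invariant" predicates (fixed for every input) and "contextual" ones (fixed only under the path constraints collected so far) is this example's own terminology, not a classification the abstract states.

```python
"""Toy trace-level opaque predicate detector (added example, not LOOP's code)."""
from itertools import product

WIDTH = 8                      # assumption: 8-bit registers keep the brute-force solver cheap
MASK = (1 << WIDTH) - 1
INPUTS = ("x", "y")            # assumption: the traced program's symbolic inputs

# Constructed trace (not captured from a real binary). Forms:
#   ("mov", dst, src)  (op, dst, a, b)  ("cmp", dst, rel, a, b)  ("br", cond, taken)
# String operands name registers or inputs; ints are immediates.
TRACE = [
    ("mov", "r0", "x"),
    ("add", "r1", "r0", 1),
    ("mul", "r2", "r0", "r1"),          # x*(x+1)
    ("and", "r3", "r2", 1),
    ("cmp", "c0", "==", "r3", 0),       # x*(x+1) is even: always true
    ("br", "c0", True),
    ("add", "r9", "x", 77),             # junk code: never feeds a predicate
    ("cmp", "c1", ">", "x", 10),
    ("br", "c1", True),                 # genuine branch, observed taken
    ("cmp", "c2", "!=", "x", 3),        # true only because x > 10 on this path
    ("br", "c2", True),
    ("mul", "r4", "y", "y"),
    ("mul", "r5", "r4", 7),
    ("sub", "r6", "r5", 1),             # 7*y*y - 1
    ("mul", "r7", "x", "x"),
    ("cmp", "c3", "!=", "r6", "r7"),    # 7y^2 - 1 != x^2: always true, even mod 2^WIDTH
    ("br", "c3", True),
]

OPS = {
    "add": lambda a, b: (a + b) & MASK,
    "sub": lambda a, b: (a - b) & MASK,
    "mul": lambda a, b: (a * b) & MASK,
    "and": lambda a, b: a & b,
    "xor": lambda a, b: a ^ b,
}
RELS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def evaluate(expr, env):
    """Evaluate a symbolic expression tree under a concrete input assignment."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "sym":
        return env[expr[1]]
    if kind == "not":
        return not evaluate(expr[1], env)
    if kind == "bin":
        return OPS[expr[1]](evaluate(expr[2], env), evaluate(expr[3], env))
    if kind == "cmp":
        return RELS[expr[1]](evaluate(expr[2], env), evaluate(expr[3], env))
    raise ValueError(expr)


def satisfiable(constraints, symbols):
    """Bounded decision procedure: try every WIDTH-bit assignment to the inputs.
    Exact for this width; a real tool hands the same formula to an SMT solver."""
    for values in product(range(MASK + 1), repeat=len(symbols)):
        env = dict(zip(symbols, values))
        if all(evaluate(c, env) for c in constraints):
            return True
    return False


def operand(state, o):
    return ("const", o & MASK) if isinstance(o, int) else state[o]


def classify_branches(trace, inputs=INPUTS):
    """Symbolically execute the trace; for each branch decide whether any input
    could flip it. Returns [(cond_register, verdict), ...] in trace order."""
    state = {name: ("sym", name) for name in inputs}   # inputs start symbolic
    path = []                                          # constraints from branches already taken
    verdicts = []
    for insn in trace:
        op = insn[0]
        if op == "mov":
            state[insn[1]] = operand(state, insn[2])
        elif op in OPS:
            state[insn[1]] = ("bin", op, operand(state, insn[2]), operand(state, insn[3]))
        elif op == "cmp":
            state[insn[1]] = ("cmp", insn[2], operand(state, insn[3]), operand(state, insn[4]))
        elif op == "br":
            cond, taken = state[insn[1]], insn[2]
            observed = cond if taken else ("not", cond)
            flipped = ("not", cond) if taken else cond
            # Opaque predicate characteristic: the not-taken direction is unsatisfiable.
            if not satisfiable([flipped], inputs):
                verdict = "invariant-opaque"            # fixed for every input
            elif not satisfiable(path + [flipped], inputs):
                verdict = "contextual-opaque"           # fixed given the path so far
            else:
                verdict = "genuine"
            verdicts.append((insn[1], verdict))
            path.append(observed)
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify_branches(TRACE):
        print(name, verdict)
```

The junk instruction writing `r9` is irrelevant to every verdict because the check is on the formula the predicate actually depends on, which is the sense in which a logic-based detector is resilient to surrounding obfuscation. Note that `c2` is only opaque relative to the path constraint `x > 10`; a detector that examined predicates in isolation would miss it.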
