Breaking State-of-the-Art Binary Code Obfuscation via Program Synthesis

Presented at Black Hat Asia 2018, March 22, 2018, 2:15 p.m. (60 minutes).

In modern businesses, code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex.

In our talk, we will give an overview of contemporary (binary) code obfuscation techniques, including Mixed Boolean-Arithmetic and Virtual Machines. We further note a common theme in state-of-the-art deobfuscation techniques: they mostly use a mixed approach of symbolic execution and taint analysis, two techniques that require a precise analysis of the underlying code. These techniques also require a non-trivial amount of domain knowledge. This limits their applicability and hints at the need for alternative approaches to the problem of code obfuscation.

Consequently, we introduce program synthesis as a promising technique that is orthogonal to traditional deobfuscation techniques. As program synthesis can synthesize code of arbitrary complexity, it is limited only by the complexity of the underlying code's semantics and thus overcomes some of the limitations traditional approaches suffer from.
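The following is an added illustration of the idea in this paragraph, not code from the talk or from its authors' tooling. It treats two constructed Mixed Boolean-Arithmetic rewrites (`obfuscated_add`, `obfuscated_xor`) as black boxes, samples their input/output behaviour, and runs a simple bottom-up enumerative synthesizer over a tiny expression grammar (terminals `x`, `y`, `1`; operators `+ - * ^ & |`, all assumptions of this example) with observational-equivalence pruning. Because the synthesizer only ever looks at outputs, the syntactic complexity of the obfuscated code never enters the search; only the semantics of the recovered expression does.

```python
import random

MASK = 0xFFFFFFFF  # model 32-bit machine arithmetic

# Constructed stand-ins for obfuscated code: each computes a simple
# operation through a Mixed Boolean-Arithmetic (MBA) rewrite. A real
# target would be, e.g., a VM handler or an MBA-laden basic block.
def obfuscated_add(x, y):
    # semantically x + y (mod 2^32), written as xor plus doubled carry
    return ((x ^ y) + ((x & y) << 1)) & MASK

def obfuscated_xor(x, y):
    # semantically x ^ y, written as (x | y) - (x & y)
    return ((x | y) - (x & y)) & MASK

# Grammar of the synthesizer (an assumption of this example)
OPS = {
    "+": lambda a, b: (a + b) & MASK,
    "-": lambda a, b: (a - b) & MASK,
    "*": lambda a, b: (a * b) & MASK,
    "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b,
    "|": lambda a, b: a | b,
}

def sample_io(fn, n, seed=0):
    """Treat fn as a black box: record its outputs on random 32-bit inputs."""
    rng = random.Random(seed)
    inputs = [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(n)]
    return inputs, tuple(fn(x, y) for x, y in inputs)

def synthesize(fn, n_samples=16, max_size=5):
    """Bottom-up enumerative synthesis: grow expressions by node count,
    prune any expression whose output vector was already seen, and stop
    at the first expression that reproduces fn's outputs on the samples.
    Returns the expression as a string over x, y, 1, or None."""
    inputs, target = sample_io(fn, n_samples)
    terminals = {
        "x": tuple(x for x, _ in inputs),
        "y": tuple(y for _, y in inputs),
        "1": tuple(1 for _ in inputs),
    }
    seen = {}            # output vector -> expression (observational equivalence)
    by_size = {1: []}    # node count -> list of (expression, output vector)
    for name, vals in terminals.items():
        if vals == target:
            return name
        if vals not in seen:
            seen[vals] = name
            by_size[1].append((name, vals))
    for size in range(2, max_size + 1):
        by_size[size] = []
        for left_size in range(1, size - 1):
            right_size = size - 1 - left_size   # one node for the operator itself
            for sym, op in OPS.items():
                for lexpr, lvals in by_size[left_size]:
                    for rexpr, rvals in by_size[right_size]:
                        vals = tuple(op(a, b) for a, b in zip(lvals, rvals))
                        expr = f"({lexpr} {sym} {rexpr})"
                        if vals == target:
                            return expr
                        if vals not in seen:
                            seen[vals] = expr
                            by_size[size].append((expr, vals))
    return None

def verify(expr, fn, n=1000, seed=99):
    """Re-check a candidate on fresh inputs the synthesizer never saw.
    This guards against a candidate that merely fits the training samples."""
    rng = random.Random(seed)
    for _ in range(n):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        if (eval(expr, {"x": x, "y": y}) & MASK) != fn(x, y):
            return False
    return True

if __name__ == "__main__":
    for fn in (obfuscated_add, obfuscated_xor):
        expr = synthesize(fn)
        print(f"{fn.__name__}: {expr}  verified={verify(expr, fn)}")
```

Run as a script, it recovers `(x + y)` and `(x ^ y)` from the two MBA forms. Note what the verification step does and does not give: random re-testing catches candidates that over-fit the samples, but it is not a proof of equivalence; in practice a recovered expression would be handed to an SMT solver for a final equivalence check before it replaces the obfuscated code.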

We show how program synthesis-based techniques can be applied to modern, commercial protection systems such as Themida and VMProtect. Further, we discuss the role of program synthesis in the landscape of modern deobfuscation techniques.

Presenters:

  • Moritz Contag - PhD student, Ruhr-Universität Bochum
    Moritz Contag is a Ph.D. student at Ruhr-Universität Bochum and is interested in static program analysis. Recently, he applied such techniques to the automotive context and analyzed engine control unit firmware at scale. Other than that, he enjoys toying around with all sorts of code obfuscation – especially Virtual Machine-based schemes – and occasionally gets to participate in Capture the Flag contests with FluxFingers.
  • Tim Blazytko - Security Researcher, Ruhr-Universität Bochum
    Tim Blazytko is a security researcher at the Ruhr-Universität Bochum. His research focuses on automated binary reverse engineering and exploitation. Alongside his work as a PhD student, Tim performs security audits and malware analysis as a freelancer.
