The Next Generation of Virtualization-based Obfuscators

Presented at REcon 2022, June 3, 2022, 5 p.m. (60 minutes)

Our talk first gives an overview of contemporary code obfuscation schemes, where we focus on the design & architecture of virtual machines. Then, we work out the weaknesses of well-established approaches and discuss how modern virtual machines can be broken in a (semi-)automated fashion. Afterward, we present the core design principles behind the next generation of virtual machines and highlight how they abuse inherent weaknesses of the deobfuscation techniques in order to provide long-lasting resilience. We conclude the talk by pointing out that such techniques will shape the landscape of modern obfuscation in the next few years; further, we outline required advances in code deobfuscation research to tackle such virtual machines.

Code obfuscation has become a vital tool to protect, for example, intellectual property against the prying eyes of competitors. Generally speaking, obfuscation makes program code more complex and thus less intelligible. In our talk, we first give an overview of contemporary code obfuscation schemes. We focus on the design & architecture of virtual machines and discuss the weaknesses of well-established approaches, one being that they mostly rely on fixed instruction set architectures and weak obfuscation of their individual components. A variety of deobfuscation attacks, including compiler optimizations, symbolic execution and program synthesis, are highly efficient in deobfuscating individual VM components; they even allow us to automate the reconstruction of the underlying code which should be protected by the virtual machine. As a consequence, both academia and industry are currently working towards the next generation of virtual machines, aiming for resilience against such attacks. We present the core design principles behind such next-gen virtual machines and highlight how they abuse inherent weaknesses of the analysis techniques. Following this, we introduce concrete methods that center around generating target-specific instruction set architectures and intertwined VM components. While some of these methods use theoretical underpinnings to withstand specific attacks, we show that their combination even has beneficial synergy effects. We conclude the talk by pointing out that such techniques will shape the landscape of modern obfuscation in the next few years; further, we outline required advances in code deobfuscation research to tackle such virtual machines.

Presenters:

  • Moritz Schloegel
    Moritz Schloegel is a binary security researcher and final-year PhD student at Ruhr-Universität Bochum. His research focuses on automated finding, understanding, and exploitation of bugs. Beyond this, he loves digging into code (de-)obfuscation, in particular looking at automated attacks and countermeasures thereof.
  • Tim Blazytko
    Tim Blazytko is a well-known binary security researcher and co-founder of emproof GmbH. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.
