qsynth a program synthesis approach for binary code
play

QSynth - A Program Synthesis approach for Binary Code Deobfuscation - PowerPoint PPT Presentation

May 29, 2023 •280 likes •1.12k views

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it>

  1. QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it> February 23th, 2020 - San Diego, California www.quarkslab.com

  2. Talk Outline Context: ◮ Need to address highly obfuscated binaries ◮ Few approaches address data obfuscation Goal: deobfuscating expression (obfuscated with data transformations) 2 / 26

  3. Talk Outline Context: ◮ Need to address highly obfuscated binaries ◮ Few approaches address data obfuscation Goal: deobfuscating expression (obfuscated with data transformations) Takeway We provide a synthesis approach addressing various obfuscations and that supersede the state-of-the-art in both speed and accuracy 2 / 26

  4. Table of Contents Background Software obfuscation Deobfuscation techniques Our Synthesis Approach Goal & Contributions Approach steps Experimental Benchmarks Experimental Setup Benchmarks Conclusion 3 / 26

  5. Obfuscation types Control-Flow Obfuscation Hiding the logic and algorithm of the program Virtualization, Opaque predicates, CFG-flattening, Split, Merge, Packing, Implicit Flow, MBA, Loop-Unrolling... Example ⇒ 4 / 26

  6. Obfuscation types Control-Flow Obfuscation Data-Flow Obfuscation Hiding the logic and algorithm of the Hiding data, constants, strings, APIs, program keys etc. Virtualization, Opaque predicates, Data encoding, MBA, Arithmetic CFG-flattening, Split, Merge, Packing, Encoding, Whitebox, Array Split, Fold and Implicit Flow, MBA, Loop-Unrolling... Merge, Variable Splitting... Example (((((( a ∧¬ b )+ b ) << 1 ) ∧¬ (( a ∨ b ) − ⇒ a + b ( a ∧ b ))) << 1 ) − (((( a ∧¬ b )+ b ) << 1 ) ⊕ (( a ∨ b ) − ( a ∧ b )))) 4 / 26

  7. Obfuscation types Control-Flow Obfuscation Data-Flow Obfuscation Hiding the logic and algorithm of the Hiding data, constants, strings, APIs, program keys etc. Virtualization, Opaque predicates, Data encoding, MBA, Arithmetic CFG-flattening, Split, Merge, Packing, Encoding, Whitebox, Array Split, Fold and Implicit Flow, MBA, Loop-Unrolling... Merge, Variable Splitting... Example (((((( a ∧¬ b )+ b ) << 1 ) ∧¬ (( a ∨ b ) − ⇒ a + b ( a ∧ b ))) << 1 ) − (((( a ∧¬ b )+ b ) << 1 ) ⊕ (( a ∨ b ) − ( a ∧ b )))) Problem: Reverting an obfuscating transformation is hard. 4 / 26

  8. Deobfuscation Let’s focus on two deobfuscation techniques: Dynamic Symbolic Execution Program Synthesis 5 / 26

  9. Symbolic Execution Definition Mean of executing a program using symbolic values (logical symbols) rather than real values (bitvectors) in order to obtain an in-out relationship of a path 6 / 26

  10. Symbolic Execution Definition Mean of executing a program using symbolic values (logical symbols) rather than real values (bitvectors) in order to obtain an in-out relationship of a path Dynamic Symbolic Execution (a.k.a. concolic) ◮ Properties: work on dynamic paths and use runtime values ◮ Advantages: path sure to be feasible and thwart various obfuscations 6 / 26

  11. Symbolic Execution: Example ⇒ In this context used to extract symbolic expressions (e.g. b) Symbolic State 7 / 26

  12. Symbolic Execution: Example ⇒ In this context used to extract symbolic expressions (e.g. b) Symbolic State φ b = b 7 / 26

  13. Symbolic Execution: Example ⇒ In this context used to extract symbolic expressions (e.g. b) Symbolic State φ b = b φ b = b + ( a | − 1 ) − 1 7 / 26

  14. Symbolic Execution: Example ⇒ In this context used to extract symbolic expressions (e.g. b) Symbolic State φ b = b φ b = b + ( a | − 1 ) − 1 φ b = b + ( a | − 1 ) − 1 − (( ∼ a ) & − 1 ) 7 / 26

  15. Symbolic Execution: Example ⇒ In this context used to extract symbolic expressions (e.g. b) Symbolic State φ b = b φ b = b + ( a | − 1 ) − 1 φ b = b + ( a | − 1 ) − 1 − (( ∼ a ) & − 1 ) φ b = b + ( a | − 1 ) − 1 − (( ∼ a ) & − 1 ) − 1 + ((( b + ( a | − 1 ) − 1 − (( ∼ a )& − 1 )) × ( b + . . . Question: How to simplify the φ b expression? (Knowing that the quality of the result depends on the syntactic complexity of the obfuscated expression) 7 / 26

  16. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program 8 / 26

  17. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output Obfuscated Program 8 / 26

  18. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output 1, 2 3 Obfuscated Program 8 / 26

  19. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output 1, 2 3 2, 2 4 Obfuscated Program 8 / 26

  20. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output 1, 2 3 2, 2 4 Obfuscated 2, 3 5 Program 8 / 26

  21. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output 1, 2 3 ⇒ a + b 2, 2 4 Obfuscated 2, 3 5 Program 8 / 26

  22. Program Synthesis Definition Program synthesis consists in automatically deriving a program from: ◮ a high-level specification (typically its I/O behaviour) ◮ additional constraints: ◮ Compilation: a faster program ◮ Deobfuscation: a smaller or more readable program Example Input Output 1, 2 3 ⇒ a + b 2, 2 4 Obfuscated 2, 3 5 Program Problem Synthesizing programs (expressions) with complex behaviors is hard . 8 / 26

  23. Table of Contents Background Software obfuscation Deobfuscation techniques Our Synthesis Approach Goal & Contributions Approach steps Experimental Benchmarks Experimental Setup Benchmarks Conclusion 9 / 26

  24. Key Intuition Symbolic Execution + Capture full semantic - Influenced by syntactic complexity 10 / 26

  25. Key Intuition Symbolic Execution Program Synthesis + Only influenced by semantic + Capture full semantic complexity - Influenced by syntactic - Black-box ⇒ big search space complexity 10 / 26

  26. Key Intuition Symbolic Execution Program Synthesis + Only influenced by semantic + Capture full semantic complexity - Influenced by syntactic - Black-box ⇒ big search space complexity Idea : Using symbolic execution to reduce the synthesis search space 10 / 26

  27. Contributions A synthesis approach using an Offline Enumerative Search based on pre-computed lookup tables combined with an Abstract Syntax Tree simplification algorithm which outperform similar approach of the state-of-the-art (e.g. Syntia) 11 / 26

  28. QSynth: Overview Enumerative Synthesis Oracle (generated once for all) inputs equivalent outputs expression Obfuscated Execution Obfuscated Simplification program trace expressions synthesized Execution tracing Dynamic Symbolic Strategy expressions Execution (DBI) (for each sub-expression) 12 / 26

  29. QSynth: Overview Enumerative Synthesis Oracle (generated once for all) inputs equivalent outputs expression Obfuscated Execution Obfuscated Simplification program trace expressions synthesized Execution tracing Dynamic Symbolic Strategy expressions Execution (DBI) (for each sub-expression) Tool: QBDI 12 / 26

  30. Execution Tracing Original Dynamic Binary Instrumentation mov qword [0x000232c0], 8 mov r13, rax test rax, rax Using QBDI : QuarkslaB Dynamic binary je 0x42a7 xor r8d, r8d Instrumentation (similar to Pin, DynamoRIO) xor edx, edx xor esi, esi + multi-architecture & platform Instrumentation - no (direct) thread support mov qword [0x000232c0], 8 ; Some code ... mov r13, rax Qtracer (a qbditool like Pin ‘‘pintools’’) ; Some code ... test rax, rax ; Some code ... je <patched address> ◮ gather instruction executed with their ; Some code ... xor r8d, r8d concrete state (registers and memory) ; Some code ... xor edx, edx ; Some code ... ◮ Data are consolidated in database xor esi, esi ; Some code ... (SQLite, PostgresSQL etc.) Instrumented https://qbdi.quarkslab.com/ 13 / 26

Recommend

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay

Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay

Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay Murali, Chris Jermaine Programming is hard Program synthesis, debugging, verification, repair Can we automate these processes? Decades of prior

1.59k views • 143 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
From Program Synthesis to Optimal Program . . . Optimal Program Synthesis Logical Interpretation

From Program Synthesis to Optimal Program . . . Optimal Program Synthesis Logical Interpretation

Need for Data . . . Program Synthesis Wave Algorithm for . . . Boolean Logic . . . From Program Synthesis to Optimal Program . . . Optimal Program Synthesis Logical Interpretation . . . A Seemingly Natural . . . Counter-Example to . . .

725 views • 24 slides
Hardware Design with VHDL Synthesis of VHDL Code ECE 443 Synthesis of VHDL Code This slide set

Hardware Design with VHDL Synthesis of VHDL Code ECE 443 Synthesis of VHDL Code This slide set

Hardware Design with VHDL Synthesis of VHDL Code ECE 443 Synthesis of VHDL Code This slide set covers Fundamental limitation of EDA software Realization of VHDL operator Realization of VHDL data type VHDL synthesis flow

511 views • 34 slides
Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler

Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler

Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler text Asm program ( p1.s p2.s ) Assembler binary Object program ( p1.o p2.o ) Libraries Linker binary Executable program ( p ) Sean Barker 2

284 views • 7 slides
Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1 Program Verification and Constraints Reasoning about program

422 views • 28 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology ACL2 Workshop, May, 2017 Goal Lift binary code into logic JVM bytecode x86 binary code Then verify against a spec using Axe

276 views • 24 slides
Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of

Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of

Scaling Program Synthesis by Exploiting Existing Code James Bornholt Emina Torlak University of Washington Synthesis: write programs automatically Syntax Semantics Synthesis: write programs automatically Syntax Semantics Synthesis: write

1.02k views • 87 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

348 views • 14 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

163 views • 13 slides
Writing Reusable Code Feedback at Scale with Mixed-Initiative Program Synthesis Andrew Head*,

Writing Reusable Code Feedback at Scale with Mixed-Initiative Program Synthesis Andrew Head*,

Writing Reusable Code Feedback at Scale with Mixed-Initiative Program Synthesis Andrew Head*, Elena Glassman*, Gustavo Soares*, Ryo Suzuki, Lucas Figueredo, Loris DAntoni, Bjrn Hartmann * These three authors contributed equally to the

388 views • 36 slides
An Approach to Synthesis of An Approach to Synthesis of Multiple-Valued Reversible

An Approach to Synthesis of An Approach to Synthesis of Multiple-Valued Reversible

An Approach to Synthesis of An Approach to Synthesis of Multiple-Valued Reversible Multiple-Valued Reversible Logic Circuits Logic Circuits Pawel Kerntopf Institute of Computer Science Warsaw University of Technology Warsaw, Poland 6th

414 views • 15 slides
! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

Coding ! Representing characters from some input alphabet using another alphabet . Example: input characters from the Latin Huffman Codes alphabet, output strings of binary digits. ! Fixed-length binary character code: for an input

326 views • 3 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni ,

Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni ,

Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni , Thomas Reps Program Synthesis Specification Solution Program Synthesizer Search space Program Synthesis is Un Unpredicta edictable ble

1.05k views • 41 slides
Synthesis Script for 8 x 8 Binary Multiplier load_library

Synthesis Script for 8 x 8 Binary Multiplier load_library

Synthesis Script for 8 x 8 Binary Multiplier load_library /linux_apps/ADK3.1/technology/leonardo/tsmc035_typ analyze &quot;../src/adder.vhd&quot; &quot;../src/RegN.vhd&quot; &quot;../src/mctrl.vhd&quot; &quot;../src/mult_comp.vhd&quot;

81 views • 4 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky

Optimizing Binary Translation of Dynamically Generated Code Byron Hawkins Brian Demsky University of California, Irvine Derek Bruening Qin Zhao Google, Inc. Profiling Bug detection Program analysis Security SPEC CPU 2006

1.15k views • 85 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
Code R Region B Based A Auto-Tu Tuning En Enabled C Compilers M. James Kalyan

Code R Region B Based A Auto-Tu Tuning En Enabled C Compilers M. James Kalyan

Code R Region B Based A Auto-Tu Tuning En Enabled C Compilers M. James Kalyan Xiang Wang Ahmed Eltantawy Yaoqing Gao Motivation Binary Developer 2 Motivation Binary Auto-Tuner 3 Approach .6% speedup over

604 views • 17 slides
Conditional Program Generation for Bimodal Program Synthesis Swarat Chaudhuri Rice University

Conditional Program Generation for Bimodal Program Synthesis Swarat Chaudhuri Rice University

Conditional Program Generation for Bimodal Program Synthesis Swarat Chaudhuri Rice University www.cs.rice.edu/~swarat (Joint work with Chris Jermaine, Vijay Murali, and Letao Qi) Program synthesis [Simon 1963, Summers 1977, Manna-Waldinger

411 views • 22 slides

More recommend