symbolic deobfuscation
play

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin - PowerPoint PPT Presentation

May 15, 2023 •249 likes •664 views

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

  1. CODE PROTECTION: the promises and limits of symbolic deobfuscation Sébastien Bardin (CEA LIST) Sébastien Bardin – GreHack 2017 | 1

  2. ABOUT MY LAB @CEA [Paris-Saclay, France] Sébastien Bardin – GreHack 2017 | 2

  3. IN A NUTSHELL • Challenge: code deobfuscation • Standard tools (dynamic, syntactic) not enough • Semantic methods can help [obfuscation preserves semantic] Yet, need to be carefully adapted • • A tour on how symbolic methods can help • Explore and discover [SANER 2016] • Prove infeasibility [BH Europe 2016, S&P 2017] • Simplify [SSTIC 2017] Sébastien Bardin – GreHack 2017 | 3

  4. OUTLINE • Context • Code Protection • Semantic analysis • Symbolic deobfuscation • Basis: Symbolic execution • Part I: Explore & Discover -- crackme • Part II: Prove infeasibility -- malware x-tunnel • Part III: Simplify -- devirtualization • Conclusion Sébastien Bardin – GreHack 2017 | 4

  5. MATE: MAN-AT-THE-END ATTACK MATE: Man-At-The-End Attacker is on the computer • R/W the code • Execute step by step • Patch on-the-fly New field MITM: Man-In-The-Middle Attacker is on the network • Observe messages • Forge messages Known crypto solutions Sébastien Bardin – GreHack 2017 | 5

  6. FACT: SOFTWARE IS JUST DATA • You can execute it • But you may prefer to: • Read it <reverse legacy code, or …………….. steal crypto keys> • Modify it <patch a bug, or ………………………. bypass a security check> Code & Data attack Code & Data protection (MATE) (obfuscation) Sébastien Bardin – GreHack 2017 | 6

  7. <aparté> NOT SO HARD FOR EXPERTS Sébastien Bardin – GreHack 2017 | 7

  8. A SOLUTION: OBFUSCATION State of the art • No usable math-proven solution • Useful ad hoc solutions (strength?) Transform P into P’ such that • P’ behaves like P • P’ roughly as efficient as P • P’ is very hard to understand Sébastien Bardin – GreHack 2017 | 8

  9. OBFUSCATION IN PRACTICE • self-modification • encryption • virtualization • code overlapping • opaque predicates • callstack tampering • … Sébastien Bardin – GreHack 2017 | 9

  10. EXAMPLE: OPAQUE PREDICATE Constant-value predicates (always true, always false) • dead branch points to spurious code • goal = waste reverser time & efforts Sébastien Bardin – GreHack 2017 | 10

  11. EXAMPLE: STACK TAMPERING Alter the standard compilation scheme: ret do not go back to call • hide the real target • return site is spurious code Sébastien Bardin – GreHack 2017 | 11

  12. EXAMPLE: VIRTUALIZATION long secret(long x) { …… Bytecodes - Custom ISA return x; } Fetching Turns code P into Decoding • a proprietary bytecode program • + a homemade VM (runtime) Dispatcher • Easy to recover the VM structure Operator 1 Operator 2 Operator 3 • But does not say anything about P Terminator Sébastien Bardin – GreHack 2017 | 12

  13. DEOBFUSCATION • Ideally, get P back from P’ • Or, get close enough • Or, help understand P Sébastien Bardin – GreHack 2017 | 13

  14. WHY WORKING ON DEOBFUSCATION? <in an ethical manner> • Software protection • Assess the power of current obfuscation schemes • Special case: white-box crypto <hide keys> • Malware analysis Comprehension: help to understand the malware <goal, functions, weaknesses> • Detection: remove the protection layer • Sébastien Bardin – GreHack 2017 | 14

  15. DEOBFUSCATION NEEDS TOOLING • Strongly rely on human expert • While obfuscation is automatic Proper tool support • Explore (find hidden parts) • Prove (identify spurious code) • Simplify Sébastien Bardin – GreHack 2017 | 15

  16. <aparté> STATE-OF-THE-ART TOOLS ARE NOT ENOUGH FOR DEOBFUSCATION Just add mov %eax,%ecx mov %ecx,%eax and break results • Static (syntactic): too fragile • Dynamic: too incomplete Sébastien Bardin – GreHack 2017 | 16

  17. SOLUTION? SEMANTIC PROGRAM ANALYSIS • From formal methods for safety-critical systems • Semantic = meaning of the program • Possibly well adapted Semantic preserved Can reason about by obfuscation sets of executions • find rare events • prove, simplify • Symbolic deobfuscation + strong • Explore and discover [SANER 2016] theoretical ground • Prove infeasibility [Black Hat EU 2016, S&P 2017] • Simplify [SSTIC 2017] Sébastien Bardin – GreHack 2017 | 17

  18. <En aparté > ABOUT FORMAL METHODS Clear success in safety-critical Sébastien Bardin – GreHack 2017 | 18

  19. OK but … WHICH APPROACH? (Formal Method Zoo) • Abstract interpretation • Weakest precondition • Model Checking • Property-directed checking • Symbolic model checking • Symbolic execution • Bounded model checking • Interactive theorem proving • Counter-example guided model checking • Type systems • Interpolation-based model checking • Correct by construction • k-induction • ….. Constraints • Not too hard to adapt to binary level • Robust to nasty low-level tricks Sébastien Bardin – GreHack 2017 | 19

  20. SYMBOLIC EXECUTION (2005) Given a path of a program • Compute its « path predicate » f • Solution of f  input following the path • Solve it with powerful existing solvers Sébastien Bardin – GreHack 2017 | 20

  21. SYMBOLIC EXECUTION (2005) Good points: • No false positive = find real paths • Robust (symb. + dynamic) • Extend rather well to binary code Given a path of a program • Compute its « path predicate » f • Solution of f  input following the path • Solve it with powerful existing solvers Sébastien Bardin – GreHack 2017 | 21

  22. BINSEC: SYMBOLIC DEOBFUSCATION Sébastien Bardin – GreHack 2017 | 22

  23. PART I: EXPLORE Forward reasoning • Follows path • Find new branch / jumps • Standard DSE setting Advantages • Find new real paths • Even rare paths « dynamic analysis on steroids » Sébastien Bardin – GreHack 2017 | 23

  24. Solve for new dynamic targets IN PRACTICE • Get a first target • Then solve for a new one • Get it, solve again , … • Get them all! Sébastien Bardin – GreHack 2017 | 24

  25. EXAMPLE: FIND THE GOOD PATH Sébastien Bardin – GreHack 2017 | 25

  26. PART II: PROVE Prove that something is always true (resp. false) Many such issues in reverse • is a branch dead? • does the ret always return to the call? • have i found all targets of a dynamic jump? • does this expression always evaluate to 15? • … Not addressed by DSE • Cannot enumerate all paths Sébastien Bardin – GreHack 2017 | 26

  27. BACKWARD SYMBOLIC EXECUTION • Prove infeasible Explore & discover Sébastien Bardin – GreHack 2017 | 27

  28. CASE-STUDY: PACKERS Packers: legitimate software protection tools (basic malware: the sole protection) Sébastien Bardin – GreHack 2017 | 28

  29. CASE-STUDY: PACKERS (fun facts) Sébastien Bardin – GreHack 2017 | 29

  30. CASE-STUDY: THE XTUNNEL MALWARE (part of DNC hack) Two heavily obfuscated samples • Many opaque predicates Goal: detect & remove protections • Identify 50% of code as spurious • Fully automatic, < 3h Sébastien Bardin – GreHack 2017 | 30

  31. CASE-STUDY: THE XTUNNEL MALWARE (fun facts) • Protection seems to rely only on opaque predicates • Only two families of opaque predicates • Yet, quite sophisticated original OPs • interleaving between payload and OP computation • sharing among OP computations • possibly long dependencies chains (avg 8.7, upto 230) • Sébastien Bardin – GreHack 2017 | 31

  32. PART III: SIMPLIFY Why? recover hidden simple expressions • Junk code, junk computations • Opaque values • Duplicate code • Complex patterns (MBAs) Symbolic reasoning a priori well adapted • Normalization / rewrite rules: (a+b-a)  b • Solver-based proof: solve(a+b-a =!= b) Sébastien Bardin – GreHack 2017 | 32

  33. CASE-STUDY: DEVIRTUALIZATION (tool Triton) Bytecode long secret(long x) { long secret’( long x) { …… …… return x; return x; } } Simplify Goal & merge • Small protected hash functions Discard VM part Optimizations • Get the original function back Binary Triton AST Arybo LLVM- Binary code (+ simplif.) IR IR code Sébastien Bardin – GreHack 2017 | 33

  34. CASE-STUDY: DEVIRTUALIZATION (tool Triton) TIGRESS Challenge • 7 (classes of) challenges • 5 codes per class • Original codes: hash-like functions • Focus on challenges 0-4 • Only challenge 1 was solved Solve challenges 0 - 4 (25 samples) • very close to the original codes • sometimes even smaller! • very efficient (<1min on 20/25) Sébastien Bardin – GreHack 2017 | 34

  35. CASE-STUDY: DEVIRTUALIZATION (tool Triton) • Opcode duplicate: merged! • 2-level VM (challenge 4): still ok • Also tested vs each VM-option Sébastien Bardin – GreHack 2017 | 35

  36. REMINDER: SYMBOLIC DEOBFUSCATION • EXPLORE • PROVE • SIMPLIFY Sébastien Bardin – GreHack 2017 | 36

Recommend

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp;

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp;

Code Deobfuscation : Intertwining Dynamic, Static and Symbolic Approaches Robin David &amp; Sbastien Bardin CEA LIST Who are we ? #Robin David #Sbastien Bardin PhD Student Full-time researcher at CEA LIST at CEA LIST Where

771 views • 58 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Carl Svensson Exploit development and deobfuscation September 13, 2018 SEC-T 2018 Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, Kry CTF-player, HackingForSoju 1 About me

695 views • 23 slides
Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1. Obfuscating Arithmetic 2. Opaque Expressions 3. Control Flow Flattening 4. Constructing Opaque Expressions 5. Generic Deobfuscation 6. Turning up

1.39k views • 95 slides
DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA LIST, QuarksLab) Jean-Yves Marion (LORIA) Sbastien Bardin et al. Dagstuhl2017 | 1 IN A NUTSHELL Challenge: malware deobfuscation

641 views • 36 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with

Intro/Deobfuscation What's a Mobile Ambulatory Assessment System? Mobile Experiments with computers, phones, sensors Records constantly Intro We worked on one system used for alcohol craving and drinking prediction Collected

422 views • 23 slides
Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research

Advanced Anti-Deobfuscation Bjorn De Sutter ISSISP 2017 Paris 1 About me Research domain: system software compilers, binary rewriting tools, whole program optimization (binary &amp; Java), virtualization, run-time environments

680 views • 45 slides
Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 /

Symbolic Mathematics Dr. Mihail November 20, 2018 (Dr. Mihail) Symbolic November 20, 2018 1 / 16 Overview Symbolic So far in this course we dealt with MATLAB variables that were placeholders for numeric types (e.g., scalars, vectors,

953 views • 17 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data Lynne Billard University of Georgia lynne@stat.uga.edu Tribute to Professor Edwin Diday: Paris, France; 5 September 2007 Naturally occurring

635 views • 44 slides
6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests: Inheritance Recursive-Descent Parsing 22 April 2020 Symbolic Algebra Today well implement a symbolic algebra engine , designed to represent

811 views • 19 slides
Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid

Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid

Neural-Symbolic Integration Strategies Neural-Symbolic Integration Unification Hybrid Strategies Systems Neuronal Connectionist Hybrid Hybrid by Modeling Logic Systems by Translation Function Neural-Symbolic Learning Systems CILP:

670 views • 37 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Symbolic Dynamics . D. Ahmadi Dastjerdi University of Guilan February, 2017 (Symbolic

Symbolic Dynamics . D. Ahmadi Dastjerdi University of Guilan February, 2017 (Symbolic

. Symbolic Dynamics . D. Ahmadi Dastjerdi University of Guilan February, 2017 (Symbolic Dynamics) IPM 2017 February, 2017 1 / 66 Outline . . 1 Basic definitions and applications of general subshifts, . . 2 Coded systems, in particular

1.2k views • 66 slides

More recommend