Beruflich Dokumente
Kultur Dokumente
of Obfuscated Code
Tim Blazytko, Moritz Contag, Cornelius Aschermann,
and Thorsten Holz, Ruhr-Universität Bochum
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/blazytko
U1 U2
UU* UU+ a b
Figure 6: The left-most U in U3 U2 U1 ∗ + is the top-
most-right-most non-terminal in the abstract syntax tree.
(The indices are provided for illustrative purposes only.)
Ub+ UUU++ Ua+ UUU*+
the x86 architecture. For every data type (U8 , Example 4. The expression (U + (U ∗U)) is represented
U16 , U32 and U64 ), we define the set of operations as U U U ∗ +. If we successively replace the right-most
as O = {+,−,∗,/s ,/,%s ,%,∧,∨,⊕,,,a ,−1 ,¬, U, the algorithm is unlikely to find expressions such as
sign_ext, zero_ext, extract, ++, 1}, where the ((a + b) + (b ∗ (b ∗ a))), since it is directed into the subex-
operations are binary addition, subtraction, multiplication, pression with the multiplication. Instead, replacing the
signed/unsigned division, signed/unsigned remainder, top-most-right-most non-terminal directs the search to the
bitwise and/or/xor, logical left shift, logical/arithmetic top-most addition and then explores the subexpressions.
right shift as well as unary minus and complement.
The unary operations sign_ext and zero_ext extend
smaller data types to signed/unsigned larger data types.
4.3 Random Playout
Conversely, the unary operator extract transforms One of the key concepts of MCTS are random playouts.
larger data types into smaller data types by extracting the They are used to determine the outcome of a node; this
respective least significant bits. Since the x86 architecture outcome is represented by a reward. In the first step,
allows register concatenation (e. g., for division), we we randomly apply production rules to the current node,
employ the binary operator ++ to concatenate two until we obtain a terminal expression. To avoid infinite
expressions of the same data type. Finally, to synthesize derivations, we set a maximum playout depth. This max-
expressions such as increment and decrement, we use the imum playout depth defines how often a non-terminal
constant 1 as niladic operator. The input set V consists symbol can be mapped to rules that contain non-terminal
of |V | = n variables, where n represents the number of symbols; at the latest we reached the maximum, we map
inputs. non-terminals only to terminal expressions. This happens
in a top-most-right-most manner. Afterwards, we evaluate
Tree Structure. The sentential form U is the root node the expression for all inputs from the I/O samples.
of the MCTS tree. Its child nodes are other expressions
that are produced by applying the production rules to a Example 5. Assuming a maximum playout depth of 2
single non-terminal symbol of the parent. The expression and the expression U U ∗, the first top-most-right-most U
depth (referred to as layer) is equivalent to the number of is randomly substituted with U U ∗, the second one with
derivation steps, as depicted in Figure 5. U U +. After that, the remaining non-terminal symbols
are randomly replaced with variables: U U ∗ ⇒ U U U ∗
Example 3. The root node U is an expression of layer 0. ∗ ⇒ U U + U U ∗ ∗ ⇒ · · · ⇒ a a + b a ∗ ∗. A random
Its children are a, b, U U +, and U U ∗, where a and b are playout for U U + is a b b + +.
terminal expressions of layer 1. Assuming that the right- For the I/O sample (2, 2) → 4, we evaluate g(2, 2) = 0
most U in an expression is replaced, the children of U U + for g(a, b) = ((a + a) ∗ (b ∗ a)) mod (28 ) and h(2, 2) = 6
are U b +, U a +, U U U + +, and U U U ∗ +. To obtain for h(a, b) = (a + (b + b)) mod 28 .
the layer 3 expression b a +, the following derivation
steps are applied: U ⇒ U U + ⇒ U a + ⇒ b a +. We set terminal nodes to inactive after their evaluation,
since they already are end states of the game; there is
To direct the search towards outer expressions, we re- no possibility to improve the node’s reward by random
place the top-most-right-most non-terminal. If we, in- playouts. As a result, MCTS will not take these nodes
Collberg et al. [9] which uses the technique to encode inte- Table 3: Trace window statistics and synthesis perfor-
ger variables and expressions in which they are used [11]. mance for Tigress (MBA), VMProtect (VMP), Themida
Further, Tigress also supports common arithmetic encod- (flavor Tiger White, TM), and ROP gadgets.
ings to increase an expression’s complexity, albeit not MBA VMP TM ROP
based on MBAs [10]. #trace windows 500 12,577 2,448 78
For example, the rather simple expression x + y + z is #unique windows 500 449 106 78
transformed into the layer 23 expression (((x ⊕ y) + ((x ∧ #instructions per window 116 49 258 3
#inputs per window 5 2 15 3
y) 1)) ∨ z) + (((x ⊕ y) + ((x ∧ y) 1)) ∧ z) using its
#outputs per window 1 2 10 2
arithmetic encoding option. In a second transformation #synthesis tasks 500 1,123 1,092 178
step, Tigress encodes it into a linear MBA expression of I/O sampling time (s) 110 118 60 17
layer 383 (omitted due to complexity). Such expressions overall synthesis time (s) 2,020 4,160 9,946 829
are hard to simplify symbolically. synthesis time per task (s) 4.0 3.7 9.1 4.7
Evaluation Results. We evaluated our approach to sim- To get a better feeling for this probabilistic behavior, we
plify MBA expressions using Syntia. As a testbed, we compared the cumulative numbers of synthesized MBA
built a C program which calls 500 randomly generated expressions for 10 subsequent runs. Figure 7 shows the
functions. Each of these random functions takes 5 in- results averaged over 15 separate experiments. On aver-
put variables and returns an expression of layer 3 to 5. age, the first run synthesizes 89.6% (448 expressions) of
Then, we applied the arithmetic encoding provided by the 500 expressions. A second run yields 22 new expres-
Tigress, followed by the linear MBA encoding. The re- sions (94.0%), while a third run reveals 10 more expres-
sulting program contained expressions of up to 2, 821 sions (96.0%). While converging to 500, the number of
layers, the average layer being 156. The arithmetic encod- newly synthesized expressions decreases in subsequent
ing is applied to highlight that our approach is invariant runs. Comparing the fifth and the eighth run, we only
to the code’s increased symbolic complexity and is only found 5 new expressions (from 489 to 494). After the
concerned with semantical complexity. ninth run, Syntia synthesized 495 (99.0%) of the MBA
Based on a concrete execution trace it can be observed expressions.
that the 500 functions use, on average, 5 memory inputs
(as parameters are passed on the stack) and one register 6.3 VM Instruction Handler
output (the register containing the return value). Table 3
shows statistics for the analysis run using the configura- As introduced in Section 2.1.1, an instruction handler of
tion vector (1.5, 50000, 50, 0). The first two components a Virtual Machine implements the effects of an atomic in-
indicate a strong focus on exploration in favor of exploita- struction according to the custom VM-ISA. It operates on
tion; due to the small number of synthesis tasks, we used the VM context and can perform arbitrarily complex tasks.
50 I/O samples to obtain more precise results. As handlers are heavily obfuscated, manual analysis of a
The sampling phases completed in less than two min- handler’s semantics is a time-consuming task.
utes. Overall, the 500 synthesis tasks were finished
in about 34 minutes, i. e., in 4.0 seconds per expres- Attacking VMs. When faced with virtualization-based
sion. We were able to synthesize 448 out of 500 expres- obfuscations, an attacker typically has two options. For
sions (89.6%). The remaining expressions are not found one, she can analyze the interpreter and, for each han-
due to the probabilistic nature of our algorithm; after 4 dler, extract all information required to re-translate the
subsequent runs, we synthesized 489 expressions (97.8%) bytecode back to native instruction. Especially in face of
in total. handler duplication and bytecode blinding, this requires
9 Conclusion
Deobfuscation. Rolles provides an academic analysis
of a VM-based obfuscator and outlines a possible attack With our prototype implementation of Syntia we have
on such schemes in general [44]. He proposes using shown that program synthesis can aid in deobfuscation
static analysis to re-translate the VM’s bytecode back into of real-world obfuscated code. In general, our approach
native instructions. This, however, requires minute analy- is vastly different in nature compared to proposed deob-
sis of each obfuscator and hence is time-consuming and fuscation techniques and hence may succeed in scenarios
prone to minor modifications of the scheme. Kinder is where approaches requiring precise code semantics fail.
We thank the reviewers for their valuable feedback. This lenge of Computer Go: Monte Carlo Tree Search and Extensions.
Communications of the ACM (2012).
work was supported by the German Research Foundation
(DFG) research training group UbiCrypt (GRK 1817) and [18] G ODEFROID , P., AND TALY, A. Automated Synthesis of Sym-
bolic Instruction Encodings from I/O Samples. In ACM SIGPLAN
by ERC Starting Grant No. 640110 (BASTION). Notices (2012).
[19] G RAZIANO , M., BALZAROTTI , D., AND Z IDOUEMBA , A. ROP-
References MEMU: A Framework for the Analysis of Complex Code-Reuse
Attacks. In ACM Symposium on Information, Computer and Com-
[1] A NDRIESSE , D., B OS , H., AND S LOWINSKA , A. Parallax: Im- munications Security (ASIACCS) (2016).
plicit Code Integrity Verification using Return-Oriented Program-
ming. In Conference on Dependable Systems and Networks (DSN) [20] G UINET, A., E YROLLES , N., AND V IDEAU , M. Arybo: Ma-
(2015). nipulation, Canonicalization and Identification of Mixed Boolean-
Arithmetic Symbolic Expressions. In GreHack Conference (2016).
[2] BANESCU , S., C OLLBERG , C., G ANESH , V., N EWSHAM , Z.,
AND P RETSCHNER , A. Code Obfuscation against Symbolic Exe- [21] G ULWANI , S. Dimensions in Program Synthesis. In Proceedings
cution Attacks. In Annual Computer Security Applications Con- of the 12th international ACM SIGPLAN symposium on Principles
ference (ACSAC) (2016). and practice of declarative programming (2010).
[3] BANSAL , S., AND A IKEN , A. Automatic Generation of Peephole [22] G ULWANI , S., J HA , S., T IWARI , A., AND V ENKATESAN , R.
Superoptimizers. In ACM Sigplan Notices (2006). Synthesis of Loop-free Programs. ACM SIGPLAN Notices (2011).
[4] B ELL , J. R. Threaded Code. Communications of the ACM (1973). [23] H EULE , S., S CHKUFZA , E., S HARMA , R., AND A IKEN , A. Strat-
[5] B ROWNE , C. B., P OWLEY, E., W HITEHOUSE , D., L UCAS , ified synthesis: Automatically Learning the x86-64 Instruction
S. M., C OWLING , P. I., ROHLFSHAGEN , P., TAVENER , S., Set. In ACM SIGPLAN Conference on Programming Language
P EREZ , D., S AMOTHRAKIS , S., AND C OLTON , S. A Survey Design and Implementation (PLDI) (2016).
of Monte Carlo Tree Search Methods. IEEE Transactions on [24] J HA , S., G ULWANI , S., S ESHIA , S. A., AND T IWARI , A. Oracle-
Computational Intelligence and AI in Games (2012). guided Component-based Program Synthesis. In ACM/IEEE 32nd
[6] C AVALLARO , L., S AXENA , P., AND S EKAR , R. Anti-Taint- International Conference on Software Engineering (2010).
Analysis: Practical Evasion Techniques against Information Flow [25] K IM , D.-W., K IM , K.-H., JANG , W., AND C HEN , F. F. Unre-
based Malware Defense. Secure Systems Lab at Stony Brook lated Parallel Machine Scheduling with Setup Times using Simu-
University, Tech. Rep (2007). lated Annealing. Robotics and Computer-Integrated Manufactur-
[7] C AZENAVE , T. Monte carlo beam search. IEEE Transactions on ing (2002).
Computational Intelligence and AI in Games (2012). [26] K INDER , J. Towards Static Analysis of Virtualization-Obfuscated
[8] C HASLOT, G. Monte-Carlo Tree Search. PhD thesis, Universiteit Binaries. In IEEE Working Conference on Reverse Engineering
Maastricht, 2010. (WCRE) (2012).
[9] C OLLBERG , C., M ARTIN , S., M YERS , J., AND NAGRA , J. Dis- [27] K IRKPATRICK , S., G ELATT, C. D., AND V ECCHI , M. P. Opti-
tributed Application Tamper Detection via Continuous Software mization by Simulated Annealing. Science (1983).
Updates. In Annual Computer Security Applications Conference
(ACSAC) (2012). [28] K LINT, P. Interpretation Techniques. Software, Practice and
Experience (1981).
[10] C OLLBERG , C., M ARTIN , S., M YERS , J., AND Z IMMER -
MAN , B. Documentation for Arithmetic Encodings in [29] KOCSIS , L., AND S ZEPESVÁRI , C. Bandit based Monte-Carlo
Tigress. http://tigress.cs.arizona.edu/transformPage/ Planning. In European Conference on Machine Learning (2006).
docs/encodeArithmetic. [30] K RAHMER , S. x86-64 Buffer Overflow Exploits and the Borrowed
[11] C OLLBERG , C., M ARTIN , S., M YERS , J., AND Z IMMERMAN , Code Chunks Exploitation Technique, 2005.
B. Documentation for Data Encodings in Tigress. http:// [31] L IBERATORE , P. The Complexity of Checking Redundancy of
tigress.cs.arizona.edu/transformPage/docs/encodeData. CNF Propositional Formulae. In International Conference on
[12] C OLLBERG , C., T HOMBORSON , C., AND L OW, D. Manufactur- Agents and Artificial Intelligence (2002).
ing Cheap, Resilient, and Stealthy Opaque Constructs. In ACM
[32] L IM , J., AND YOO , S. Field Report: Applying Monte Carlo Tree
Symposium on Principles of Programming Languages (POPL)
Search for Program Synthesis. In International Symposium on
(1998).
Search Based Software Engineering (2016).
[13] C OOGAN , K., L U , G., AND D EBRAY, S. Deobfuscation
of Virtualization-obfuscated Software: A Semantics-Based Ap- [33] L U , K., X IONG , S., AND G AO , D. RopSteg: Program Steganog-
proach. In ACM Conference on Computer and Communications raphy with Return Oriented Programming. In ACM Conference on
Security (CCS) (2011). Data and Application Security and Privacy (CODASPY) (2014).
[14] E YROLLES , N. Obfuscation with Mixed Boolean-Arithmetic Ex- [34] M A , H., L U , K., M A , X., Z HANG , H., J IA , C., AND G AO , D.
pressions: Reconstruction, Analysis and Simplification Tools. PhD Software Watermarking using Return-Oriented Programming. In
thesis, Université de Versailles Saint-Quentin-en-Yvelines, 2017. ACM Symposium on Information, Computer and Communications
Security (ASIACCS) (2015).
[15] E YROLLES , N., G OUBIN , L., AND V IDEAU , M. Defeating MBA-
based Obfuscation. In ACM Workshop on Software PROtection [35] M ARC , S EBAG , M., S ILVER , D., S ZEPESVÁRI , C., AND T EY-
(SPRO) (2016). TAUD , O. Nested Monte-Carlo Search. Communications of the
ACM (2012).
[16] F INNSSON , H. Generalized Monte-Carlo Tree Search Extensions
for General Game Playing. In AAAI Conference on Artificial [36] M ICROSOFT R ESEARCH. The Z3 Theorem Prover. https://
Intelligence (2012). github.com/Z3Prover/z3.