research-article

Symbolic Execution of Obfuscated Code

Authors:

Babak Yadegari,

Saumya DebrayAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 732 - 744

https://doi.org/10.1145/2810103.2813663

Published: 12 October 2015 Publication History

Get Access

References

[1]

U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. 16th Annual Network and Distributed System Security Symposium (NDSS 2009), Feb. 2009.

Google Scholar

[2]

U. Bayer, A. Moser, C. Kruegel, and E. Kirda. Dynamic analysis of malicious code. Journal in Computer Virology, 2(1), Aug. 2006.

Crossref

Google Scholar

[3]

D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. X. Song, and H. Yin. Automatically identifying trigger-based behavior in malware. In Botnet Detection: Countering the Largest Security Threat, volume 36, pages 65-88. 2008.

Google Scholar

[4]

C. Cadar and D. Engler. Execution generated test cases: How to make systems code crash itself. In Model Checking Software, pages 2-23. Springer, 2005.

Digital Library

Google Scholar

[5]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: automatically generating inputs of death. ACM Transactions on Information and System Security (TISSEC), 12(2):10, 2008.

Digital Library

Google Scholar

[6]

C. Cadar, P. Godefroid, S. Khurshid, C. S. P¿s¿reanu, K. Sen, N. Tillmann, and W. Visser. Symbolic execution for software testing in practice: preliminary assessment. In Proceedings of the 33rd International Conference on Software Engineering, pages 1066-1071. ACM, 2011.

Digital Library

Google Scholar

[7]

L. Cavallaro, P. Saxena, and R. Sekar. Anti-taint-analysis: Practical evasion techniques against information flow based malware defense. Stony Brook University, Stony Brook, New York, 2007.

Google Scholar

[8]

L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In Detection of Intrusions, Malware and Vulnerability Analysis (DIMVA), July 2008.

Digital Library

Google Scholar

[9]

S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing mayhem on binary code. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 380-394. IEEE, 2012.

Digital Library

Google Scholar

[10]

V. Chipounov, V. Kuznetsov, and G. Candea. S2e: A platform for in-vivo multi-path analysis of software systems. In Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Mar. 2011.

Digital Library

Google Scholar

[11]

J. Clause, W. Li, and A. Orso. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis, pages 196-206. ACM, 2007.

Digital Library

Google Scholar

[12]

K. Coogan, G. Lu, and S. Debray. Deobfuscating virtualization-obfuscated software: A semantics-based approach. In Proc. ACM Conference on Computer and Communications Security (CCS), pages 275-284, Oct. 2011.

Digital Library

Google Scholar

[13]

J. R. Crandall, G. Wassermann, D. A. S. de Oliveira, Z. Su, S. F. Wu, and F. T. Chong. Temporal search: detecting hidden malware timebombs with virtual machines. In ASPLOS-XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, pages 25-36, Oct. 2006.

Digital Library

Google Scholar

[14]

A. Decker, D. Sancho, M. Goncharov, and R. McArdle. Ilomo: A study of the ilomo/clampi botnet. Technical report, Trend Micro, Aug. 2009.

Google Scholar

[15]

W. Drewry and T. Ormandy. Flayer: Exposing application internals. WOOT, 7:1-9, 2007.

Digital Library

Google Scholar

[16]

N. Falliere. Inside the jaws of Trojan. Clampi. Technical report, Symantec Corp., Nov. 2009.

Google Scholar

[17]

P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation (PLDI), pages 213-223. ACM, June 2005.

Digital Library

Google Scholar

[18]

C. Hauser, F. Tronel, L. Mé, and C. J. Fidge. Intrusion detection in distributed systems, an approach based on taint marking. In Proc. 2013 IEEE International Conference on Communications (ICC), pages 1962-1967, 2013.

Crossref

Google Scholar

[19]

C. Hauser, F. Tronel, J. F. Reid, and C. J. Fidge. A taint marking approach to confidentiality violation detection. In Proc. 10th Australasian Information Security Conference (AISC 2012), Jan. 30 2012.

Digital Library

Google Scholar

[20]

Intel. IntelÂ¿ 64 and ia-32 architectures software developer's manual. 2015.

Google Scholar

[21]

M. G. Kang, S. McCamant, P. Poosankam, and D. Song. Dta++: Dynamic taint analysis with targeted control-flow propagation. In NDSS, 2011.

Google Scholar

[22]

J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385-394, 1976.

Digital Library

Google Scholar

[23]

C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static disassembly of obfuscated binaries. In Proc. 13th USENIX Security Symposium, Aug. 2004.

Digital Library

Google Scholar

[24]

A. Lakhotia, E. U. Kumar, and M. Venable. A method for detecting obfuscated calls in malicious binaries. IEEE Transactions on Software Engineering, 31(11):955-968, 2005.

Digital Library

Google Scholar

[25]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proc. ACM Conference on Programming Language Design and Implementation (PLDI), pages 190-200, Chicago, IL, June 2005.

Digital Library

Google Scholar

[26]

A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Security and Privacy, 2007. SP'07. IEEE Symposium on, pages 231-245. IEEE, 2007.

Digital Library

Google Scholar

[27]

A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proc. IEEE Symposium on Security and Privacy, pages 231-245, 2007.

Digital Library

Google Scholar

[28]

S. Nanda, W. Li, L. Lam, and T. Chiueh. BIRD: Binary interpretation using runtime disassembly. In Proc. International Symposium on Code Generation and Optimization (CGO), 2006.

Digital Library

Google Scholar

[29]

J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.

Google Scholar

[30]

Oreans Technologies. Code virtualizer: Total obfuscation against reverse engineering. www.oreans.com/codevirtualizer.php.

Google Scholar

[31]

Oreans Technologies. Themida: Advanced windows software protection system. www.oreans.com/themida.php.

Google Scholar

[32]

G. Sarwar, O. Mehani, R. Boreli, and D. Kaafar. On the effectiveness of dynamic taint analysis for protecting against private information leaks on android-based devices. In 10th International Conference on Security and Cryptography (SECRYPT), 2013.

Google Scholar

[33]

E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In IEEE Symposium on Security and Privacy, pages 317-331, 2010.

Digital Library

Google Scholar

[34]

K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. In Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 263-272, Sept. 2005.

Digital Library

Google Scholar

[35]

M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Proc. 2009 IEEE Symposium on Security and Privacy, May 2009.

Digital Library

Google Scholar

[36]

M. I. Sharif, A. Lanzi, J. T. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proc. 15th Network and Distributed System Security Symposium (NDSS), Feb. 2008.

Google Scholar

[37]

D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In Proc. of the 4th International Conference on Information Systems Security, Dec. 2008.

Digital Library

Google Scholar

[38]

StrongBit Technology. EXECryptor -bulletproof software protection. www.strongbit.com/execryptor.asp.

Google Scholar

[39]

Tora. Devirtualizing FinSpy. http://linuxch.org/poc2012/Tora,DevirtualizingFinSpy.pdf.

Google Scholar

[40]

S. K. Udupa, S. K. Debray, and M. Madou. Deobfuscation: Reverse engineering obfuscated code. In Proc. 12th IEEE Working Conference on Reverse Engineering, pages 45-54, Nov. 2005.

Digital Library

Google Scholar

[41]

VMProtect Software. VMProtect -New-generation software protection. www.vmprotect.ru/

Google Scholar

[42]

VX Heavens. Vx heavens, 2011. http://vx.netlux.org/

Google Scholar

[43]

Z. Wang, J. Ming, C. Jia, and D. Gao. Linear obfuscation to combat symbolic execution. In Computer Security-ESORICS 2011, pages 210-226. Springer, 2011.

Digital Library

Google Scholar

[44]

Wei Ming Khoo. Taintgrind: a Valgrind taint analysis tool. https://github.com/wmkhoo/taintgrind.

Google Scholar

[45]

W. Xu, S. Bhatkar, and R. Sekar. Practical dynamic taint analysis for countering input validation attacks on web applications. Technical report, Technical Report SECLAB-05-04, Department of Computer Science, Stony Brook University, 2005.

Google Scholar

[46]

B. Yadegari, B. Johannesmeyer, B. Whitely, and S. Debray. A generic approach to automatic deobfuscation of executable code. In IEEE Symposium on Security and Privacy (S&P). IEEE, 2015.

Digital Library

Google Scholar

[47]

H. Yin and D. Song. Analysis of trigger conditions and hidden behaviors. In Automatic Malware Analysis, SpringerBriefs in Computer Science, pages 59-67. 2013.

Crossref

Google Scholar

Cited By

View all

Jin HLee JYang SKim KLee D(2024)A Framework to Quantify the Quality of Source Code ObfuscationApplied Sciences10.3390/app1412505614:12(5056)Online publication date: 10-Jun-2024
https://doi.org/10.3390/app14125056
Zhou AHu YXu XZhang C(2024) ARCTURUS: Full Coverage Binary Similarity Analysis with Reachability-guided EmulationACM Transactions on Software Engineering and Methodology10.1145/364033733:4(1-31)Online publication date: 11-Jan-2024
https://dl.acm.org/doi/10.1145/3640337
Borisov PKosolapov Y(2023)On the Characteristics of Symbolic Execution in the Problem of Assessing the Quality of Obfuscating TransformationsAutomatic Control and Computer Sciences10.3103/S014641162207001X56:7(595-605)Online publication date: 19-Feb-2023
https://doi.org/10.3103/S014641162207001X
Show More Cited By

Index Terms

Symbolic Execution of Obfuscated Code

Recommendations

Linear obfuscation to combat symbolic execution
ESORICS'11: Proceedings of the 16th European conference on Research in computer security

Trigger-based code (malicious in many cases, but not necessarily) only executes when specific inputs are received. Symbolic execution has been one of the most powerful techniques in discovering such malicious code and analyzing the trigger condition. We ...
Metadata recovery from obfuscated programs using machine learning
SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering

Obfuscation is a mechanism used to hinder reverse engineering of programs. To cope with the large number of obfuscated programs, especially malware, reverse engineers automate the process of deobfuscation i.e. extracting information from obfuscated ...
DoSE: Deobfuscation based on Semantic Equivalence
SSPREW-8: Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop

Software deobfuscation is a key challenge in malware analysis to understand the internal logic of the code and establish adequate countermeasures. In order to defeat recent obfuscation techniques, state-of-the-art generic deobfuscation methodologies are ...

Comments

Information & Contributors

Information

Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

54
Total Citations
View Citations
1,062
Total Downloads

Downloads (Last 12 months)82
Downloads (Last 6 weeks)3

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Jin HLee JYang SKim KLee D(2024)A Framework to Quantify the Quality of Source Code ObfuscationApplied Sciences10.3390/app1412505614:12(5056)Online publication date: 10-Jun-2024
https://doi.org/10.3390/app14125056
Zhou AHu YXu XZhang C(2024) ARCTURUS: Full Coverage Binary Similarity Analysis with Reachability-guided EmulationACM Transactions on Software Engineering and Methodology10.1145/364033733:4(1-31)Online publication date: 11-Jan-2024
https://dl.acm.org/doi/10.1145/3640337
Borisov PKosolapov Y(2023)On the Characteristics of Symbolic Execution in the Problem of Assessing the Quality of Obfuscating TransformationsAutomatic Control and Computer Sciences10.3103/S014641162207001X56:7(595-605)Online publication date: 19-Feb-2023
https://doi.org/10.3103/S014641162207001X
Li SMing JQiu PChen QLiu LBao HWang QJia CMeng WJensen CCremers CKirda E(2023)PackGenome: Automatically Generating Robust YARA Rules for Accurate Malware Packer DetectionProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616625(3078-3092)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616625
Jung CKim DChen AWang WZheng YLee KKwon YDwyer MDamian DZeller A(2022)Hiding critical program components via ambiguous translationProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510139(1120-1132)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510003.3510139
Filho ARodríguez RFeitosa E(2022)Evasion and Countermeasures Techniques to Detect Dynamic Binary Instrumentation FrameworksDigital Threats: Research and Practice10.1145/34804633:2(1-28)Online publication date: 8-Feb-2022
https://dl.acm.org/doi/10.1145/3480463
Wang HWang SXu DZhang XLiu X(2022)Generating Effective Software Obfuscation Sequences With Reinforcement LearningIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.304165519:3(1900-1917)Online publication date: 1-May-2022
https://doi.org/10.1109/TDSC.2020.3041655
Ruaro NPagani FOrtolani SKruegel CVigna G(2022)SYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833765(1066-1081)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833765
Zeng YPeng JZhao ZSong ZZhu HSun L(2022)SIFOL: Solving Implicit Flows in Loops for Concolic Execution2022 IEEE International Performance, Computing, and Communications Conference (IPCCC)10.1109/IPCCC55026.2022.9894348(290-297)Online publication date: 11-Nov-2022
https://doi.org/10.1109/IPCCC55026.2022.9894348
Lyles SDesantis MDonaldson JGallegos MNyholm HTaylor CMonteith K(2022)Machine Learning Analysis of Memory Images for Process Characterization and Malware Detection2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)10.1109/DSN-W54100.2022.00035(162-169)Online publication date: Jun-2022
https://doi.org/10.1109/DSN-W54100.2022.00035
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Linear obfuscation to combat symbolic execution

Metadata recovery from obfuscated programs using machine learning

DoSE: Deobfuscation based on Semantic Equivalence

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

References

Cited By

Index Terms

Recommendations

Linear obfuscation to combat symbolic execution

Metadata recovery from obfuscated programs using machine learning

DoSE: Deobfuscation based on Semantic Equivalence

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations