Symbolic execution of obfuscated code

Babak Yadegari, Saumya K Debray

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Citations (Scopus)

Abstract

Symbolic and concolic execution find important applications in a number of security-related program analyses, including analysis of malicious code. However, malicious code tends to very often be obfuscated, and current concolic analysis techniques have trouble dealing with some of these obfuscations, leading to imprecision and/or excessive resource usage. This paper discusses three such obfuscations: two of these are already found in obfuscation tools used by malware, while the third is a simple variation on an existing obfuscation technique. We show empirically that existing symbolic analyses are not robust against such obfuscations, and propose ways in which the problems can be mitigated using a combination of fine-grained bit-level taint analysis and architecture-aware constraint generations. Experimental results indicate that our approach is effective in allowing symbolic and concolic execution to handle such obfuscations.

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 732-744
Number of pages: 13
Volume: 2015-October
ISBN (Print): 9781450338325
DOI: https://doi.org/10.1145/2810103.2813663
State: Published - Oct 12 2015
Event: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: Oct 12 2015 - Oct 16 2015

Other

Other: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country: United States
City: Denver
Period: 10/12/15 - 10/16/15

Fingerprint

Malware

Keywords

  • Obfuscation
  • Reverse engineering
  • Symbolic execution
  • Taint analysis

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Yadegari, B., & Debray, S. K. (2015). Symbolic execution of obfuscated code. In Proceedings of the ACM Conference on Computer and Communications Security (Vol. 2015-October, pp. 732-744). Association for Computing Machinery. https://doi.org/10.1145/2810103.2813663
