VODKA: Virtualization Obfuscation Using Dynamic Key Approach

  • Jae-Yung Lee
  • Jae Hyuk Suk
  • Dong Hoon Lee
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11402)

Abstract

The virtualization obfuscation technique is known to possess excellent security among software protection techniques. However, research has shown that virtualization obfuscation techniques can be analyzed by automated analysis tools because the methodology for deobfuscating virtualization obfuscation is fixed. In this situation, additional protection techniques for the virtualization structure have been studied to supplement the protection strength of virtualization obfuscation. However, most of the proposed protection schemes require a special assumption or significantly increase the overhead of the program to be protected.

In this paper, we propose an analysis-delaying method for a lightweight virtualization structure that does not require a strong assumption. To this end, we propose a new virtual code protection scheme combining an anti-analysis technique and a dynamic key, and explain its mechanism. This causes correspondence ambiguity between the virtual code and the handler code, thus causing analysis delay. In addition, we show the results of debugging or dynamic instrumentation experiments when the additional anti-analysis technique is applied.

Keywords

  • Virtualization obfuscation
  • Dynamic key
  • Anti-analysis
  • Software protection

Notes

Acknowledgement

This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Graduate School of Information Security, Korea University, Seoul, Korea
