VODKA: Virtualization Obfuscation Using Dynamic Key Approach
Virtualization obfuscation is known to offer excellent security among software protection techniques. However, research has shown that virtualization obfuscation can be analyzed by automated analysis tools, because the methodology for deobfuscating it is fixed. In response, additional techniques for protecting the virtualization structure have been studied to supplement the protection strength of virtualization obfuscation. However, most of the proposed protection schemes require a special assumption or significantly increase the overhead of the program to be protected.
In this paper, we propose a method for delaying analysis of a lightweight virtualization structure that does not require a strong assumption. To that end, we propose a new virtual code protection scheme that combines an anti-analysis technique with a dynamic key, and explain its mechanism. The scheme causes correspondence ambiguity between the virtual code and the handler code, and thereby delays analysis. In addition, we show the results of debugging or dynamic instrumentation experiments when the additional anti-analysis technique is applied.
Keywords: Virtualization obfuscation, Dynamic key, Anti-analysis, Software protection
This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).