
Where is the Virtual Machine Within Cpython?

  • Conference paper
  • Foundations and Practice of Security (FPS 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13877)

Abstract

It is known that code interpreters (also known as virtual machines (VMs)) may be used for binary code obfuscation. For instance, this is the underlying technique on which the packer VMProtect is based. Our long-term objective is to attack such obfuscations. Here, we concentrate on identifying the implementation of the VM. It is quite standard to assume that a VM is implemented through a single fetch and a single dispatch mechanism, see for instance [SBP18]. In practice, however, such a hypothesis is very restrictive: for instance, the standard implementation of Python does not fulfil it. We give a generic model of virtual machine implementation together with an experimental validation.


Notes

  1. The standard application used to run Python programs. Python programs can also be run by other implementations, such as PyPy, but that one is not based on an interpreter.

  2. At least intentionally.

  3. For threaded interpreters, such as CPython when compiled with the --with-computed-gotos flag.

  4. Here meaning that there is a syntax.

  5. Actually given by the Operating System.

  6. In practice, the source code of CPython implements both forms of interpreters: https://github.com/python/cpython/blob/main/Python/ceval.c.

  7. For instance, a virtual program such that, for every instruction, the next instruction to be executed is located at the address of the current virtual instruction + \(\varDelta \).

  8. https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-dynamic-binary-instrumentation-tool.html.

  9. In practice, once a first group of dispatches has been extracted using the following method, we use the assumption that the interpreter lies within a single function in order to add the dispatches that are followed by only one instruction.

  10. See for instance https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/.

  11. Total detected - Correctly detected.
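The abstract contrasts the usual "single fetch, single dispatch" model of a VM with threaded interpreters such as CPython built with --with-computed-gotos (note 3). The following C program, written for this page and not taken from the paper or from CPython, makes the difference concrete on a constructed toy stack machine: the same four-opcode bytecode is executed once by a loop with one fetch and one switch, and once by a threaded interpreter in which every handler ends with its own fetch and its own indirect jump. The opcodes, the sample programs and the function names are all assumptions of this example; the threaded form relies on the GCC/Clang "labels as values" extension.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Opcodes of a constructed toy stack machine (not CPython's bytecode). */
enum { OP_PUSH = 0, OP_ADD, OP_MUL, OP_HALT, OP_COUNT };
#define STACK_MAX 16

/* Form 1: the textbook loop. One fetch site and one dispatch site (the switch),
 * so every handler returns to the same two instructions. Returns the value on
 * top of the stack at HALT, or -1 for a malformed program. */
static int run_switch(const uint8_t *code, size_t len)
{
    int stack[STACK_MAX], sp = 0;
    size_t pc = 0;
    for (;;) {
        if (pc >= len) return -1;               /* ran off the end of the program */
        uint8_t op = code[pc++];                /* the single fetch */
        switch (op) {                           /* the single dispatch */
        case OP_PUSH:
            if (pc >= len || sp >= STACK_MAX) return -1;
            stack[sp++] = (int8_t)code[pc++];   /* one signed immediate byte */
            break;
        case OP_ADD:
            if (sp < 2) return -1;
            sp--; stack[sp - 1] += stack[sp];
            break;
        case OP_MUL:
            if (sp < 2) return -1;
            sp--; stack[sp - 1] *= stack[sp];
            break;
        case OP_HALT:
            return sp > 0 ? stack[sp - 1] : -1;
        default:
            return -1;                          /* unknown opcode */
        }
    }
}

/* Form 2: a threaded interpreter, the shape CPython selects with
 * --with-computed-gotos. Each handler ends with its own fetch and its own
 * indirect jump, so there are as many fetch/dispatch sites as opcodes.
 * DISPATCH() is that per-handler fetch plus jump. */
static int run_threaded(const uint8_t *code, size_t len)
{
    static const void *const table[OP_COUNT] = { &&L_push, &&L_add, &&L_mul, &&L_halt };
    int stack[STACK_MAX], sp = 0;
    size_t pc = 0;
    uint8_t op;
#define DISPATCH()                                   \
    do {                                             \
        if (pc >= len) return -1;                    \
        op = code[pc++];                             \
        if (op >= OP_COUNT) return -1;               \
        goto *table[op];                             \
    } while (0)

    DISPATCH();
L_push:
    if (pc >= len || sp >= STACK_MAX) return -1;
    stack[sp++] = (int8_t)code[pc++];
    DISPATCH();
L_add:
    if (sp < 2) return -1;
    sp--; stack[sp - 1] += stack[sp];
    DISPATCH();
L_mul:
    if (sp < 2) return -1;
    sp--; stack[sp - 1] *= stack[sp];
    DISPATCH();
L_halt:
    return sp > 0 ? stack[sp - 1] : -1;
#undef DISPATCH
}

/* Constructed sample program: (2 + 3) * 4 = 20. */
static const uint8_t SAMPLE[] = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PUSH, 4, OP_MUL, OP_HALT };
/* Constructed malformed program: ADD with only one operand on the stack. */
static const uint8_t MALFORMED[] = { OP_PUSH, 1, OP_ADD, OP_HALT };
/* Constructed program with an opcode outside the table. */
static const uint8_t UNKNOWN[] = { 9, OP_HALT };

int sample_switch(void)      { return run_switch(SAMPLE, sizeof SAMPLE); }
int sample_threaded(void)    { return run_threaded(SAMPLE, sizeof SAMPLE); }
int malformed_switch(void)   { return run_switch(MALFORMED, sizeof MALFORMED); }
int malformed_threaded(void) { return run_threaded(MALFORMED, sizeof MALFORMED); }
int unknown_switch(void)     { return run_switch(UNKNOWN, sizeof UNKNOWN); }
int unknown_threaded(void)   { return run_threaded(UNKNOWN, sizeof UNKNOWN); }

int main(void)
{
    printf("switch: %d, threaded: %d\n", sample_switch(), sample_threaded());
    return 0;
}
```

Both interpreters compute the same results, which is the point: a detection method that looks for exactly one fetch and one dispatch site finds the first form and misses the second, even though the virtual program and its semantics are identical. The bounds checks on `pc`, `sp` and `op` are what keep a malformed or truncated virtual program from reading outside the bytecode or the stack in either form.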

References

  • Blazytko, T.: Analysis of virtualization-based obfuscation. In: r2con2021 - witchcraft edition (2021)

  • Bouverot, M.: Shallow description of the python virtual machine

  • Dang, B., Gazet, A., Bachaalany, E., Josse, S.: Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation. Wiley, Hoboken (2014)

  • Ignatiev, A., Morgado, A., Marques-Silva, J.: PySAT: a python toolkit for prototyping with SAT oracles. In: Beyersdorff, O., Wintersteiger, C.M. (eds.) SAT 2018. LNCS, vol. 10929, pp. 428–437. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-94144-8_26

  • Jones, N.: Computability and Complexity: From a Programming Perspective. The MIT Press, Cambridge (1997)

  • Kalysch, A., Götzfried, J., Müller, T.: VMAttack: deobfuscating virtualization-based packed binaries. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES 2017, New York, NY, USA. Association for Computing Machinery (2017)

  • Liang, M., Li, Z., Zeng, Q., Fang, Z.: Deobfuscation of virtualization-obfuscated code through symbolic execution and compilation optimization. In: Qing, S., Mitchell, C., Chen, L., Liu, D. (eds.) ICICS 2017. LNCS, vol. 10631, pp. 313–324. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89500-0_28

  • Salwan, J., Bardin, S., Potet, M.-L.: Symbolic deobfuscation: from virtualized code back to the original. In: Giuffrida, C., Bardin, S., Blanc, G. (eds.) DIMVA 2018. LNCS, vol. 10885, pp. 372–392. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93411-2_17

  • Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 94–109 (2009)

Acknowledgments

The authors would like to thank the ORION program for its contribution to the funding of A. Ithayakumar’s research internship. This work has benefited from a government grant managed by the Agence Nationale de la Recherche with the reference ANR-20-SFRI-0009.

Author information

Correspondence to Anuyan Ithayakumar.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Bonfante, G., Ithayakumar, A. (2023). Where is the Virtual Machine Within Cpython?. In: Jourdan, GV., Mounier, L., Adams, C., Sèdes, F., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2022. Lecture Notes in Computer Science, vol 13877. Springer, Cham. https://doi.org/10.1007/978-3-031-30122-3_11


  • DOI: https://doi.org/10.1007/978-3-031-30122-3_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30121-6

  • Online ISBN: 978-3-031-30122-3
