Abstract
Many software vendors use data obfuscation to make it hard for reverse engineers to recover the layout, value and meaning of the variables in a program. The research question in this paper is whether the state-of-the-art data obfuscations techniques are good enough. For this purpose, we evaluate two of the most popular data obfuscation methods: (1) splitting a single variable over multiple memory location, (2) splitting and merging two variables over multiple memory locations. While completely automated and flawless recovery of obfuscated variables is not yet possible, the outcome of our research is that the obfuscations are very vulnerable to reversing by means of automated analysis. We were able to deobfuscate the obfuscated variables in real world programs with false positive rates below 5%, and false negative rates typically below 10%.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Codevirtualizer: Total obfuscations against reverse engineering (2008), http://oreans.com/codevirtualizer.php
Anckaert, B., Madou, M., De Sutter, B., De Bus, B., De Bosschere, K., Preneel, B.: Program obfuscation: a quantitative approach. In: Proc. of the 2007 ACM Workshop on Quality of Protection, QoP 2007 (2007)
Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. In: Proc. of the 6th ACM Conference on Computer and Communications Security (1999)
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
Ceccato, M., Di Penta, M., Nagra, J., Falcarin, P., Ricca, F., Torchiano, M., Tonella, P.: Towards experimental evaluation of code obfuscation techniques. In: Proc. of the 4th ACM Workshop on Quality of Protection (2008)
Chipounov, V., Kuznetsov, V., Candea, G.: S2E: A platform for in vivo multi-path analysis of software systems. In: 16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS (2011)
Chow, S., Gu, Y., Johnson, H., Zakharov, V.A.: An approach to the obfuscation of control-flow of sequential computer programs. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 144–155. Springer, Heidelberg (2001)
Collberg, C., Carter, E., Debray, S., Huntwork, A., Kececioglu, J., Linn, C., Stepp, M.: Dynamic path-based software watermarking. In: Proc. of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, PLDI 2004 (2004)
Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (2009)
Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical report, Department of Computer Sciences, The University of Auckland, Auckland, New Zealand (1997)
Collberg, C., Thomborson, C., Low, D.: Breaking Abstractions and Unstructuring Data Structures. In: Proc. of IEEE International Conference on Computer Languages, ICCL 1998 (1998)
Collberg, C., Thomborson, C., Low, D.: Obfuscation techniques for enhancing software security (2003)
Coogan, K., Lu, G., Debray, S.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: Proc. of the 18th ACM Conference on Computer and Communications Security, CCS 2011 (2011)
Preda, M.D., Madou, M., De Bosschere, K., Giacobazzi, R.: Opaque predicates detection by abstract interpretation. In: Johnson, M., Vene, V. (eds.) AMAST 2006. LNCS, vol. 4019, pp. 81–95. Springer, Heidelberg (2006)
Ding, C., Kennedy, K.: Inter-array Data Regrouping. In: Carter, L., Ferrante, J. (eds.) LCPC 1999. LNCS, vol. 1863, pp. 149–163. Springer, Heidelberg (2000)
Ding, C., Zhong, Y.: Predicting whole-program locality through reuse distance analysis. In: Proc. of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation, PLDI 2003 (2003)
Guillot, Y., Gazet, A.: Automatic binary deobfuscation. Journal in Computer Virology (2010)
Intel. Pin - A Dynamic Binary Instrumentation Tool (2011), http://www.pintool.org/
Irdeto. Application security, http://irdeto.com/en/application-security.html
Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: libdft: Practical Dynamic Data Flow Tracking for Commodity Systems. In: Proc. of the 8th Annual International Conference on Virtual Execution Environments, VEE 2012 (2012)
Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: Proc. of the 13th Conference on USENIX Security Symposium, SSYM 2004(2004)
Lakhotia, A., Uday, E.: Stack shape analysis to detect obfuscated calls in binaries. In: Proc. of 4th IEEE International Workshop on Source Code Analysis and Manipulation (2004)
Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: Proc. of the 10th ACM Conference on Computer and Communications Security, CCS 2003 (2003)
Madou, M., Anckaert, B., De Sutter, B., De Bosschere, K.: Hybrid static-dynamic attacks against software protection mechanisms. In: Proc. of the 5th ACM Workshop on Digital Rights Management, DRM 2005 (2005)
Majumdar, A., Drape, S.J., Thomborson, C.D.: Slicing obfuscations: design, correctness, and evaluation. In: In Proc. of the 2007 ACM workshop on Digital Rights Management, DRM 2007 (2007)
Morpher. Software protection service, http://www.morpher.com/
Saidi, H., Porrass, P., Yegneswaran, V.: Experiences in malware binary deobfuscation. In: The 20th Virus Bulletin International Conference (2010)
Semantic Designs. C source code obfuscator, http://www.semdesigns.com/products/obfuscators/CObfuscator.html
Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: Proc. of the 2009 30th IEEE Symposium on Security and Privacy (2009)
Slowinska, A., Stancescu, T., Bos, H.: Howard: a dynamic excavator for reverse engineering data structures. In: Proc. of the 18th Annual Network & Distributed System Security Symposium, NDSS 2011 (2011)
SourceFormatX. Codemorph source code obfuscator, http://www.sourceformat.com/code-obfuscator.htm
Stunnix, http://stunnix.com/
Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: Reverse engineering obfuscated code. In: Proc. of the 12th Working Conference on Reverse Engineering, WCRE 2005 (2005)
Wang, C., Hill, J., Knight, J.C., Davidson, J.W.: Protection of software-based survivability mechanisms. In: Proc. of the 2001 International Conference on Dependable Systems and Networks, DSN 2001 (2001)
Wheeler, D.A.: Sloccount, http://www.dwheeler.com/sloccount/
Wu, Z., Gianvecchio, S., Xie, M., Wang, H.: Mimimorphism: a new approach to binary code obfuscation. In: Proc. of the 17th ACM Conference on Computer and Communications Security, CCS 2010 (2010)
Zhong, Y., Orlovich, M., Shen, X., Ding, C.: Array regrouping and structure splitting using whole-program reference affinity. In: Proc. of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, PLDI 2004(2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Slowinska, A., Haller, I., Bacs, A., Baranga, S., Bos, H. (2014). Data Structure Archaeology: Scrape Away the Dirt and Glue Back the Pieces!. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-08509-8_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08508-1
Online ISBN: 978-3-319-08509-8
eBook Packages: Computer ScienceComputer Science (R0)