
Zero Footprint Opaque Predicates: Synthesizing Opaque Predicates from Naturally Occurring Invariants

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12756)

Abstract

A popular control-flow obfuscation approach used to protect software is inserting opaque predicates. However, recent research has questioned their usefulness after showing that simple heuristic attacks detect them effectively. In this paper, we introduce a novel approach to constructing opaque predicates that resists both heuristic attacks and automated attacks by making the opaque predicates syntactically and semantically resemble real predicates.

Our approach uses abstract interpretation to infer the value set of each variable. From each value set, we synthesize an opaque predicate that 1) evaluates to the same truth value for every item in that value set and 2) shares the common syntactic features of real predicates.

Our opaque predicates syntactically resemble real predicates because they share real predicates' common syntactic features, and their invariants occur naturally because they are inferred from the program's semantics. Previous approaches to constructing opaque predicates are susceptible to heuristic attacks because they rely on synthetic invariants, which can inadvertently introduce unnatural code.

Our opaque predicates semantically resemble real predicates because the naturally occurring invariants they use are based on value sets: like the variables of real predicates, the variables in our opaque predicates can take on different values at runtime. Our evaluation shows promising results against automated attacks: the current state-of-the-art deobfuscation technique, dynamic symbolic execution, detects only 41% of our opaque predicates.
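To make the two steps of the abstract concrete (infer value sets, then synthesize a predicate that is constant over each set), the following is an added example written for this page; it is not the authors' tool and reproduces none of their code. It assumes a finite-set abstract domain, a tiny three-operator expression language, a branch whose condition is unknown to the analysis, and four predicate templates; all of these are assumptions, and the paper's real abstract domain, templates and syntactic-feature model are not on this page. It also shows the two checks a practitioner would want: a variable the analysis cannot bound (`TOP`) yields no predicate at all, and every candidate is re-verified against its value set before use, because an unsound value set would turn the "opaque" predicate into a live branch and change program behaviour.

```python
"""Toy value-set analysis plus opaque-predicate synthesis (added example)."""
from itertools import product

TOP = None      # the analysis could not bound the variable (e.g. it is input-dependent)
MAX_SET = 64    # cap on value-set size; a crude stand-in for widening

# Expression trees: ("const", n) | ("var", name) | ("input",) | (op, lhs, rhs)
OPS = {
    "add": lambda a, b: a + b,
    "mul": lambda a, b: a * b,
    "and": lambda a, b: a & b,
}


def eval_abs(expr, env):
    """Evaluate an expression over value sets (frozenset of ints) or TOP."""
    kind = expr[0]
    if kind == "const":
        return frozenset([expr[1]])
    if kind == "var":
        return env.get(expr[1], TOP)
    if kind == "input":
        return TOP
    lhs, rhs = eval_abs(expr[1], env), eval_abs(expr[2], env)
    if lhs is TOP or rhs is TOP:
        return TOP
    out = frozenset(OPS[kind](x, y) for x, y in product(lhs, rhs))
    return out if len(out) <= MAX_SET else TOP


def join(env_a, env_b):
    """Merge two abstract environments at a control-flow join: set union, TOP absorbs."""
    merged = {}
    for name in set(env_a) | set(env_b):
        a, b = env_a.get(name, TOP), env_b.get(name, TOP)
        merged[name] = TOP if a is TOP or b is TOP else a | b
    return merged


def analyze(stmts, env=None):
    """Abstract interpretation of a statement list. Statements are
    ("assign", name, expr) or ("branch", then_stmts, else_stmts) with an unknown condition."""
    env = dict(env or {})
    for stmt in stmts:
        if stmt[0] == "assign":
            env[stmt[1]] = eval_abs(stmt[2], env)
        else:
            env = join(analyze(stmt[1], env), analyze(stmt[2], env))
    return env


# Predicate shapes that look like ordinary source-level conditions (assumed set).
TEMPLATES = [
    ("{v} < {c}",        lambda x, c: x < c),
    ("{v} == {c}",       lambda x, c: x == c),
    ("{v} % {c} == 0",   lambda x, c: x % c == 0),
    ("({v} & {c}) != 0", lambda x, c: (x & c) != 0),
]


def candidate_constants(vs):
    """Constants drawn from the value set's neighbourhood plus a few 'natural' ones."""
    cs = {2, 4, 8, 16}
    for x in vs:
        cs.update((x - 1, x, x + 1))
    return sorted(c for c in cs if c > 0)      # keeps the modulus non-zero


def synthesize(env):
    """For each bounded variable, list predicates that take one truth value on the
    whole value set. Returns {var: [(predicate_text, constant_truth_value), ...]}."""
    found = {}
    for name, vs in env.items():
        if vs is TOP:
            continue                            # no invariant available here
        preds = []
        for fmt, fn in TEMPLATES:
            for c in candidate_constants(vs):
                truths = {fn(x, c) for x in vs}
                if len(truths) == 1:
                    preds.append((fmt.format(v=name, c=c), truths.pop()))
        found[name] = preds
    return found


def is_opaque(pred_fn, vs):
    """Re-check a predicate against the value set before inserting it."""
    return vs is not TOP and len({pred_fn(x) for x in vs}) == 1


# Constructed toy program; the branch condition is unknown to the analysis.
PROGRAM = [
    ("assign", "x", ("const", 3)),
    ("branch",
     [("assign", "y", ("add", ("var", "x"), ("const", 1)))],
     [("assign", "y", ("mul", ("var", "x"), ("const", 2)))]),
    ("assign", "w", ("add", ("var", "y"), ("const", 10))),
    ("assign", "n", ("input",)),
    ("assign", "m", ("add", ("var", "n"), ("const", 1))),
]

if __name__ == "__main__":
    env = analyze(PROGRAM)
    for name, preds in synthesize(env).items():
        for text, truth in preds:
            print(f"{name}: if ({text})  // always {truth}")
```

Running it yields, for `y` (value set {4, 6}), predicates such as `y < 7`, `y % 2 == 0` and `(y & 4) != 0`, all constantly true, while `y < 5` is rejected because it splits the set; `n` and `m` get nothing because they depend on input. The 41% figure quoted above is about the paper's real system under dynamic symbolic execution, which this toy does not attempt to reproduce.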


Notes

  1. https://github.com/yellowbyte/zero-footprint-opaque-predicates.
  2. https://ftp.gnu.org/gnu/coreutils/coreutils-8.32.tar.gz.
  3. https://www.sqlite.org/2020/sqlite-amalgamation-3330000.zip.
  4. https://nginx.org/download/nginx-1.18.0.tar.gz.
  5. https://www.bennewitz.com/bluefish/stable/source/bluefish-2.2.11.tar.gz.
  6. https://git.frama-c.com/pub/open-source-case-studies.


Acknowledgments

This research was supported by a generous gift from the Herman P. & Sophia Taubman Foundation. We would also like to thank the anonymous reviewers for their helpful comments and our shepherd, Sam L. Thomas, for guiding us through the revision process.

Author information

Corresponding author: Yu-Jye Tung.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Tung, Y.-J., Harris, I.G. (2021). Zero Footprint Opaque Predicates: Synthesizing Opaque Predicates from Naturally Occurring Invariants. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer Science (R0)
