DOI: 10.1145/3560831.3564258 (ACM conference proceedings, CCS; short paper)

Program Synthesis-based Simplification of MBA Obfuscated Malware with Restart Strategies

Published: 07 November 2022

Abstract

Program obfuscation is one of the most frequently used methods for making malware hard to analyze. Among the various obfuscation techniques, Mixed Boolean-Arithmetic (MBA) obfuscation, which mixes arithmetic and Boolean operations within a single expression, is often considered hard to undo. Recently, program-synthesis-based methods have emerged to simplify MBA-obfuscated expressions. Despite promising results, they still have limitations. Recent work in superoptimization shows that stochastic synthesis is generally sped up by a proper restart strategy. We adopt this principle to improve the performance of existing synthesis-based simplifiers. Experimental results show an improved rate of correct answers and better length reduction.
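To make the mechanism in the abstract concrete, here is an added example that is not the paper's code or artifact: a toy stochastic synthesizer that treats an MBA-obfuscated expression as a black box, samples its input/output behaviour, and searches a small expression grammar for a strictly shorter expression that agrees on every sample, restarting the search on the Luby schedule. The 32-bit word size, the two-variable grammar, the search parameters, and the constructed input (x ^ y) + 2 * (x & y), a standard MBA rewrite of x + y, are all assumptions of this example; the paper's own synthesizer and restart policy are not described on this page.

```python
import random

MASK = 0xFFFFFFFF            # assumption: 32-bit machine words
VARS = ("x", "y")
OPS = {"+": lambda a, b: (a + b) & MASK, "-": lambda a, b: (a - b) & MASK,
       "*": lambda a, b: (a * b) & MASK, "&": lambda a, b: a & b,
       "|": lambda a, b: a | b, "^": lambda a, b: a ^ b}

# AST: ("var", name) | ("const", v) | ("not", e) | ("op", sym, left, right)
# Constructed input: the classic MBA rewrite of x + y as (x ^ y) + 2 * (x & y).
OBFUSCATED = ("op", "+",
              ("op", "^", ("var", "x"), ("var", "y")),
              ("op", "*", ("const", 2), ("op", "&", ("var", "x"), ("var", "y"))))

def evaluate(e, env):
    """Evaluate an AST under a variable binding with 32-bit wraparound."""
    if e[0] == "var": return env[e[1]]
    if e[0] == "const": return e[1] & MASK
    if e[0] == "not": return ~evaluate(e[1], env) & MASK
    return OPS[e[1]](evaluate(e[2], env), evaluate(e[3], env))

def size(e):
    """Node count; the search only accepts strictly smaller candidates."""
    return 1 + sum(size(c) for c in e[1:] if isinstance(c, tuple))

def show(e):
    if e[0] in ("var", "const"): return str(e[1])
    if e[0] == "not": return "~" + show(e[1])
    return "(%s %s %s)" % (show(e[2]), e[1], show(e[3]))

def random_expr(rng, depth):
    """Draw a random expression over the grammar; leaves favour variables."""
    if depth == 0 or rng.random() < 0.4:
        return ("var", rng.choice(VARS)) if rng.random() < 0.8 else ("const", rng.choice((0, 1, 2)))
    if rng.random() < 0.1:
        return ("not", random_expr(rng, depth - 1))
    return ("op", rng.choice(tuple(OPS)), random_expr(rng, depth - 1), random_expr(rng, depth - 1))

def subtree_paths(e, path=()):
    yield path
    for i, c in enumerate(e):
        if isinstance(c, tuple):
            yield from subtree_paths(c, path + (i,))

def replace_at(e, path, new):
    if not path:
        return new
    parts = list(e)
    parts[path[0]] = replace_at(e[path[0]], path[1:], new)
    return tuple(parts)

def mutate(rng, e):
    """Swap one random subtree for a fresh random (usually small) one."""
    path = rng.choice(list(subtree_paths(e)))
    return replace_at(e, path, random_expr(rng, rng.randint(0, 2)))

def luby(i):
    """Luby-Sinclair-Zuckerman sequence: 1,1,2,1,1,2,4,1,1,2,1,1,2,4,8,..."""
    k = 1
    while (1 << k) - 1 < i:
        k += 1
    if (1 << k) - 1 == i:
        return 1 << (k - 1)
    return luby(i - (1 << (k - 1)) + 1)

def sample_oracle(obf, rng, n=32):
    """Treat the obfuscated expression as a black box and record I/O samples."""
    envs = [{"x": 0, "y": 0}, {"x": MASK, "y": MASK}, {"x": 1, "y": MASK}]
    envs += [{"x": rng.getrandbits(32), "y": rng.getrandbits(32)} for _ in range(n)]
    return [(env, evaluate(obf, env)) for env in envs]

def synthesize(oracle, target_size, rng, base_budget=300, max_restarts=60, schedule=luby):
    """Stochastic local search; restart r gets base_budget * schedule(r) steps.
    Returns (expr, restarts_used), or (None, max_restarts) on failure."""
    goal = len(oracle)
    def score(e):
        if size(e) >= target_size:          # not a simplification at all
            return -1
        return sum(evaluate(e, env) == want for env, want in oracle)
    for r in range(1, max_restarts + 1):
        cur = random_expr(rng, 3)           # fresh start point for this restart
        cur_score = score(cur)
        for _ in range(base_budget * schedule(r)):
            cand = mutate(rng, cur)
            cand_score = score(cand)
            if cand_score >= cur_score:     # sideways moves help leave plateaus
                cur, cur_score = cand, cand_score
            if cur_score == goal:
                return cur, r
    return None, max_restarts

def equivalent(a, b, seed=99, trials=200):
    """Random differential check only; an SMT solver should confirm the result."""
    rng = random.Random(seed)
    envs = ({"x": rng.getrandbits(32), "y": rng.getrandbits(32)} for _ in range(trials))
    return all(evaluate(a, env) == evaluate(b, env) for env in envs)

def simplify(obf=OBFUSCATED, seed=1):
    rng = random.Random(seed)
    return synthesize(sample_oracle(obf, rng), size(obf), rng)
```

Calling simplify() returns a shorter equivalent such as (x + y), printable with show(), together with the number of restarts consumed; passing schedule=lambda r: 1 to synthesize() gives fixed-size restarts for comparison. Agreement on the I/O samples is evidence, not proof: a candidate that matches every sample can still differ on unseen inputs, so a real pipeline should confirm the result with an SMT solver before replacing the obfuscated code.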


Cited By

  • (2024) Evaluation Methodologies in Software Protection Research. ACM Computing Surveys. DOI: 10.1145/3702314. Online publication date: 2 Nov 2024
  • (2023) Assessing Opaque Predicates: Unveiling the Efficacy of Popular Obfuscators with a Rapid Deobfuscator. 2023 30th Asia-Pacific Software Engineering Conference (APSEC), 651-652. DOI: 10.1109/APSEC60848.2023.00093. Online publication date: 4 Dec 2023


    Published In

    Checkmate '22: Proceedings of the 2022 ACM Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks
    November 2022
    34 pages
    ISBN: 9781450398817
    DOI: 10.1145/3560831
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. deobfuscation
    2. mba expressions
    3. restart strategies

    Qualifiers

    • Short-paper

    Funding Sources

    • Institute for Information and Communications Technology Planning and Evaluation (IITP)

    Conference

    CCS '22
