Abstract

Obfuscation is used to protect programs from analysis and reverse engineering. There are theoretically effective and resistant obfuscation methods, but most of them are not implemented in practice yet. The main reasons are large overhead for the execution of obfuscated code and the limitation of application only to a specific class of programs. On the other hand, a large number of obfuscation methods have been developed that are applied in practice. The existing approaches to the assessment of such obfuscation methods are based mainly on the static characteristics of programs. Therefore, the comprehensive (taking into account the dynamic characteristics of programs) justification of their effectiveness and resistance is a relevant task. It seems that such a justification can be made using machine learning methods, based on feature vectors that describe both static and dynamic characteristics of programs. In this paper, it is proposed to build such a vector on the basis of characteristics of two compared programs: the original and obfuscated, original and deobfuscated, obfuscated and deobfuscated. In order to obtain the dynamic characteristics of the program, a scheme based on a symbolic execution is constructed and presented in this paper. The choice of the symbolic execution is justified by the fact that such characteristics can describe the difficulty of comprehension of the program in dynamic analysis. The paper proposes two implementations of the scheme: extended and simplified. The extended scheme is closer to the process of analyzing a program by an analyst, since it includes the steps of disassembly and translation into intermediate code, while in the simplified scheme these steps are excluded. In order to identify the characteristics of symbolic execution that are suitable for assessing the effectiveness and resistance of obfuscation based on machine learning methods, experiments with the developed schemes were carried out. 
Based on the obtained results, a set of suitable characteristics is determined.

Highlights

  • Obfuscation is used to protect programs from analysis and reverse engineering. There are theoretically effective and resistant obfuscation methods, but most of them are not implemented in practice yet. The main reasons are large overhead for the execution of obfuscated code and the limitation of application only to a specific class of programs

  • A large number of obfuscation methods have been developed that are applied in practice. The existing approaches to the assessment of such obfuscation methods are based mainly on the static characteristics of programs. Therefore, the comprehensive justification of their effectiveness and resistance is a relevant task

  • It seems that such a justification can be made using machine learning methods, based on feature vectors that describe both static and dynamic characteristics of programs


Summary

Known approaches to assessing obfuscating transformations

One of the first methods for the comprehensive assessment of obfuscating transformations was proposed by K. The effectiveness of obfuscation is determined using program quality metrics from software engineering, such as program length, cyclomatic complexity, flow complexity and data structure complexity, as well as other metrics. It seems that this indicator can be used to assess the effectiveness of obfuscating transformations, since such transformations can affect the entropy of the program code (either decreasing or increasing it). A different approach is proposed in [6]: the quality of source code obfuscation is assessed by Kolmogorov complexity. It has been established experimentally that the lower the similarity between the source code and the decompiled code, the higher the Kolmogorov complexity of the obfuscated program. An experimental approach to assessing the resistance of obfuscating transformations is described in [8]. But this method is not suitable for automatic analysis of obfuscation resistance. Nevertheless, in [13] symbolic execution is used as a method of analysis, without considering its applicability to the tasks of assessing the effectiveness and resistance of obfuscation

Schemes for obtaining characteristics
Experimental acquisition of symbolic execution characteristics
Characteristics of symbolic execution
Experimental results
