Chosen-instruction attack against commercial code virtualization obfuscators

Code virtualization is a well-known, sophisticated obfuscation technique that uses custom virtual machines (VMs) to emulate the semantics of the original native instructions. Commercial VM-based obfuscators (e.g., Themida and VMProtect) are often abused by malware developers to conceal malicious behaviors. Since the internal mechanism of a commercial obfuscator is a black box, understanding the behavior of a virtualized program is a daunting challenge for the analyst. To figure out the code virtualization mechanism and design deobfuscation techniques, the analyst has to reverse-engineer large, highly obfuscated programs, a knowledge-learning process that is both costly and imprecise. In this project, we study how to automatically extract knowledge from a commercial VM-based obfuscator via a novel chosen-instruction attack (CIA) technique. Our idea is inspired by the chosen-plaintext attack, a cryptanalysis attack model in which the attacker submits plaintexts of their own choosing and uses the resulting ciphertexts to gain information that reduces the security of the encryption scheme. Given a commercial VM-based obfuscator, we carefully construct input programs, proactively interact with the obfuscator, and extract knowledge from the virtualized output programs. We propose using anchor instructions to efficiently locate knowledge-related instructions in the output programs, and a guided simplification technique to extract them. Our experimental results demonstrate that modern commercial VM-based obfuscators are vulnerable to CIA: we discovered 760 anchor instructions and extracted 1,915 verified instruction mapping rules from the four most widely used commercial obfuscators. The extracted knowledge enables security analysts to understand virtualized malware and improve deobfuscation techniques. We also contribute the first fine-grained benchmark suite for systematically evaluating deobfuscation techniques. The evaluation shows that three state-of-the-art deobfuscation techniques are insufficient to defeat modern commercial VM-based obfuscators and can be improved with our extracted knowledge.

Bibliographic Details
Main Authors: LI, Shijia; JIA, Chunfu; QIU, Pengda; CHEN, Qiyuan; MING, Jiang; GAO, Debin
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2022
Date: 2022-04-01
Subjects: Information Security; OS and Networks
Collection: Research Collection School Of Computing and Information Systems
Institution: Singapore Management University
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Online Access: https://ink.library.smu.edu.sg/sis_research/7354
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/8357/viewcontent/ndss_22.pdf
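To make the chosen-instruction idea concrete, the following is an added illustration and is not code from the paper or from any obfuscator vendor. A toy stack-machine obfuscator stands in for the commercial black box (it lowers each native instruction to a handler sequence and sprinkles in build-dependent dead junk); the attacker side then applies the CIA workflow described above: submit a program of the form [anchor, chosen target, anchor], locate the anchor's marker in the virtualized output, cut out the handlers in between, apply a simplification pass, and accept the mapping rule only if it is stable across builds and semantically equivalent to the native instruction. The handler set, the junk scheme, the anchor `mov ecx, 0x13371337`, the simplification rule and every function name (`virtualize`, `extract_rule`, `verified_rule`, ...) are assumptions made for this example; real products and the paper's anchor discovery and guided simplification differ in detail.

```python
"""Toy chosen-instruction attack (CIA) against a miniature VM-based obfuscator.
Obfuscator, handler set, junk scheme, anchor and simplification rule are all
assumptions for this example; none describes Themida, VMProtect or the paper's tool."""
import random

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx")

# ---- Assumed black-box obfuscator: lowers native instrs to a stack VM --------
def _operand(src):
    return ("PUSH_IMM", src) if isinstance(src, int) else ("PUSH_REG", src)

def _lower(instr):
    """Native (op, dst, src) -> handler sequence; this is the secret the attacker wants."""
    op, dst, src = instr
    if op == "mov":
        return [_operand(src), ("POP_REG", dst)]
    if op in ("add", "sub", "xor", "and"):
        return [_operand(src), ("PUSH_REG", dst), ("VM_" + op.upper(),), ("POP_REG", dst)]
    raise ValueError("unsupported instruction: %r" % (instr,))

def virtualize(program, seed):
    """Obfuscate a program; dead PUSH_IMM/POP_DISCARD junk varies with the build seed."""
    rng, out = random.Random(seed), []
    for instr in program:
        for handler in _lower(instr):
            if rng.random() < 0.4:
                out += [("PUSH_IMM", rng.randrange(1 << 32)), ("POP_DISCARD",)]
            out.append(handler)
    return out

def run_vm(handlers, regs):
    """Reference interpreter for the handler set, used to verify extracted rules."""
    regs, stack = dict(regs), []
    alu = {"VM_ADD": lambda a, b: a + b, "VM_SUB": lambda a, b: a - b,
           "VM_XOR": lambda a, b: a ^ b, "VM_AND": lambda a, b: a & b}
    for h in handlers:
        if h[0] == "PUSH_IMM":
            stack.append(h[1])
        elif h[0] == "PUSH_REG":
            stack.append(regs[h[1]])
        elif h[0] == "POP_REG":
            regs[h[1]] = stack.pop()
        elif h[0] == "POP_DISCARD":
            stack.pop()
        else:  # binary ALU handler: top of stack is dst, below it src
            dst, src = stack.pop(), stack.pop()
            stack.append(alu[h[0]](dst, src) & MASK)
    return regs

def native_exec(instr, regs):
    """Ground-truth semantics of one native instruction."""
    regs = dict(regs)
    op, dst, src = instr
    val = src if isinstance(src, int) else regs[src]
    sem = {"mov": lambda a, b: b, "add": lambda a, b: a + b, "sub": lambda a, b: a - b,
           "xor": lambda a, b: a ^ b, "and": lambda a, b: a & b}
    regs[dst] = sem[op](regs[dst], val) & MASK
    return regs

# ---- Chosen-instruction attack (attacker side; sees only virtualize() output) --
# Anchor: an instruction whose virtualized form carries a marker (an unusual
# immediate) that is easy to find in any output. The chosen target must not contain it.
ANCHOR = ("mov", "ecx", 0x13371337)
MARKER = ("PUSH_IMM", ANCHOR[2])

def guided_simplify(handlers):
    """Assumed simplification: drop a PUSH_IMM immediately followed by POP_DISCARD."""
    out = []
    for h in handlers:
        if h == ("POP_DISCARD",) and out and out[-1][0] == "PUSH_IMM":
            out.pop()
        else:
            out.append(h)
    return out

def extract_rule(target, seed):
    """Submit [anchor, target, anchor]; cut the target's handlers out from between
    the two anchors and simplify away the build-specific junk."""
    obf = virtualize([ANCHOR, target, ANCHOR], seed)
    first, second = [i for i, h in enumerate(obf) if h == MARKER][:2]
    i = first + 1
    while obf[i] != ("POP_REG", ANCHOR[1]):   # skip the rest of the first anchor
        i += 1
    return guided_simplify(obf[i + 1:second])

def verified_rule(target, seeds=range(5), trials=20):
    """A rule counts as verified only if it is identical across builds and matches
    the native instruction's semantics on random register states."""
    rules = {tuple(extract_rule(target, s)) for s in seeds}
    if len(rules) != 1:
        raise RuntimeError("rule differs across builds: simplification incomplete")
    rule = list(rules.pop())
    rng = random.Random(0)
    for _ in range(trials):
        regs = {r: rng.randrange(1 << 32) for r in REGS}
        if run_vm(rule, regs) != native_exec(target, regs):
            raise RuntimeError("extracted rule is semantically wrong for %r" % (target,))
    return rule

if __name__ == "__main__":
    for target in [("add", "eax", "ebx"), ("xor", "edx", 0xFF), ("sub", "ebx", "eax")]:
        print(target, "->", verified_rule(target))
```

The two checks in `verified_rule` are the point of the exercise: cross-build stability catches leftover junk that the simplification missed, and differential execution against the native semantics catches a wrong cut between the anchors. Against a real obfuscator the attacker has no `run_vm`; the paper's verification has to rely on executing the virtualized output itself, and its anchor instructions are discovered rather than planted.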