一种抵抗符号执行的路径分支混淆技术

doi:10.3969/j.issn.0372-2112.2015.05.006

电子学报 ›› 2015, Vol. 43 ›› Issue (5): 870-878.DOI: 10.3969/j.issn.0372-2112.2015.05.006

一种抵抗符号执行的路径分支混淆技术

王志, 贾春福, 刘伟杰, 王晓初, 张海宁, 于晓旭, 陈喆

南开大学计算机与控制工程学院, 天津 300071

收稿日期:2014-02-24 修回日期:2014-08-04 出版日期:2015-05-25
- 通讯作者:
- 贾春福
- 作者简介:
- 王志男,1981年8月出生,山西长治人,现为南开大学计算机与控制工程学院讲师,主要研究方向为二进制代码混淆和恶意代码分析与防治.E-mail:zwang@nankai.edu.cn
- 基金资助:
- 国家自然科学基金 (No.61300242,No.61272423,No.60973141); 国家“973”重点基础研究发展计划 (No.2013CB834204); 中央高校基本科研业务费专项资金 (No.65121012); 南开大学-腾讯联合项目

Branch Obfuscation to Combat Symbolic Execution

WANG Zhi, JIA Chun-fu, LIU Wei-jie, WANG Xiao-chu, ZHANG Hai-ning, YU Xiao-xu, CHEN Zhe

College of Computer and Control Engineering, Nankai University, Tianjin 300071, China

Received:2014-02-24 Revised:2014-08-04 Online:2015-05-25 Published:2015-05-25
- Supported by:
- National Natural Science Foundation of China (No.61300242, No.61272423, No.60973141); National Key Basic Research Program of China (973 Program) (No.2013CB834204); Fundamental Research Funds for the Central Universities (No.65121012); Nankai University-Tencent Joint Project

摘要/Abstract

摘要：

程序在动态执行过程中泄露了大量的路径分支信息,这些路径分支信息是其内部逻辑关系的二进制表示.符号执行技术可以自动地收集并推理程序执行过程所泄露的路径信息,可用于逆向工程并可削弱代码混淆的保护强度.哈希函数可以有效保护基于等于关系的路径分支信息,但是难以保护基于上下边界判断的不等关系的路径分支信息.将保留前缀算法与哈希函数相结合提出了一种新的路径分支混淆技术,将符号执行推理路径分支信息的难度等价到逆向推理哈希函数的难度.该路径分支混淆方法在SPECint-2006程序测试集上进行了实验,试验结果表明该混淆方法能有效保护程序路径分支信息,具有实用性.

关键词: 代码混淆, 符号执行, 哈希函数, 保留前缀加密

Abstract:

At run time,a large number of program branching information is leaked.Branching information is the binary representation of program internal logic.Symbolic execution could automatically collect and reason about the leaked branch information,which could be used for reverse engineering and weaken the strength of code obfuscation.Hash function can effectively safeguard equal branch conditions,but it can't be used to protect branching information containing unequal trigger conditions,such as greater than or less than.In this paper,a new branch obfuscation approach combining prefix-preserving algorithm and hash function,which extends the protection scope of hash function.The strength and resilience of the branch obfuscation are discussed.This branch obfuscation approach has been tested on 7 programs from the SPECint-2006 benchmark suite,and the experimental results show that this approach could effectively mitigate branch information leaking,yet practical in terms of performance.

Key words: code obfuscation, symbolic execution, Hash function, prefix-preserving encryption

中图分类号:

TP311

王志, 贾春福, 刘伟杰, 等. 一种抵抗符号执行的路径分支混淆技术[J]. 电子学报, 2015, 43(5): 870-878.

WANG Zhi, JIA Chun-fu, LIU Wei-jie, et al. Branch Obfuscation to Combat Symbolic Execution[J]. Acta Electronica Sinica, 2015, 43(5): 870-878.

参考文献

[1] Falcarin P,et al.Guest editors' introduction:software protection[J].IEEE Software,2011,28(2):24-27.
[2] The Compliance Gap:BSA Global Software Survey[EB/OL].Washington,DC:BSA,June 2014[2014-08-01].http://globalstudy.bsa.org/2013/downloads/studies/2013GlobalSurvey_Study_en.pdf.
[3] Eighth Annual BSA and IDC Global Software Piracy Study[EB/OL].Washington,DC:BSA,2011[2013-01-26].http://portal.bsa.org/globalpiracy2010/downloads/study_pdf/2010_BSA_Piracy_Study-Standard.pdf.
[4] King J.Symbolic execution and program testing[J].Communications of the ACM,1976,19(7):385-394.
[5] Newsome J,Song D.Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on commodity software[A].Proceedings of the Network and Distributed System Security Symposium[C].Rosten,VA:Internet Society,2005.
[6] Ganesh V,Dill D.A decision procedure for bit-vectors and arrays[A].Proceedings of International Conference on Computer Aided Verification[C].Berlin:Springer,2007.519-531.
[7] Nethercote N,Seward J.Valgrind:a framework for heavyweight dynamic binary instrumentation[A].Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation[C].New York:ACM,2007.89-100.
[8] Wang C,Davidson J,Hill J,et al.Protection of software-based survivability mechanisms[A].Proceedings of the International Conference on Dependable Systems and Networks[C].Piscataway,NJ:IEEE,2001.193-202.
[9] Linn C,Debray S.Obfuscation of executable code to improve resistance to static disassembly[A].Proceedings of ACM Conference on Computer and Communication Security[C].New York,NY:ACM,2003.290-299.
[10] Myles G,Collberg C.Software watermarking via opaque predicates:implementation,analysis,and attacks[J].Electronic Commerce Research,2006,6(2):155-171.
[11] Birrer B,Raines R,Baldwin R,et al.Programfragmentation as a metamorphic software protection[A].Proceedings of the International Symposium on Information Assurance and Security[C].Piscataway,NJ:IEEE,2007.369-374.
[12] Xu J,Fan J,Ammar M,et al.Prefix-preserving IP address anonymization:measurement-based security evaluation and a new cryptography-based scheme[A].Proceedings of the IEEE International Conference on Network Protocols[C].Piscataway,NJ:IEEE,2002.280-289.
[13] Li J,Omiecinski E.Efficiency and security trade-off in supporting range queries on encrypted databases[A].Proceedings of the Annual IFIP WG 11.3 Working Conference on Data and Applications Security[C].Berlin:Springer,2005.69-83.
[14] Sharif M,Lanzi A,Giffin J,et al.Impeding malware analysis using conditional code obfuscation[A].Proceedings of the Network and Distributed System Security Symposium[C].Rosten,VA:Internet Society,2008.321-333.
[15] Amanatidis G,et al.Provably-secureschemes for basic query support in outsourced databases[A].Proceedings of the Annual IFIP WG 11.3 Working Conference on Data and applications security[C].Berlin:Springer-Verlag,2007.14-30.
[16] Xiao L,Yen,I.Security analysis and enhancement for prefix-preserving encryption schemes[R].Richardson,Texas:Department of Computer Science,UT Dallas,2012.
[17] 贾春福,王志,刘昕,等.路径模糊:一种有效抵抗符号执行的二进制混淆技术[J].计算机研究与发展,2011,48(11):2111-2119. Jia Chunfu,Wang Zhi,Liu Xin,et al.Branch obfuscation:An efficient binary code obfuscation to impede symbolic execution[J].Journal of Computer Research and Development,2011,48(11):2111-2119.(in Chinese)
[18] Andriesse D and Bos H.Instruction-level steganography for covert trigger-based malware[A].Proceedings of Conference on Detection of Intrusion and Malware & Vulnerability Assessment[C].Berlin:Springer,2014.41-45.
[19] 王怀军,等.基于变形的二进制代码混淆技术研究[J].四川大学学报:工程科学版,2014,46(01):14-21. Wang Huaijun,Fang Dingyi,Li Guanghui,et al.Research on deformation based binary code obfuscation technology[J].Journal of Sichuan University (Engineering Science Edition),2014,46(01):14-21.(in Chinese)
[20] 何炎祥,等.基于程序流敏感的自修改代码混淆方法[J].计算机工程与科学,2012,34(1):79-85. HE Yan-xiang,CHEN Yong,WU Wei,et al.A program flow-sensitive self-modifying code obfuscation method[J].Computer Engineering & Science,2012,34(1):79-85.(in Chinese)
[21] Falcarin P,et al.Exploiting code mobility for dynamic binary obfuscation[A].Proceedings of the World Congress on Internet Security[C].Piscataway,NJ:IEEE,2011.114-120.
[22] Ceccato M,TonellaP.CodeBender:remote software protection using orthogonal replacement[J].IEEE Software,2011,28(2):28-34.
[23] Wang Zhi,Jia Chunfu,Liu Min,et al.Branch obfuscation using code mobility and signal[A].Proceedings of IEEE Workshop on Security,Trust,and Privacy for Software Applications[C].Piscataway,NJ:IEEE,2012.
[24] Wang Zhi,Ming Jiang,Jia Chunfu,et al.Linear obfuscation to combat symbolic execution[A].Proceedings of European Symposium on Research in Computer Security[C].Berlin:Springer,2011.210-226.

一种抵抗符号执行的路径分支混淆技术

Branch Obfuscation to Combat Symbolic Execution

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 11

编辑推荐

Metrics

[1]	尹安琪, 曲彤洲, 郭渊博, 汪定, 陈琳, 李勇飞. 格上基于密文标准语言的可证明安全两轮口令认证密钥交换协议[J]. 电子学报, 2022, 50(5): 1140-1149.
[2]	汪孙律, 杨秋松, 李明树. 一种针对格式文件的符号执行优化方法[J]. 电子学报, 2020, 48(12): 2417-2424.
[3]	杨超, 郭云飞, 扈红超, 刘文彦, 霍树民, 王亚文. 基于符号执行的软件缓存侧信道脆弱性检测技术[J]. 电子学报, 2019, 47(6): 1194-1200.
[4]	郭曦, 王盼. 基于依赖条件重构的程序符号值分析方法[J]. 电子学报, 2019, 47(3): 630-635.
[5]	陈喆, 贾春福, 宗楠, 郑万通. 随机森林在程序分支混淆中的应用[J]. 电子学报, 2018, 46(10): 2458-2466.
[6]	赵祖威, 冯世宁, 汤恩义, 陈鑫, 李宣东, 潘敏学, 赵晨. 一种符号执行制导的循环内界分析方法[J]. 电子学报, 2017, 45(11): 2582-2592.
[7]	徐超, 陈勇, 葛红美, 何炎祥. 基于符号执行的能耗错误检测方法[J]. 电子学报, 2016, 44(5): 1040-1050.
[8]	万勇兵, 徐中伟, 梅萌. 一种符号化执行的实时系统一致性测试生成方法[J]. 电子学报, 2013, 41(11): 2276-2284.
[9]	王洪波, 程时端, 林宇. 高速网络超连接主机检测中的流抽样算法研究[J]. 电子学报, 2008, 36(4): 809-818.
[10]	张串绒, 尹忠海, 肖国镇. 不使用Hash和Redundancy函数的认证加密方案[J]. 电子学报, 2006, 34(5): 874-877.
[11]	吕科;耿国华;周明全. 基于哈希方法的空间曲线匹配[J]. 电子学报, 2003, 31(2): 294-296.