Transcript of the slides: sebastien.bardin.free.fr/05-sebastien-bardin-slides-obfuscation-day-2018.pdf
| 1Sébastien Bardin – Journée Protection du code et des données 2018
Promises and Challenges of
Symbolic Deobfuscation
Sébastien Bardin
(CEA LIST)
Robin David, Jonathan Salwan, Adel Djoudi,
Richard Bonichon, Benjamin Farinier, Mathilde Ollivier, etc.
ABOUT MY LAB @CEA [Paris-Saclay, France]
IN A NUTSHELL
• MATE attacks and defenses are a hot topic
• IP protection, malware comprehension
• Symbolic deobfuscation as a game changer?
• Many successful case-studies
• Explore, Prove, Simplify
• This talk: a tour of symbolic deobfuscation
• Present the approach, highlight successes and limits
• [SANER 2016, FM 2016, BH Europe 2016, S&P 2017, DIMVA 2018]
OUTLINE
• Context: MATE and deobfuscation
• Back to the basics: binary-level semantic analysis
• Symbolic deobfuscation & achievements
• State of the defense
• Conclusion
MATE is not MITM
MITM: Man-In-The-Middle
Attacker is on the network
• Observe messages
• Forge messages
• Steal pwd, keys, etc.
Known crypto solutions
MATE: Man-At-The-End
Attacker is on the computer
• R/W the code
• Execute step by step
• Patch on-the-fly
• Steal pwd, keys
• Tamper code
• Steal code
Crypto or code analysis?
(aside) NOT SO HARD FOR EXPERTS
A SOLUTION: OBFUSCATION
Transform P into P’ such that
• P’ behaves like P
• P’ roughly as efficient as P
• P’ is very hard to understand
State of the art
• No usable math-proven solution
• Useful ad hoc solutions (strength?)
OBFUSCATION IN PRACTICE
• self-modification
• encryption
• virtualization
• code overlapping
• opaque predicates
• callstack tampering
• …
EXAMPLE: OPAQUE PREDICATE
Constant-value predicates (always true or always false)
• the dead branch points to spurious code
• goal: waste the reverser's time and effort
EXAMPLE: STACK TAMPERING
Alter the standard compilation scheme: ret does not go back to the call site
• hides the real target
• the return site is spurious code
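An added example, not code from the slides or from BINSEC: a shadow-stack check over a constructed execution trace. It flags exactly what the slide above describes, a ret that does not go back to the address its call pushed, and records whether the legitimate return site was ever executed (when it never is, that site is the spurious code a disassembler would still present as live). The trace format, the 5-byte instruction size and every address are assumptions of this toy.

```python
INSN_SIZE = 5  # constructed toy encoding: every instruction in the trace is 5 bytes long

# Constructed trace: (pc, mnemonic, operand); operand is the call target for "call",
# the address control actually reached for "ret", and None for anything else.
TRACE = [
    (0x1000, "call", 0x2000),
    (0x2000, "mov", None),
    (0x2005, "ret", 0x1005),   # well-behaved: goes back to the address the call pushed
    (0x1005, "call", 0x3000),
    (0x3000, "add", None),     # the callee altered its saved return address (effect only)
    (0x3005, "ret", 0x4000),   # tampered: lands at 0x4000, not at the return site 0x100a
    (0x4000, "nop", None),
]

def check_trace(trace):
    """Shadow-stack check: every call pushes its return address, every ret must pop
    exactly that address. Returns one finding per violation."""
    executed = {pc for pc, _, _ in trace}
    shadow, findings = [], []
    for pc, mnem, operand in trace:
        if mnem == "call":
            shadow.append(pc + INSN_SIZE)
        elif mnem == "ret":
            expected = shadow.pop() if shadow else None   # None: ret without a matching call
            if operand != expected:
                findings.append({
                    "pc": pc,
                    "expected": expected,
                    "actual": operand,
                    # a return site that is never executed is the spurious code the
                    # slide describes: static tools would still show it as reachable
                    "return_site_executed": expected in executed,
                })
    return findings

if __name__ == "__main__":
    for f in check_trace(TRACE):
        print(f"ret at {f['pc']:#x}: expected {f['expected']:#x}, got {f['actual']:#x}, "
              f"return site executed: {f['return_site_executed']}")
```

The check is purely dynamic, so it only sees the paths the trace covers; that is the incompleteness of dynamic analysis the later slides contrast with symbolic reasoning.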
EXAMPLE: VIRTUALIZATION
Turns code P into
• a proprietary bytecode program
• + a homemade VM (runtime)
• Easy to recover the VM structure
• But does not say anything about P
long secret(long x) {
……
return x;
}
[figure: VM structure: bytecodes (custom ISA) → fetching → decoding → dispatcher → operator 1, operator 2, operator 3, terminator]
DEOBFUSCATION
• Ideally, get P back from P’
• Or, get close enough
• Or, help understand P
WHY WORK ON DEOBFUSCATION?
• Malware comprehension
• Protection evaluation
BUT … THIS IS HARD!!!
Obfuscation is automatic
Deobfuscation requires proper tooling
STATE-OF-THE-ART TOOLS ARE NOT ENOUGH
Just add
mov %eax,%ecx
mov %ecx,%eax
and break results
Static (syntactic)
• too fragile (code variations)
Dynamic
• too incomplete (rare events)
THE MATE ARMS RACE
Unprotected binary → standard static disassemblers
« mild protections » (junk, duplicate, etc.) → ad hoc static disassemblers
Packing & self-modification → dynamic analysis
Trigger-based behaviours → ??????????????
SOLUTION? SEMANTIC PROGRAM ANALYSIS
• From formal methods for safety-critical systems
• Semantic = meaning of the program
• Possibly well adapted: semantics is preserved by obfuscation
• Symbolic deobfuscation
• Explore, Prove & Simplify
Can reason about sets of executions
• find rare events
• prove, simplify
MAYBE A GOOD IDEA!
REALLY LOOKS LIKE A GREAT IDEA
QUESTIONS
• How does it work?
• What does it achieve?
• How to counter it?
OUTLINE
• Context: MATE and deobfuscation
• Back to the basics: binary-level semantic analysis
• Symbolic deobfuscation & achievements
• State of the defense
• Conclusion
(aside) STATIC SEMANTIC ANALYSIS IS VERY, VERY HARD ON BINARY CODE
Problems
• jump eax (dynamic jumps)
• memory
• bit-level reasoning
WANTED
Robustness
• able to survive dynamic jumps, self-modification, unpacking, etc.
• outside the scope of standard methods
Precision
• Machine arithmetic (overflow) and bit-level operations
• Byte-level memory, possible overlaps
• hard for state-of-the-art formal methods
Scale
THE GOOD CANDIDATE: SYMBOLIC EXECUTION
(Godefroid, 2005)
Given a path of a program
• Compute its « path predicate » f
• A solution of f is an input following the path
• Solve it with powerful existing solvers
PATH PREDICATE COMPUTATION & RESOLUTION
[figure: the path predicate computed along the path is handed to an SMT solver; shown: Y0 = 0 /\ Z0 = 3]
THE GOOD CANDIDATE: SYMBOLIC EXECUTION
(Godefroid, 2005)
Given a path of a program
• Compute its « path predicate » f
• A solution of f is an input following the path
• Solve it with powerful existing solvers
Good points:
• No false positive = find real paths
• Robust (symb. + dynamic)
• Precise (theory bitvectors + arrays)
• Extends rather well to binary code
« concretization »
• Replace symbolic values by runtime values
• Keep going when symbolic reasoning fails
• Tune the tradeoff genericity - cost
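The path predicate computation, its resolution and concretization described on the slides above, as an added Python example that is neither the slides' nor BINSEC's code. A constructed toy register IR is executed concretely on a seed input while every register is shadowed by an expression over the inputs (the DSE setting); the constraints collected along the way form the path predicate, which is rendered in SMT-LIB and solved, after flipping its last branch, by exhaustive enumeration over 8-bit inputs, a stand-in for the SMT solver a real tool would call. The instruction format, both programs, the hash() stand-in and the 8-bit word size are assumptions.

```python
from itertools import product
from operator import add, sub, mul, xor, and_, eq

MASK = 0xFF  # 8-bit words, so the stand-in "solver" below can simply enumerate inputs
OPS = {"+": add, "-": sub, "*": mul, "^": xor, "&": and_, "=": eq}
SMT = {"+": "bvadd", "-": "bvsub", "*": "bvmul", "^": "bvxor", "&": "bvand", "=": "="}

# Expressions over the inputs: str = symbolic input, int = constant,
# ("not", e) or (op, lhs, rhs). A path predicate is a list of such constraints.
def ev(e, env):
    """Evaluate an expression under a concrete assignment of the inputs."""
    if isinstance(e, str):
        return env[e]
    if isinstance(e, int):
        return e & MASK
    if e[0] == "not":
        return int(not ev(e[1], env))
    return int(OPS[e[0]](ev(e[1], env), ev(e[2], env))) & MASK

def smt(e):
    """Render an expression in SMT-LIB bit-vector syntax (what a real tool hands to the solver)."""
    if isinstance(e, str):
        return e
    if isinstance(e, int):
        return f"#x{e & MASK:02x}"
    if e[0] == "not":
        return f"(not {smt(e[1])})"
    return f"({SMT[e[0]]} {smt(e[1])} {smt(e[2])})"

# Constructed stand-in for a library call the analysis has no symbolic model of.
EXTERNALS = {"hash": lambda v: (v * 0x9D + 0x2B) & MASK}

def rd(sym, x):
    return sym[x] if isinstance(x, str) else x

def dse_run(program, seed):
    """Execute `program` on the concrete `seed` while shadowing every register with an
    expression over the inputs; return the path predicate of the path actually taken.
    Instructions: ("op", o, dst, a, b), ("br", o, a, b, target), ("extern", dst, fn, a), ("halt",)."""
    sym = {name: name for name in seed}
    pred, pc = [], 0
    while program[pc][0] != "halt":
        ins = program[pc]
        if ins[0] == "op":
            _, o, dst, a, b = ins
            sym[dst] = (o, rd(sym, a), rd(sym, b))
        elif ins[0] == "extern":            # concretization: no model, use the runtime value
            _, dst, fn, a = ins
            arg = ev(sym[a], seed)
            pred.append(("=", sym[a], arg))  # pin the argument so the predicate stays sound
            sym[dst] = EXTERNALS[fn](arg)
        elif ins[0] == "br":
            _, o, a, b, target = ins
            cond = (o, rd(sym, a), rd(sym, b))
            if ev(cond, seed):              # the concrete run decides which side is followed
                pred.append(cond)
                pc = target
                continue
            pred.append(("not", cond))
        pc += 1
    return pred

def flip_last(pred):
    """Negate the last branch constraint: the query for the sibling path."""
    last = pred[-1]
    return pred[:-1] + [last[1] if last[0] == "not" else ("not", last)]

def solve(pred, names):
    """Stand-in for the SMT solver: exhaustive 8-bit enumeration (toy sizes only)."""
    for vals in product(range(MASK + 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if all(ev(c, env) for c in pred):
            return env
    return None

# Constructed program: the branch at pc 3 is taken for very few (x, y) pairs.
PROGRAM = [
    ("op", "*", "t", "x", 3),
    ("op", "^", "t", "t", "y"),
    ("op", "+", "t", "t", 7),
    ("br", "=", "t", 0x5A, 5),
    ("halt",),                  # 4: common path
    ("halt",),                  # 5: rare path
]

# Constructed program whose branch depends on an un-modelled call: concretization keeps
# the run going, but the flipped query is unsatisfiable, so that path is never found.
PROGRAM_HASH = [
    ("extern", "h", "hash", "x"),
    ("br", "=", "h", 0x10, 3),
    ("halt",),
    ("halt",),
]

if __name__ == "__main__":
    pred = dse_run(PROGRAM, {"x": 1, "y": 2})
    print("path predicate:", " /\\ ".join(smt(c) for c in pred))
    print("input for the rare path:", solve(flip_last(pred), ["x", "y"]))
    print("rare path behind hash():", solve(flip_last(dse_run(PROGRAM_HASH, {"x": 5})), ["x"]))
```

Pinning the concretized argument keeps every solution the solver returns a real path (no false positive), at the price that the sibling of a branch depending on hash() can never be reached through the query; that is the genericity/cost tradeoff the slide names, and the reason hash-based predicates appear later among the anti-DSE proposals.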
OUTLINE
• Context: MATE and deobfuscation
• Back to the basics: binary-level semantic analysis
• Symbolic deobfuscation & achievements
• State of the defense
• Conclusion
BINSEC: SYMBOLIC ANALYSIS for BINARY
• Explore
• Prove
• Simplify
Rely on variants of Symbolic Execution
PART I: EXPLORE (standard SE) [SANER’16] [Yadegari et al., S&P’15]
(with Robin David)
Forward reasoning
• Follows a path
• Finds new branches / jumps
• Standard DSE setting
Advantages
• Find new real paths
• Even rare paths
« dynamic analysis on steroids »
EXAMPLE: FIND THE GOOD PATH
Beware: scale?
PART II: PROVE
Backward bounded SE
• Compute k-predecessors
• If the set is empty, there is no predecessor (infeasible)
• Allows proving things
• False negatives (missed proofs): k too small
• False positives (wrong proofs): CFG incomplete (low rate in controlled experiments)
BACKWARD SYMBOLIC EXECUTION
[figure: forward SE explores & discovers paths; backward SE proves targets infeasible]
IN PRACTICE
• Scalable switch target recovery
• Opaque predicate detection
• Call stack tampering
• High-level condition recovery
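Opaque predicate detection by bounded backward reasoning, as an added Python example that is not from the slides or BINSEC. Only the k instructions before a branch are considered, every register live at the window entry is left completely unconstrained (that is what "k-predecessors" buys), and the question "can the condition ever be false / ever be true within the window" is decided by exhaustive enumeration over 8-bit values, a stand-in for the SMT solver. The example reproduces the false negative case of the PROVE slide: with k too small the classic opaque predicate x*(x+1) & 1 == 0 is reported unknown, with k = 3 it is proved always true. The instruction encoding, the programs and the word size are assumptions; the false positive case (incomplete CFG) cannot arise here because the toy programs are straight-line.

```python
from itertools import product
from operator import add, sub, mul, and_, xor, or_

MASK = 0xFF  # 8-bit words keep the exhaustive stand-in "solver" cheap
OPS = {"+": add, "-": sub, "*": mul, "&": and_, "^": xor, "|": or_}

def val(regs, x):
    return regs[x] if isinstance(x, str) else x

def exec_window(window, regs):
    """Interpret a straight-line window of (op, dst, a, b) instructions concretely."""
    regs = dict(regs)
    for op, dst, a, b in window:
        regs[dst] = OPS[op](val(regs, a), val(regs, b)) & MASK
    return regs

def live_in(window, cond_regs):
    """Registers read inside the window (or by the condition) before any write to them:
    the unknowns at the window entry, which the bounded analysis leaves unconstrained."""
    written, live = set(), set()
    for op, dst, a, b in window:
        live |= {s for s in (a, b) if isinstance(s, str) and s not in written}
        written.add(dst)
    live |= {r for r in cond_regs if r not in written}
    return sorted(live)

def check_predicate(program, branch_pc, k):
    """Bounded backward check of the branch at `branch_pc` (a (cmp, a, b) triple with
    cmp in {"==", "!="}) using only the k instructions before it. Returns
    "opaque-true" / "opaque-false" when one outcome is impossible within the window,
    else "unknown" (both outcomes were reached: genuine, or k too small)."""
    window = program[max(0, branch_pc - k):branch_pc]
    cmp, a, b = program[branch_pc]
    names = live_in(window, [r for r in (a, b) if isinstance(r, str)])
    outcomes = set()
    for vals in product(range(MASK + 1), repeat=len(names)):
        regs = exec_window(window, dict(zip(names, vals)))
        equal = val(regs, a) == val(regs, b)
        outcomes.add(equal if cmp == "==" else not equal)
        if len(outcomes) == 2:
            return "unknown"
    return "opaque-true" if outcomes == {True} else "opaque-false"

# Constructed programs: 4-tuples are instructions, the final 3-tuple is the branch.
OPAQUE = [                 # x*(x+1) is always even, so "t == 0" always holds: its else-side is dead
    ("+", "t", "x", 1),
    ("*", "t", "t", "x"),
    ("&", "t", "t", 1),
    ("==", "t", 0),
]
ALWAYS_FALSE = [("&", "t", "x", 0), ("==", "t", 1)]   # t is always 0: the then-side is dead
GENUINE = [("^", "t", "x", "y"), ("==", "t", 0)]      # a real, input-dependent test

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"OPAQUE with k={k}:", check_predicate(OPAQUE, 3, k))
    print("ALWAYS_FALSE:", check_predicate(ALWAYS_FALSE, 1, 1))
    print("GENUINE:", check_predicate(GENUINE, 1, 1))
```

A verdict of "unknown" is never a proof: it is either a genuine branch or a missed proof because the dependency chain is longer than k, which is why the XTunnel numbers later on (dependency chains averaging 8.7 and up to 230) matter for choosing k.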
CASE-STUDY: PACKERS [BH EU’16] (with Robin David)
Packers: legitimate software protection tools
(basic malware: the sole protection)
CASE-STUDY: PACKERS (fun facts)
CASE-STUDY: THE XTUNNEL MALWARE [S&P’17]
-- part of the DNC hack (with Robin David)
Two heavily obfuscated samples
• Many opaque predicates
Goal: detect & remove protections
• Identify 45% of the code as spurious
• Fully automatic, < 3h
CASE-STUDY: THE XTUNNEL MALWARE (fun facts)
• Protection seems to rely only on opaque predicates
• Only two families of opaque predicates
• Yet, quite sophisticated
• original OPs
• interleaving between payload and OP computation
• sharing among OP computations
• possibly long dependency chains (avg 8.7, up to 230)
PART III: SIMPLIFY
Why? Recover hidden simple expressions
• Junk code, junk computations
• Opaque values
• Duplicate code
• Complex patterns (MBAs)
Symbolic reasoning a priori well adapted
• Normalization / rewrite rules: (a+b-a) → b
• Solver-based proof: check-valid(a+b-a = b)
Basic
• Tainting
• Slicing
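The two simplification routes on the slide, normalization by rewrite rules and solver-based proof (check-valid), as an added Python example that is not from the slides or BINSEC. The rewrite rules handle the slide's (a+b-a) → b, opaque values such as k^k, junk computations such as v*1, and one mixed boolean-arithmetic identity; check-valid is realised by exhaustive enumeration over 8-bit inputs (a stand-in for an SMT solver) and returns a counterexample when the equality is not valid. The expression encoding and the rule set are assumptions.

```python
from itertools import product
from operator import add, sub, mul, xor, and_, or_

MASK = 0xFF  # 8-bit words, so check-valid can enumerate every input (toy sizes only)
OPS = {"+": add, "-": sub, "*": mul, "^": xor, "&": and_, "|": or_}

# Expressions: str = variable, int = constant, (op, lhs, rhs) = operation.
def ev(e, env):
    if isinstance(e, str):
        return env[e]
    if isinstance(e, int):
        return e & MASK
    return OPS[e[0]](ev(e[1], env), ev(e[2], env)) & MASK

def variables(e):
    if isinstance(e, str):
        return {e}
    if isinstance(e, int):
        return set()
    return variables(e[1]) | variables(e[2])

def simplify(e):
    """Normalization by rewrite rules, applied bottom-up (the rule set is an assumption)."""
    if not isinstance(e, tuple):
        return e
    op, a, b = e[0], simplify(e[1]), simplify(e[2])
    if isinstance(a, int) and isinstance(b, int):           # constant folding
        return OPS[op](a, b) & MASK
    if op == "-" and isinstance(a, tuple) and a[0] == "+":  # (x + y) - x -> y, (x + y) - y -> x
        if a[1] == b:
            return a[2]
        if a[2] == b:
            return a[1]
    if op in ("^", "-") and a == b:                         # opaque value: x ^ x, x - x -> 0
        return 0
    if op in ("&", "|") and a == b:                         # x & x, x | x -> x
        return a
    if op == "+" and b == 0 or op == "*" and b == 1:        # junk computation: x + 0, x * 1 -> x
        return a
    if op == "+" and a == 0:
        return b
    if op == "&" and (a == 0 or b == 0):
        return 0
    # one MBA identity: (x ^ y) + 2 * (x & y) -> x + y
    if op == "+" and isinstance(a, tuple) and a[0] == "^" and isinstance(b, tuple) and b[0] == "*":
        coef, term = (b[1], b[2]) if b[1] == 2 else (b[2], b[1])
        if coef == 2 and isinstance(term, tuple) and term[0] == "&" and {term[1], term[2]} == {a[1], a[2]}:
            return ("+", a[1], a[2])
    return (op, a, b)

def check_valid(lhs, rhs):
    """Solver-based proof of lhs = rhs over 8-bit words by exhaustive enumeration
    (stand-in for an SMT solver). Returns (True, None) or (False, counterexample)."""
    names = sorted(variables(lhs) | variables(rhs))
    for vals in product(range(MASK + 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if ev(lhs, env) != ev(rhs, env):
            return False, env
    return True, None

# Constructed inputs: the slide's (a+b-a), an opaque value plus junk, and an MBA.
SLIDE_EXPR = ("-", ("+", "a", "b"), "a")
JUNK_EXPR = ("+", ("^", "k", "k"), ("*", "v", 1))
MBA_EXPR = ("+", ("^", "x", "y"), ("*", 2, ("&", "y", "x")))

if __name__ == "__main__":
    for name, expr in (("slide", SLIDE_EXPR), ("junk", JUNK_EXPR), ("mba", MBA_EXPR)):
        print(name, "->", simplify(expr))
    print("check-valid(mba = x + y):", check_valid(MBA_EXPR, ("+", "x", "y")))
    print("check-valid(x ^ y = x + y):", check_valid(("^", "x", "y"), ("+", "x", "y")))
```

Rewrite rules are cheap but only fire on patterns they know; the solver-based check is general but costs a query per candidate, which is the "solve vs simplify" dependency mentioned under hard-to-solve predicates later on.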
EXAMPLE: HIGH-LEVEL CONDITION RECOVERY [FM’16]
(with Adel Djoudi)
+ simplification inference
+ SMT solver
CASE-STUDY: DEVIRTUALIZATION [DIMVA’18]
(with Jonathan Salwan)
TIGRESS Challenge
• Original codes: hash-like functions
• Focus on challenges 0-4
• Only challenge 1 was solved
Solve challenges 0 - 4 (25 samples)
• very close to the original codes
• sometimes even smaller!
• very efficient (<1min on 20/25)
[figure: pipeline: binary code → Triton AST (+ simplif.) → Arybo IR → LLVM-IR → binary code; steps: discard VM part, simplify & merge, optimizations]
CASE-STUDY: DEVIRTUALIZATION (fun facts)
• Duplicate opcodes: merged!
• Nested VMs
• k=2: ok (laptop)
• k=3: ok (cloud)
• Also tested vs each VM-option
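An added example, not code from the DIMVA’18 work, Tigress or Triton: a constructed stack VM whose custom bytecode hides secret(x) = ((x * 3) ^ 5) + 7, and the core idea behind the devirtualization above. The VM is run with concrete bytecode but a symbolic input, so every fetch/decode/dispatch decision is resolved and only the computation on the input survives as an expression, which is then printed back as C-like source. It also shows why duplicate opcode handlers merge for free. The real pipeline works on x86 traces with Triton, Arybo and LLVM; the VM, its opcodes and the hidden function are assumptions.

```python
# Constructed toy VM (not Tigress): a stack machine whose custom ISA hides
# secret(x) = ((x * 3) ^ 5) + 7. Opcodes 0x03 and 0x09 are duplicate ADD handlers,
# the kind of "duplicate opcodes" the case study merges.
OP_RET, OP_INPUT, OP_CONST, OP_ADD, OP_MUL, OP_XOR, OP_ADD_DUP = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x09
HANDLERS = {OP_ADD: "+", OP_MUL: "*", OP_XOR: "^", OP_ADD_DUP: "+"}

BYTECODE = [(OP_INPUT, None), (OP_CONST, 3), (OP_MUL, None), (OP_CONST, 5), (OP_XOR, None),
            (OP_CONST, 7), (OP_ADD_DUP, None), (OP_RET, None)]
BYTECODE_PLAIN = [(OP_ADD if op == OP_ADD_DUP else op, arg) for op, arg in BYTECODE]

def secret(x):
    """The original program P, only used here to check the recovered expression."""
    return ((x * 3) ^ 5) + 7

def binop(op, a, b):
    """Data-path operation: fold when both operands are concrete, else build an AST node."""
    if isinstance(a, int) and isinstance(b, int):
        return {"+": a + b, "*": a * b, "^": a ^ b}[op]
    return (op, a, b)

def run_vm(bytecode, x):
    """Fetch / decode / dispatch loop. x is an int (concrete run) or the symbol "x"
    (symbolic run). The dispatcher only ever sees concrete opcodes, so in the symbolic
    run every VM-internal decision is evaluated away and only the computation on the
    input survives as an expression: the VM part is discarded automatically."""
    stack, pc = [], 0
    while True:
        opcode, arg = bytecode[pc]          # fetch + decode from concrete bytecode
        pc += 1
        if opcode == OP_INPUT:
            stack.append(x)
        elif opcode == OP_CONST:
            stack.append(arg)
        elif opcode == OP_RET:
            return stack.pop()
        else:                                # dispatch to the operator handler
            b, a = stack.pop(), stack.pop()
            stack.append(binop(HANDLERS[opcode], a, b))

def to_c(e):
    """Render a recovered expression as C-like source."""
    if isinstance(e, (str, int)):
        return str(e)
    return f"({to_c(e[1])} {e[0]} {to_c(e[2])})"

def devirtualize(bytecode):
    """Symbolic run with the input left free: the recovered body of secret()."""
    return to_c(run_vm(bytecode, "x"))

if __name__ == "__main__":
    print("recovered: long secret(long x) { return", devirtualize(BYTECODE) + "; }")
    print("check on x=10:", run_vm(BYTECODE, 10), "==", secret(10))
```

The two bytecodes differ only in which ADD handler they dispatch to, yet yield the same expression, which is the "duplicate opcodes: merged" observation: once the data path is what is recovered, handler identity no longer matters. Nested VMs work the same way in principle, with the inner dispatcher's decisions also concrete, at a cost in trace length (the slide's k=2 on a laptop, k=3 in the cloud).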
REMINDER: SYMBOLIC DEOBFUSCATION
• EXPLORE
• PROVE
• SIMPLIFY
ARE WE ALL DEAD?
OUTLINE
• Context: MATE and deobfuscation
• Back to the basics: binary-level semantic analysis
• Symbolic deobfuscation & achievements
• State of the defense
• Conclusion
ANTI-DSE PROPOSALS ARE BLOOMING
• Hard-to-solve predicates
• floats or array intensive formulas
• mixed boolean arithmetic
• crypto hash functions (e.g. x = 42, hash(x) = 10580)
• Modelling defects: anti-dynamic, anti-taint, etc.
• side-channels
• Beware
• protections must be input-dependent, otherwise they are removed by standard optimizations
• Hot topic, battle in progress
• Tradeoff between performance penalty vs protection?
• Exact goal of the attacker?
SIDE CHANNELS vs DSE (Collberg et al., Euro S&P 2018)
• Idea = use side channels for communicating information
• Rationale: DSE does not take the physical world into account and gets confused
• Example: concurrent threads writing x, one slow and one fast
• Blinds DSE, but « probabilistic correctness » only
HARD-TO-SOLVE PREDICATES
• Beware: the solver guys are incredible!
• Float solutions start to emerge (SMTCOMP, Colibri@CEA)
• Arrays progress, see next slide
• Mixed Boolean Arithmetic
• some partial solutions [N. Eyrolles]
• effects of MBA hard to predict in advance
• depend on the setting: solve vs simplify
• Crypto hash functions are highly powerful (but take care of Marine M.)
• cost? stealth?
• becomes a white-box (WB) issue: find the key
Tuning the solver: array formula simplification [LPAR 2018]
(with Benjamin Farinier)
• Makes the difference!
OUTLINE
• Context: MATE and deobfuscation
• Back to the basics: binary-level semantic analysis
• Symbolic deobfuscation & achievements
• State of the defense
• Conclusion
CONCLUSION & TAKE AWAY
• A tour of the advantages and limits of symbolic deobfuscation
• Symbolic deobfuscation complements existing approaches!
• Well adapted: semantics is invariant under obfuscation
• Explore, prove, simplify
• Defenders have to take it into account!
• The arms race is still on
• Anti-symbolic and anti-anti-symbolic methods
• Opens the way to fruitful combinations (attack & defense)
• Still much room to explore
• Deobfuscation for malware detection
• Tradeoffs power – detection – resources
Commissariat à l’énergie atomique et aux énergies alternatives
Institut List | CEA SACLAY NANO-INNOV | BAT. 861 – PC142
91191 Gif-sur-Yvette Cedex - FRANCE
www-list.cea.fr
Public industrial and commercial establishment | RCS Paris B 775 685 019