Visible to the public DoSE: Deobfuscation Based on Semantic Equivalence

TitleDoSE: Deobfuscation Based on Semantic Equivalence
Publication TypeConference Paper
Year of Publication2018
AuthorsTofighi-Shirazi, Ramtine, Christofi, Maria, Elbaz-Vincent, Philippe, Le, Thanh-ha
Conference NameProceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop
Date PublishedDecember 2018
PublisherACM
ISBN Number978-1-4503-6096-8
Keywordscode cloning, Collaboration, control-flow graph, deobfuscation, false trust, malware analysis, obfuscation, opaque predicate, policy-based governance, pubcrawl, resilience, Resiliency, reverse engineering, Scalability, symbolic execution
Abstract

Software deobfuscation is a key challenge in malware analysis to understand the internal logic of the code and establish adequate countermeasures. In order to defeat recent obfuscation techniques, state-of-the-art generic deobfuscation methodologies are based on dynamic symbolic execution (DSE). However, DSE suffers from limitations such as code coverage and scalability. In the race to counter and remove the most advanced obfuscation techniques, there is a need to reduce the amount of code to cover. To that extend, we propose a novel deobfuscation approach based on semantic equivalence, called DoSE. With DoSE, we aim to improve and complement DSE-based deobfuscation techniques by statically eliminating obfuscation transformations (built on code-reuse). This improves the code coverage. Our method's novelty comes from the transposition of existing binary diffing techniques, namely semantic equivalence checking, to the purpose of the deobfuscation of untreated techniques, such as two-way opaque constructs, that we encounter in surreptitious software. In order to challenge DoSE, we used both known malwares such as Cryptowall, WannaCry, Flame and BitCoinMiner and obfuscated code samples. Our experimental results show that DoSE is an efficient strategy of detecting obfuscation transformations based on code-reuse with low rates of false positive and/or false negative results in practice, and up to 63% of code reduction on certain types of malwares.

URLhttps://dl.acm.org/doi/10.1145/3289239.3289243
DOI10.1145/3289239.3289243
Citation Keytofighi-shirazi_dose:_2018