ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2015, Vol. 52 ›› Issue (8): 1902-1909.doi: 10.7544/issn1000-1239.2015.20140607

• 信息安全 • 上一篇    下一篇

基于代码移动的二进制程序控制流混淆方法

陈喆,王志,王晓初,贾春福   

  1. (南开大学计算机与控制工程学院 天津 300071)(chenzhe501@foxmail.com)
  • 出版日期: 2015-08-01
  • 基金资助: 
    基金项目:国家“九七三”重点基础研究发展计划基金项目(2013CB834204);国家自然科学基金项目(61300242, 61272423);天津市自然科学基金项目(14JCYBJC15300); 中央高校基本科研业务费专项资金项目(65121012)

Using Code Mobility to Obfuscate Control Flow in Binary Codes

Chen Zhe,Wang Zhi,Wang Xiaochu,Jia Chunfu   

  1. (College of Computer & Control Engineering, Nankai University, Tianjin 300071)
  • Online: 2015-08-01

摘要: 代码混淆技术常被用于软件保护领域和恶意代码对抗分析.传统的代码混淆技术会使逆向分析者获得程序的全部二进制代码,因此存在一定的安全性问题.为缓解这一问题,提出了一种基于代码移动的二进制程序控制流混淆方法,将程序的重要控制逻辑代码移动至逆向分析者不可控的可信实体,以使本地代码控制流信息部分缺失,从而使得程序的关键行为无法通过推理获知;利用包含无初始意义操作数的非条件跳转指令替代条件跳转指令隐藏路径分支的分支条件和目标地址,以增大收集程序路径信息的难度.对该控制流混淆方法从强度、弹性和开销3个指标进行了技术评价.将所提混淆方法用于6个恶意软件触发条件的混淆并对混淆之后的恶意代码进行逆向分析实验,结果表明该混淆方法能够较好地抵抗基于静态分析和符号执行的逆向分析方法.

关键词: 代码混淆, 控制流混淆, 代码移动, 逆向工程, 符号执行

Abstract: Code obfuscation is usually used in software protection and malware combating reverse engineering. There are some security issues in traditional code obfuscation methods, because reverse engineers can acquire all binary codes. To mitigate this problem, this paper presents a novel control flow obfuscation approach to protect the control flow of binary codes based on code mobility. Transforming the significant control logic codes to a remote trusted entity beyond adversary’s control makes some control flow information invisible at local untrusted execution environment, so that the binary code’s key behaviors cannot be predicted statically or dynamically. Non-conditional jump instructions without control information are used to replace some critical conditional jumps to hide branch conditions and jump target memory addresses, which increases the difficulty of collecting and reasoning about the program path information. We estimate this obfuscation approach in three aspects: potency, resilience and cost. And using this approach, we obfuscate the trigger conditions in six malware samples belonging to different families, and then use the state-of-the-art reverse engineering tools to reason about their internal control logic. Experimental result shows that our obfuscation approach is able to protect various branch conditions and reduce the leakage of branch information at run-time that impedes reverse engineering based on symbolic execution to analyze program’s internal logic.

Key words: code obfuscation, control-flow obfuscation, code mobility, reverse engineering, symbolic execution

中图分类号: