    Chen Zhe, Wang Zhi, Wang Xiaochu, Jia Chunfu. Using Code Mobility to Obfuscate Control Flow in Binary Codes[J]. Journal of Computer Research and Development, 2015, 52(8): 1902-1909. DOI: 10.7544/issn1000-1239.2015.20140607

    Using Code Mobility to Obfuscate Control Flow in Binary Codes

    • Code obfuscation is commonly used in software protection and by malware to resist reverse engineering. Traditional code obfuscation methods have security issues because reverse engineers can acquire all of the binary code. To mitigate this problem, this paper presents a novel control flow obfuscation approach, based on code mobility, to protect the control flow of binary code. Moving the significant control logic code to a remote trusted entity beyond the adversary's control makes some control flow information invisible in the local untrusted execution environment, so that the binary code's key behaviors cannot be predicted statically or dynamically. Unconditional jump instructions that carry no control information replace some critical conditional jumps to hide branch conditions and jump target memory addresses, which increases the difficulty of collecting and reasoning about program path information. We evaluate this obfuscation approach in three aspects: potency, resilience and cost. Using this approach, we obfuscate the trigger conditions in six malware samples belonging to different families, and then use state-of-the-art reverse engineering tools to reason about their internal control logic. The experimental results show that our obfuscation approach is able to protect various branch conditions and reduce the leakage of branch information at run time, which impedes reverse engineering that relies on symbolic execution to analyze a program's internal logic.