Using Code Mobility to Obfuscate Control Flow in Binary Codes

Code obfuscation is usually used in software protection and malware combating reverse engineering. There are some security issues in traditional code obfuscation methods, because reverse engineers can acquire all binary codes. To mitigate this problem, this paper presents a novel control flow obfuscation approach to protect the control flow of binary codes based on code mobility. Transforming the significant control logic codes to a remote trusted entity beyond adversary’s control makes some control flow information invisible at local untrusted execution environment, so that the binary code’s key behaviors cannot be predicted statically or dynamically. Non-conditional jump instructions without control information are used to replace some critical conditional jumps to hide branch conditions and jump target memory addresses, which increases the difficulty of collecting and reasoning about the program path information. We estimate this obfuscation approach in three aspects: potency, resilience and cost. And using this approach, we obfuscate the trigger conditions in six malware samples belonging to different families, and then use the state-of-the-art reverse engineering tools to reason about their internal control logic. Experimental result shows that our obfuscation approach is able to protect various branch conditions and reduce the leakage of branch information at run-time that impedes reverse engineering based on symbolic execution to analyze program’s internal logic.