DocumentCode :
2577724
Title :
Towards Static Analysis of Virtualization-Obfuscated Binaries
Author :
Kinder, Johannes
Author_Institution :
Sch. of Comput. & Commun. Sci, Ecole Polytech. Fed. de Lausanne (EPFL), Lausanne, Switzerland
fYear :
2012
fDate :
15-18 Oct. 2012
Firstpage :
61
Lastpage :
70
Abstract :
Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into byte code for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible. In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and byte code. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the byte code program. To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal byte code locations only. We lift an existing analysis implemented in the Jakstab static analyzer and present preliminary results for processing a virtualization-obfuscated binary.
Keywords :
data flow analysis; merging; program compilers; program interpreters; virtualisation; JAKSTAB static analyzer; bytecode program; data flow information; data merging; program code; program compiler; program interpreter; program protection; randomized virtual architecture; virtual program counter; virtualization obfuscated binary; Abstracts; Arrays; Malware; Radiation detectors; Semantics; Switches; Transfer functions; obfuscation; reasoning about programs; reverse engineering; static analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Reverse Engineering (WCRE), 2012 19th Working Conference on
Conference_Location :
Kingston, ON
ISSN :
1095-1350
Print_ISBN :
978-1-4673-4536-1
Type :
conf
DOI :
10.1109/WCRE.2012.16
Filename :
6385102