DOI: 10.1145/3510003.3510139 (ACM Conferences, ICSE conference proceedings)
research-article
Open access

Hiding critical program components via ambiguous translation

Published: 05 July 2022

Abstract

Software systems may contain critical program components such as patented program logic or sensitive data. When those components are reverse-engineered by adversaries, it can cause significant damage (e.g., financial loss or operational failures). While protecting critical program components (e.g., code or data) in software systems is of utmost importance, existing approaches, unfortunately, have two major weaknesses: (1) they can be reverse-engineered via various program analysis techniques, and (2) when an adversary obtains a legitimate-looking critical program component, he or she can be sure that it is genuine.
In this paper, we propose Ambitr, a novel technique that hides critical program components. The core of Ambitr is the Ambiguous Translator, which generates the critical program components when the input is the correct secret key. The translator is ambiguous in that it accepts any input and produces a number of legitimate-looking outputs, making it difficult to know whether an input is the correct secret key or not. The executions of the translator when it processes the correct secret key and when it processes other inputs are also indistinguishable, making the analysis inconclusive. Our evaluation results show that static, dynamic, and symbolic analysis techniques fail to identify the hidden information in Ambitr. We also demonstrate that manual analysis of Ambitr is extremely challenging.


Cited By

  • (2022) Dazzle-attack: Anti-Forensic Server-side Attack via Fail-Free Dynamic State Machine. Information Security Applications, 10.1007/978-3-031-25659-2_15, pages 204-221. Online publication date: 24-Aug-2022


      Published In

      ICSE '22: Proceedings of the 44th International Conference on Software Engineering
      May 2022, 2508 pages
      ISBN: 9781450392211
      DOI: 10.1145/3510003
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      In-Cooperation: IEEE CS

      Publisher: Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. program translation
      2. reverse engineering
      3. software protection

      Conference: ICSE '22

      Overall Acceptance Rate: 276 of 1,856 submissions, 15%
