TC: Small: Simplification of Obfuscated Executables

TC：小：模糊可执行文件的简化

• 批准号: 1115829
• 负责人: Saumya Debray
• 金额: $ 36.93万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2015-11-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1115829&HistoricalAwards=false
• 关键词: TC; Small; Simplification; Obfuscated; Executables

Programs with potentially malicious content are becoming increasingly common. Such programs are usually highly obfuscated, using a variety of techniques that make it difficult to analyze the code, figure out its internal logic, and develop countermeasures. Existing tools for reverse engineering such programs are primitive and require a great deal of tedious and time-consuming manual intervention, which hampers the timely development of defenses against newly discovered malware. This project aims to devise automatic techniques to simplify away these obfuscations and thereby make it significantly faster and easier to understand the internal logic of obfuscated code with potentially malicious content. The project uses dynamic program analysis techniques to identify instructions that affect the program's observable behavior; these instructions are then extracted and, where appropriate, simplified using equational techniques. Key research questions investigated include simplification in the face of arbitrary obfuscations and combinations of obfuscations, including (possibly multiple layers of) self-modification and emulation. The main impact of this project will be to make it easier and quicker for security researchers to figure out the internal logic of malware programs. This, in turn, will make it possible to respond more quickly to new malware and develop countermeasures to them faster and with less manual intervention. The effect will be to reduce the damage done by malware before they can be neutralized.

具有潜在恶意内容的程序正变得越来越普遍。这类程序通常是高度模糊的，使用各种技术，使其难以分析代码，找出其内部逻辑，并制定对策。 现有的逆向工程工具，这样的程序是原始的，需要大量的繁琐和耗时的手动干预，这阻碍了及时开发的防御新发现的恶意软件。 该项目旨在设计自动化技术来简化这些混淆，从而使其更快，更容易理解具有潜在恶意内容的混淆代码的内部逻辑。 该项目使用动态程序分析技术来识别影响程序可观察行为的指令;然后提取这些指令，并在适当的情况下使用等式技术进行简化。 研究的关键问题包括面对任意混淆和混淆组合的简化，包括（可能是多层）自我修改和仿真。该项目的主要影响将是使安全研究人员更容易和更快地找出恶意软件程序的内部逻辑。 反过来，这将使我们能够更快地响应新的恶意软件，并更快地开发对策，减少人工干预。 其效果将是在恶意软件被中和之前减少它们所造成的损害。