SaTC: CORE: Small: Beat Modern Virtualization Obfuscation at Their Own Game: A Bottom-Up Deobfuscation Approach

SaTC：核心：小型：在自己的游戏中击败现代虚拟化混淆：自下而上的反混淆方法

• 批准号: 2211905
• 负责人: Dongpeng Xu
• 金额: $ 60万
• 依托单位: University of New Hampshire
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-01-01 至 2025-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2211905&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Beat; Modern

Obfuscation technology has been widely adopted by writers of malicious code (malware) to circumvent defense solutions. The goal of obfuscation is to transform malware into an equivalent, but highly complex form that hides the malware's structure and hinders automatic detection solutions and even manual inspection by security analysts. Rapid analysis of obfuscated malware is vital for a swift response to emerging threats, such as ransomware. This research project advances human knowledge on defeating obfuscated malware. The project's novelties are the new knowledge revealed from the state-of-the-art obfuscation, the new techniques designed for extracting the knowledge, and the new deobfuscation methods for understanding such type of stealthy malware. The project's broader significance and importance are new cybersecurity learning experiences for K-12/undergraduate/graduate students, and new technologies for national cybersecurity against a wide range of emerging malware threats, with high potential for transition to practice. The insight of this project is to leverage the virtualization technique itself to beat modern virtualization obfuscators. Two major features play a crucial role in the success of virtualization obfuscation: sophistication (the obfuscated form is very complex and different from the original program) and diversification (multiple obfuscated forms of the same program strikingly vary). These features heavily impede existing deobfuscation techniques that rely on recognizing special virtual machine patterns or treating the whole virtualization as a black box. This project invents and implements a series of novel methods to: (1) comprehensively probe the sophisticated structures inside virtual machines, such as interpretation architecture, virtual instructions, and handler encryption, (2) reveal the core techniques to combine, mutate, and randomize diverse virtual machines, and (3) build a new, interpretable virtual machine specifically for deobfuscation, which can be stitched into a simple, executable program as the deobfuscation result. The new techniques developed from this project effectively free security professionals from the painful, tedious deobfuscation steps incurred in malware analysis.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

混淆技术已被恶意代码(恶意软件)编写者广泛采用，以规避防御解决方案。混淆的目标是将恶意软件转换为同等但高度复杂的形式，隐藏恶意软件的结构，阻碍自动检测解决方案，甚至安全分析师的手动检查。快速分析混淆的恶意软件对于快速响应新出现的威胁(如勒索软件)至关重要。这项研究项目提高了人类在击败混淆恶意软件方面的知识。该项目的新颖性是从最先进的混淆中揭示的新知识，为提取知识而设计的新技术，以及理解此类隐形恶意软件的新的去混淆方法。该项目的更广泛的意义和重要性是为K-12/本科生/研究生提供的新的网络安全学习经验，以及针对广泛出现的恶意软件威胁的国家网络安全的新技术，具有很高的过渡到实践的潜力。这个项目的洞察力是利用虚拟化技术本身来击败现代的虚拟化混淆器。两个主要功能在虚拟化混淆的成功中起着至关重要的作用：复杂性(混淆后的形式非常复杂，与原始程序不同)和多样化(同一程序的多个混淆形式显著不同)。这些功能严重阻碍了现有的去模糊技术，这些技术依赖于识别特殊的虚拟机模式或将整个虚拟化视为黑匣子。该项目发明并实现了一系列新颖的方法来：(1)全面探索虚拟机内部的复杂结构，如解释体系结构、虚拟指令和句柄加密；(2)揭示合并、变异和随机化不同虚拟机的核心技术；(3)构建专门用于去模糊的新的、可解释的虚拟机，可以将其缝合成简单的、可执行的程序作为去模糊的结果。该项目开发的新技术有效地将安全专业人员从恶意软件分析中产生的痛苦、乏味的去模糊步骤中解放出来。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

No Free Lunch: On the Increased Code Reuse Attack Surface of Obfuscated Programs

• DOI: 10.1109/dsn58367.2023.00039
• 发表时间: 2023-06
• 期刊: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Naiqian Zhang;Daroc Alden;Dongpeng Xu;Shuai Wang;T. Jaeger;Wheeler Ruml