Towards Static Analysis of Virtualization-Obfuscated Binaries. / Kinder, Johannes.

Proc. 19th Working Conf. Reverse Engineering (WCRE 2012). IEEE, 2012. p. 61-70.

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Published


Harvard

Kinder, J 2012, Towards Static Analysis of Virtualization-Obfuscated Binaries. in Proc. 19th Working Conf. Reverse Engineering (WCRE 2012). IEEE, pp. 61-70. https://doi.org/10.1109/WCRE.2012.16

APA

Kinder, J. (2012). Towards Static Analysis of Virtualization-Obfuscated Binaries. In Proc. 19th Working Conf. Reverse Engineering (WCRE 2012) (pp. 61-70). IEEE. https://doi.org/10.1109/WCRE.2012.16

Vancouver

Kinder J. Towards Static Analysis of Virtualization-Obfuscated Binaries. In Proc. 19th Working Conf. Reverse Engineering (WCRE 2012). IEEE. 2012. p. 61-70. https://doi.org/10.1109/WCRE.2012.16

Author

Kinder, Johannes. / Towards Static Analysis of Virtualization-Obfuscated Binaries. Proc. 19th Working Conf. Reverse Engineering (WCRE 2012). IEEE, 2012. pp. 61-70

BibTeX

@inproceedings{b6b3936250364ef59f4fe36b1d327254,
title = "Towards Static Analysis of Virtualization-Obfuscated Binaries",
abstract = "Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into bytecode for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible. In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and bytecode. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the bytecode program. To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal bytecode locations only. We lift an existing analysis implemented in the Jakstab static analyzer and present preliminary results for processing a virtualization-obfuscated binary.",
author = "Johannes Kinder",
year = "2012",
month = oct,
doi = "10.1109/WCRE.2012.16",
language = "English",
pages = "61--70",
booktitle = "Proc. 19th Working Conf. Reverse Engineering (WCRE 2012)",
publisher = "IEEE",
}

RIS

TY - GEN

T1 - Towards Static Analysis of Virtualization-Obfuscated Binaries

AU - Kinder, Johannes

PY - 2012/10

Y1 - 2012/10

N2 - Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into bytecode for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible. In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and bytecode. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the bytecode program. To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal bytecode locations only. We lift an existing analysis implemented in the Jakstab static analyzer and present preliminary results for processing a virtualization-obfuscated binary.

AB - Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into bytecode for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible. In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and bytecode. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the bytecode program. To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal bytecode locations only. We lift an existing analysis implemented in the Jakstab static analyzer and present preliminary results for processing a virtualization-obfuscated binary.

U2 - 10.1109/WCRE.2012.16

DO - 10.1109/WCRE.2012.16

M3 - Conference contribution

SP - 61

EP - 70

BT - Proc. 19th Working Conf. Reverse Engineering (WCRE 2012)

PB - IEEE

ER -