SaTC: CORE: Small: Beat Modern Virtualization Obfuscation at Their Own Game: A Bottom-Up Deobfuscation Approach

SaTC：核心：小型：在自己的游戏中击败现代虚拟化混淆：自下而上的反混淆方法

• 批准号: 2211905
• 负责人: Dongpeng Xu
• 金额: $ 60万
• 依托单位: University of New Hampshire
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-01-01 至 2025-12-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2211905&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Beat; Modern

Obfuscation technology has been widely adopted by writers of malicious code (malware) to circumvent defense solutions. The goal of obfuscation is to transform malware into an equivalent, but highly complex form that hides the malware's structure and hinders automatic detection solutions and even manual inspection by security analysts. Rapid analysis of obfuscated malware is vital for a swift response to emerging threats, such as ransomware. This research project advances human knowledge on defeating obfuscated malware. The project's novelties are the new knowledge revealed from the state-of-the-art obfuscation, the new techniques designed for extracting the knowledge, and the new deobfuscation methods for understanding such type of stealthy malware. The project's broader significance and importance are new cybersecurity learning experiences for K-12/undergraduate/graduate students, and new technologies for national cybersecurity against a wide range of emerging malware threats, with high potential for transition to practice. The insight of this project is to leverage the virtualization technique itself to beat modern virtualization obfuscators. Two major features play a crucial role in the success of virtualization obfuscation: sophistication (the obfuscated form is very complex and different from the original program) and diversification (multiple obfuscated forms of the same program strikingly vary). These features heavily impede existing deobfuscation techniques that rely on recognizing special virtual machine patterns or treating the whole virtualization as a black box. This project invents and implements a series of novel methods to: (1) comprehensively probe the sophisticated structures inside virtual machines, such as interpretation architecture, virtual instructions, and handler encryption, (2) reveal the core techniques to combine, mutate, and randomize diverse virtual machines, and (3) build a new, interpretable virtual machine specifically for deobfuscation, which can be stitched into a simple, executable program as the deobfuscation result. The new techniques developed from this project effectively free security professionals from the painful, tedious deobfuscation steps incurred in malware analysis.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

恶意代码（恶意软件）的作者广泛采用了混淆技术，以规避国防解决方案。混淆的目的是将恶意软件转变为一种相当但高度复杂的形式，该形式隐藏了恶意软件的结构，并阻碍了安全分析师的自动检测解决方案，甚至可以手动检查。对混淆的恶意软件的快速分析对于快速对新兴威胁（例如勒索软件）的响应至关重要。该研究项目促进了人类关于击败混淆的恶意软件的知识。该项目的新知识是从最新的混淆，旨在提取知识的新技术以及用于理解这种类型的隐身恶意软件的新技术。该项目的重要性和重要性是针对K-12/本科/研究生的新网络安全学习经验，以及针对各种新兴恶意软件威胁的全国网络安全技术的新技术，具有较高的实践潜力。该项目的见解是利用虚拟化技术本身击败现代虚拟化混淆器。两个主要特征在虚拟化混淆的成功中起着至关重要的作用：复杂性（混淆形式非常复杂，与原始程序不同）和多样化（同一程序的多种混淆形式的多种相同形式的变化）。这些功能极大地阻碍了现有的去量化技术，这些技术依赖于识别特殊的虚拟机模式或将整个虚拟化视为黑匣子。 This project invents and implements a series of novel methods to: (1) comprehensively probe the sophisticated structures inside virtual machines, such as interpretation architecture, virtual instructions, and handler encryption, (2) reveal the core techniques to combine, mutate, and randomize diverse virtual machines, and (3) build a new, interpretable virtual machine specifically for deobfuscation, which can be stitched into a simple, executable program as DEOBFUSCATION结果。该项目开发的新技术有效地从恶意软件分析中产生的痛苦，乏味的去滥用步骤中有效地免费。该奖项反映了NSF的法定任务，并认为值得通过基金会的知识分子的智力优点和更广泛的影响来通过评估来提供支持。

项目成果

No Free Lunch: On the Increased Code Reuse Attack Surface of Obfuscated Programs

• DOI: 10.1109/dsn58367.2023.00039
• 发表时间: 2023-06
• 期刊: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Naiqian Zhang;Daroc Alden;Dongpeng Xu;Shuai Wang;T. Jaeger;Wheeler Ruml