CSE: A Novel Dynamic Obfuscation Based on Control Flow, Signals and Encryption

Document Type : Research Article

Authors

1 Department of Electrical and Computer Engineering, University of Torbat Heydarieh, Iran.

2 Abolmatakher Str. - Bozorgmehr University of Qaenat.

Abstract

Obfuscation, as one invasive strategy, is considered to be a defense strategy in the field of software and vital information protection against security threats. This paper proposes a new dynamic obfuscation method, called CSE, based on combining a triplet of control flow, signals and encryption of the management table (MT). This triplet exchanges and hides the control graph program. Then, it produces the MT that includes addresses to guide communication between instructions. A type of the stream cipher symmetric encryption (Spritz) applies to encrypt the MT. Also, a multi-objective function (the ability and the resiliency) based on six implementation metrics and two classic objective functions (the cost and the Mishra) are considered to evaluate the proposed obfuscation method. Therefore, the proposed triplet obfuscation method and the multi-objective functions are performed on a small program and a benchmark dataset. The results of our evaluations show that CSE has competitive advantages in comparison with other methods.

Keywords


[1] D. Maiorca, D. Ariu, I. Corona, M. Aresu, and G. Giacinto. Stealth attacks: An extended insight into the obfuscation effects on android malware. Computers & Security, 51(1):16--31, 2015. [ bib | DOI ]
[2] S. Schrittwieser and S. Katzenbeisser. Code obfuscation against static and dynamic reverse engineering. In International workshop on information hiding, pages 270--284. Springer, Berlin, Heidelberg, 2011. [ bib | DOI ]
[3] C. Barría, D. Cordero, C. Cubillos, and M. Palma. Proposed classification of malware, based on obfuscation. In 2016 6th International Conference on Computers Communications and Control (ICCCC), pages 37--44. IEEE, 2016. [ bib | DOI ]
[4] B. Hashemzade and A. Maroosi. Hybrid Obfuscation Using Signals and Encryption. Journal of Computer Networks and Communications, 2018, 2018. [ bib | DOI ]
[5] S. Hosseinzadeh, S. Rauti, S. Laurén, J. Mäkelä, J. Holvitie, S. Hyrynsalmi, and V. Leppänen. Diversification and obfuscation techniques for software security: A systematic literature review. Information and Software Technology, 104(8):72--93, 2018. [ bib | DOI ]
[6] M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns. Technical report, Wisconsin University-Madison on Departement of Computer Sciences, 2006. [ bib ]
[7] S. Romano, C. Vendome, G. Scanniello, and D. Poshyvanyk. A multi-study investigation into dead code. IEEE Transactions on Software Engineering, 46(1):71 -- 99, 2018. [ bib | DOI ]
[8] A. J. Smith, R. F. Mills, A. R. Bryant, G. L. Peterson, and M. R. Grimaila. REDIR: Automated static detection of obfuscated anti-debugging techniques. In 2014 International Conference on Collaboration Technologies and Systems (CTS), pages 173--180. IEEE, 2014. [ bib | DOI ]
[9] O. Mirzaei, de J. M. Fuentes, J. Tapiador, and L. Gonzalez-Manzano. AndrODet: An adaptive Android obfuscation detector. Future Generation Computer Systems, 90:240--261, 2019. [ bib | DOI ]
[10] S. Alrabaee, L. Wang, and M. Debbabi. BinGold: Towards robust binary analysis by extracting the semantics of binary code as semantic flow graphs (SFGs). Digital Investigation, 18:S11--S22, 2016. [ bib | DOI ]
[11] J. Ge, S. Chaudhuri, and A. Tyagi. Control flow based obfuscation. In Proceedings of the 5th ACM workshop on Digital rights management, pages 83--92. ACM, 2005. [ bib | DOI ]
[12] I. You and K. Yim. Malware Obfuscation Techniques: A Brief Survey. In 2010 International conference on broadband, wireless computing, communication and applications, pages 297--300. IEEE, 2010. [ bib | DOI ]
[13] E. Konstantinou and S. Wolthusen. Metamorphic virus: Analysis and detection. Technical report, Royal Holloway University of London, 2008. [ bib ]
[14] A. Cimitile, F. Martinelli, F. Mercaldo, V. Nardone, and A. Santone. Formal methods meet mobile code obfuscation identification of code reordering technique. In 2017 IEEE 26th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), pages 263--268. IEEE, 2017. [ bib | DOI ]
[15] C. Chen, M. Hasan, A. Ghassami, S. Mohan, and N. Kiyavash. REORDER: Securing Dynamic-Priority Real-Time Systems Using Schedule Obfuscation. arXiv preprint arXiv:1806.01393, 2018. [ bib ]
[16] Z. Guo, X. Xu, M. M. Tehranipoor, and D. Forte. EOP: An Encryption-Obfuscation Solution for Protecting PCBs Against Tampering and Reverse Engineering. arXiv preprint arXiv:1904.09516, 2019. [ bib ]
[17] N. Bitansky and V. Vaikuntanathan. Indistinguishability obfuscation from functional encryption. Journal of the ACM (JACM), 65(6):240--261, 2018. [ bib | DOI ]
[18] I. V. Popov, S. K. Debray, and G. R. Andrews. Binary Obfuscation Using Signals. In USENIX Security Symposium, pages 275--290, 2007. [ bib ]
[19] C. K. Behera and D. L. Bhaskari. Code obfuscation by using floating points and conditional statements. In Proceedings of the 4th International Conference on Frontiers in Intelligent Computing: Theory and Applications (FICTA) 2015, pages 569--578. Springer, New Delhi, 2015. [ bib | DOI ]
[20] S. Alam, I. Sogukpinar, I. Traore, and R. N. Horspool. Sliding window and control flow weight for metamorphic malware detection. Journal of Computer Virology and Hacking Techniques, 11(2):75--88, 2015. [ bib | DOI ]
[21] G. Shanmugam, R. M. Low, and M. Stamp. Simple substitution distance and metamorphic detection. Journal of Computer Virology and Hacking Techniques, 9(3):159–170, 2013. [ bib | DOI ]
[22] A. H. Toderici and M. Stamp. Chi-squared distance and metamorphic virus detection. Journal of Computer Virology and Hacking Techniques, 9(1):1–14, 2013. [ bib | DOI ]
[23] N. Runwal, R. M. Low, and M. Stamp. Opcode graph similarity and metamorphic detection. Journal in computer virology, 8(1-2):37--52, 2012. [ bib | DOI ]
[24] B. B. Rad, M. Masrom, and S. Ibrahim. Opcodes histogram for classifying metamorphic portable executables malware. In 2012 International Conference on e-Learning and e-Technologies in Education (ICEEE), pages 209--213. IEEE, 2012. [ bib | DOI ]
[25] T. H. Austin, E. Filiol, S. Josse, and M. Stamp. Exploring hidden markov models for virus analysis: a semantic approach. In 2013 46th Hawaii International Conference on System Sciences, pages 209--213. IEEE, 2013. [ bib | DOI ]
[26] C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical report, Department of Computer Science, University of Auckland, 1997. [ bib ]
[27] S. Martinez. Source code obfuscation by mean of evolutionary algorithms. Internship Report, University of Luxemborg August, 2012, 2011. [ bib ]
[28] P. OKane, S. Sezer, and K. McLaughlin. Obfuscation: The hidden malware. Journal in computer virology, 9(5):41 -- 47, 2011. [ bib | DOI ]
[29] R. L. Rivest and J. C. Schuldt. Spritz-a spongy RC4-like stream cipher and hash function. IACR Cryptology ePrint Archive, 2016. [ bib ]
[30] S. Alam, R. N. Horspool, I. Traore, and I. Sogukpinar. A framework for metamorphic malware analysis and real-time detection. computers & security, 48:212--233, 2015. [ bib | DOI ]
[31] I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas. Opcode sequences as representation of executables for data-mining-based unknown malware detection. Information Sciences, 231:64--82, 2013. [ bib | DOI ]
[32] A. Shabtai, R. Moskovitch, C. Feher, S. Dolev, and Y. Elovici. Detecting unknown malicious code by applying classification techniques on opcode patterns. Security Informatics, 1(1), 2012. [ bib | DOI ]
[33] P. OKane, S. Sezer, and K. McLaughlin. Methods for obfuscating Java programs. Journal of Mobile, Embedded and Distributed Systems, 4(1):25--30, 2012. [ bib ]
[34] W. Wong and M. Stamp. Hunting for metamorphic engines. Journal in Computer Virology, 2(3):211–229, 2006. [ bib | DOI ]