University of Twente Student Theses


Combining program synthesis and symbolic execution to deobfuscate binary code

Coniglio, Luigi (2019) Combining program synthesis and symbolic execution to deobfuscate binary code.

[img] PDF
Abstract:Program synthesis consists in automatically derive a program from a high-level specification. In the field of reverse engineering, program synthesis is gaining popularity as a way to deobfuscate obfuscated programs, given their input/output behaviour. However, most state-of-the-art deobfuscation approaches based on program synthesis assume only black-box oracle access to the obfuscated program, thus trying to solve a harder problem than practical code deobfuscation. We present a novel program deobfuscation method combining program synthesis and symbolic execution. Our approach works by using symbolic execution to extract the semantic of the obfuscated program and construct an Abstract Syntax Tree (AST) representation of the operations executed. This information is then used to reduce synthesis search space to independent sub-portions of the program. In particular our approach involves the use program synthesis to iteratively simplify the program AST. Our simplification method is independent from the synthesis technique in use. In the context of our work we also illustrate and apply a program synthesis technique based on pre-computed lookup-tables. We validate our approach on three datasets of different levels of difficulty, consisting each of 500 randomly generated expressions obfuscated using the popular obfuscation tool Tigress. The results on our datasets show that our approach outperforms current state-of-the-art deobfuscation techniques based on program synthesis.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page