[THESIS DEFENSE] Ramtine TOFIGHI SHIRAZI - "Evaluation of binary obfuscation methods"

On December 16, 2019

13:30 - IMAG auditorium
The PhD student Ramtine TOFIGHI SHIRAZI will defend his thesis, entitled "Evaluation of binary obfuscation methods", on Monday, November 16 at 13:30 in the IMAG auditorium.

Thesis summary

"Code obfuscation is seen as an information management strategy designed to obscure the meaning that can be derived from software, while preserving its original functionality. Currently, obfuscation is used as a mechanism for the protection of intellectual property, but also to conceal the malicious behavior of some binary code. Therefore, the evaluation of obfuscation methods is an open question, which is often answered by de-obfuscation methodologies. The process of de-obfuscation consists of reverse engineering methods that evaluate the strength of the applied obfuscation protections. However, these methods often focus on specific protections.
This thesis deals with the evaluation of obfuscation transformations applied to binary codes. The goal is to provide different studies and methodologies to assist evaluators and reverse engineers in the analysis of obfuscated software. The process of de-obfuscation can be seen under different approaches, such as the removal of one or more transformations, the simplification of the program or the collection of information called "metadata" about the obfuscated code. In this thesis, we contribute to each de-obfuscation approach as described in the following paragraphs.
The first contribution is a program simplification approach. It is a de-obfuscation methodology based on semantic code equivalence, called DoSE. DoSE mainly makes it possible to simplify the binary code by checking the syntactic and semantic equivalence of portions of a binary code. This check eliminates the new obfuscation transformations that hinder advanced de-obfuscation analysis based on dynamic and symbolic code analysis.
The second contribution consists of an obfuscation transformation suppression approach. Based on an automated and supervised learning methodology, our approach aims to detect and then remove a specific but widely used obfuscation scheme, named opaque predicates. To our knowledge, this is the first obfuscation transformation elimination methodology using machine learning techniques.
The third contribution of this thesis is based on a method of collecting protected code metadata. Using advanced machine learning and semantic reasoning techniques, the proposed methodology allows analysts to identify multiple layers of obfuscation transformations applied to the binary code, which is an important step prior to removing these protections.
In this thesis, we studied different de-obfuscation approaches for the static evaluation of obfuscation transformations. We mainly focused on static semantic reasoning, combining it with well-known techniques from other areas of research, such as binary differentiation and machine learning. We also studied and developed several de-obfuscation frameworks, one for each of the following approaches: simplifying the obfuscated code, suppressing obfuscation transformations, or collecting information on the applied protections. Our methodologies and tools were evaluated on well-known malware and obfuscation tools that implement complex and widely used obfuscation transformations."
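To make the simplification and opaque-predicate steps of the summary concrete, here is an added toy example (not code from the thesis, from DoSE, or from the page): a constructed always-true opaque predicate guarding a dead branch, an exhaustive semantic check over 8-bit inputs that flags the predicate as invariant, and an equivalence check confirming that the fragment with the dead branch removed computes the same function. All function names, constants and the 8-bit input model are assumptions made for the illustration.

```python
# Added example (not from the thesis or the page): toy semantic checks of the
# kind the abstract describes, run over every 8-bit input (constructed model).

MASK = 0xFF  # inputs are modelled as 8-bit unsigned values
ALL_INPUTS = range(1 << 8)


def opaque_predicate(x: int) -> bool:
    """Classic always-true predicate: x*(x+1) is even for every integer x."""
    return ((x * (x + 1)) & MASK) % 2 == 0


def real_predicate(x: int) -> bool:
    """Genuinely input-dependent condition, used as a control case."""
    return x & 1 == 0


def obfuscated_fragment(x: int) -> int:
    """Constructed obfuscated code: the else branch is dead because the
    predicate is opaque, but a purely syntactic reader cannot tell."""
    if opaque_predicate(x):
        return (x ^ 0x5A) & MASK
    return (x + 0x13) & MASK  # never executed


def simplified_fragment(x: int) -> int:
    """Candidate simplification: predicate and dead branch removed."""
    return (x ^ 0x5A) & MASK


def predicate_is_invariant(pred):
    """Semantic reasoning step: return (True, value) when `pred` yields the
    same value on every modelled input, i.e. it behaves as an opaque
    predicate; otherwise return (False, None)."""
    seen = {pred(x) for x in ALL_INPUTS}
    if len(seen) == 1:
        return True, seen.pop()
    return False, None


def semantically_equivalent(f, g) -> bool:
    """Equivalence check: do f and g agree on every modelled input?"""
    return all(f(x) == g(x) for x in ALL_INPUTS)


if __name__ == "__main__":
    print("opaque_predicate invariant:", predicate_is_invariant(opaque_predicate))
    print("real_predicate invariant:", predicate_is_invariant(real_predicate))
    print("simplification sound:",
          semantically_equivalent(obfuscated_fragment, simplified_fragment))
```

On real binaries the exhaustive loop is only tractable for tiny bit-widths; the same two questions are asked of a symbolic model or an SMT solver instead.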

Defense jury

  • Irina Mariuca ASAVOAE, Trusted Labs/Thales (Examiner)
  • Philippe ELBAZ-VINCENT, UGA/Institut Fourier (Thesis supervisor)
  • Aurélien FRANCILLON, Eurecom/S3 (Reviewer)
  • Louis GOUBIN, UVSQ/Laboratoire de Mathématiques de Versailles (Reviewer)
  • Sébastien JOSSE, DGA MI (Examiner)
  • Igor MUTTIK, Royal Holloway, University of London (Examiner)
  • Marie-Laure POTET, Grenoble INP/Verimag (Examiner)
  • Guenael RENAULT, Ecole Polytechnique/LIX (Examiner)

Published on August 5, 2020
