Probfuscation: An Obfuscation Approach using Probabilistic Control Flows
Andre Pawlowski, Moritz Contag, Thorsten Holz
Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Donostia-San Sebastián, Spain, July 2016
Sensitive parts of a program, such as proprietary algorithms or licensing information, are often protected with the help of code obfuscation techniques. Many obfuscation schemes transform the control flow of the protected program. Typically, the control flow of obfuscated programs is deterministic, i.e., recorded execution traces do not differ for multiple executions using the same input values. An adversary can take advantage of this behavior and create multiple traces to perform analyses on the target program in order to deobfuscate it.
In this paper, we introduce an obfuscation approach which yields "probabilistic control flow" within a given method. That is, for the same input values, multiple execution traces differ, whilst preserving semantics. This effectively renders analyses relying on multiple traces impractical. We have implemented a prototype and applied it to several different programs. Our experimental results show that our approach can be used to ensure divergent traces for the same input values and that it can significantly improve the resilience against dynamic analysis.[GitHub] [PDF]