Control Flow Graph Based Attacks: In the Context of Flattened Programs
KTH, School of Computer Science and Communication (CSC).
2014 (English)
Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]

This report addresses the de-obfuscation of programs. The targeted obfuscation scheme is control flow flattening, an obfuscation method that focuses on hiding the control flow of a program. This scheme introduces a special block, named the dispatcher, into the program. The control flow of the program is restructured so that it is directed back to the dispatcher whenever the execution of a basic block ends. As a result, in the flattened program, each basic block could be recognized as a predecessor or a successor of any other basic block, while the real control flow of the program is disclosed only during the execution of the program.

This report aims to remove the dispatcher added to the flattened program and rebuild the control flow of its original program. To achieve these targets, this report presents a de-obfuscation model based on the Control Flow Graph of an obfuscated program. The de-flattening model makes use of both static analysis and dynamic analysis.

The de-flattening model primarily relies on execution paths, which are obtained by executing a program dynamically. The idea is that in the execution paths, after eliminating the dispatcher block, the real control flow of the original program is disclosed. Then, based on these real execution paths, the control flow of the program without obfuscation can be constructed.

In order to obtain the full program structure, we need to gather the execution paths that result in full coverage of the program. With dynamic analysis alone, this can hardly be achieved. Therefore, static analysis is introduced. In the de-flattening model, the execution paths within a program are computed with the assistance of dynamic execution path analysis, which is a study to statically compute the feasible paths in a program by solving logical formulas obtained during the exploration of the program code.

With this static analysis method, the model is adequate to reverse the flattened program to its original structure. Obfuscated programs are distributed as binaries; our research provides insights into de-obfuscating binaries directly. In addition, the de-flattening result obtained in the report is valuable for improving existing code obfuscation techniques.

Place, publisher, year, edition, pages
2014.
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-155770
OAI: oai:DiVA.org:kth-155770
DiVA: diva2:762870
Examiners
Available from: 2014-11-19 Created: 2014-11-13 Last updated: 2014-11-19 Bibliographically approved

Open Access in DiVA

fulltext (1477 kB), 1685 downloads
File information
File name: FULLTEXT01.pdf
File size: 1477 kB
Checksum (SHA-512): 03cb377c9bf665a52d949a8659a9e3fc64ab1ba06f911b344f72004aaac306d43de10db5e4e995a8c556f7ffe617aaf840b810254c3763f324059dca614b3c63
Type: fulltext
Mimetype: application/pdf
