Control Flow Graph Based Attacks: In the Context of Flattened Programs
KTH, School of Computer Science and Communication (CSC).
2014 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis
Abstract [en]

This report addresses de-obfuscation of programs. The targeted obfuscation scheme is control flow flattening, an obfuscation method that focuses on hiding the control flow of a program. This scheme introduces a special block, named the dispatcher, into the program. The control flow of the program is restructured so that it is directed back to the dispatcher whenever the execution of a basic block ends. As a result, in the flattened program each basic block can appear to be a predecessor or a successor of any other basic block, while the real control flow of the program is disclosed only during execution.

This report aims to remove the dispatcher added to the flattened program and to rebuild the control flow of the original program. To achieve this, the report presents a de-obfuscation model based on the Control Flow Graph of an obfuscated program. The de-flattening model makes use of both static analysis and dynamic analysis.

The de-flattening model primarily relies on execution paths, which are obtained by executing a program dynamically. The idea is that, after the dispatcher block is eliminated from the execution paths, the real control flow of the original program is disclosed. Based on these real execution paths, the control flow of the program without obfuscation can then be constructed.

In order to obtain the full program structure, we need to gather execution paths that result in full coverage of the program. This can hardly be achieved with dynamic analysis alone, so static analysis is introduced. In the de-flattening model, the execution paths within a program are computed with the assistance of dynamic execution path analysis, which is a study to statically compute the feasible paths in a program by solving logical formulas obtained during the exploration of the program code. With this static analysis method, the model is adequate to reverse the flattened program to its original structure.

Obfuscated programs are distributed as binaries; our research provides insights into de-obfuscation on binaries directly. In addition, the de-flattening result obtained in the report is valuable for improving existing code obfuscation techniques.
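The trace-based step described in the abstract, as an added example that is not code from the thesis: it removes the dispatcher from recorded execution paths and rebuilds the control flow from what remains. The block labels, the constructed traces and the degree-based heuristic for spotting the dispatcher are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed traces of a flattened program: basic-block labels in execution
# order. "D" plays the dispatcher; every real block returns to it when it ends.
TRACES = [
    ["entry", "D", "A", "D", "B", "D", "A", "D", "B", "D", "C", "D", "exit"],
    ["entry", "D", "A", "D", "C", "D", "exit"],
]

def edges_of(traces):
    """Return the CFG edges observed in the traces as block -> successors."""
    cfg = defaultdict(set)
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            cfg[src].add(dst)
    return cfg

def find_dispatcher(traces):
    """Heuristic (an assumption): the dispatcher is the block with the most
    distinct predecessors plus successors in the flattened graph."""
    cfg = edges_of(traces)
    preds = defaultdict(set)
    for src, dsts in list(cfg.items()):
        for dst in dsts:
            preds[dst].add(src)
    blocks = sorted(set(cfg) | set(preds))
    return max(blocks, key=lambda b: len(cfg[b]) + len(preds[b]))

def deflatten(traces, dispatcher=None):
    """Drop the dispatcher from every trace and rebuild the real CFG."""
    dispatcher = dispatcher or find_dispatcher(traces)
    real = [[b for b in t if b != dispatcher] for t in traces]
    return {src: sorted(dsts) for src, dsts in edges_of(real).items()}

if __name__ == "__main__":
    print("dispatcher:", find_dispatcher(TRACES))
    for block, succs in deflatten(TRACES).items():
        print(f"{block} -> {', '.join(succs)}")
    # With a single trace the edge A -> B is never observed, which is the
    # coverage gap the abstract fills with statically computed paths.
    print("partial:", deflatten(TRACES[1:]))
```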

National Category
Computer Science
URN: urn:nbn:se:kth:diva-155770; OAI: diva2:762870
Available from: 2014-11-19; Created: 2014-11-13; Last updated: 2014-11-19; Bibliographically approved

Open Access in DiVA

fulltext (1477 kB), 1307 downloads
File information
File name: FULLTEXT01.pdf; File size: 1477 kB; Checksum SHA-512
Type: fulltext; Mimetype: application/pdf

Total: 1307 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.

Total: 88 hits