Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools

Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools. Ninon Eyrolles Ph.D. Thesis, Université Paris Saclay, June, 2017. https://github.com/quarkslab/sspam/

Paper abstract bibtex

Software obfuscation is a software protection technique that transforms code in order to make its analysis more difficult by reverse-engineering. Mixed Boolean-Arithmetic (MBA) expressions are an obfuscation technique introduced in 2007 and used in real life products. They are presented as a strong data flow obfuscation technique, even though there is little literature on the design and analysis of such obfuscated expressions. In our study, we structured the subject of MBA obfuscation and linked it to other topics, mainly cryptography, rewriting and bit-vector logic. We also reconstructed an MBA obfuscation implementation from public samples. We studied the meaning of simplifying an obfuscated expression, and defined our own simplicity metrics for MBA expressions. Our study of MBA simplification yielded the implementation of two deobfuscation tools that successfully simplified several public examples of obfuscated expressions. Finally, we assessed the resilience of the MBA obfuscation with respect to our simplification algorithms (as well as other deobfuscation techniques), concluding that the MBA obfuscation technique offers little resilience as it is, and we proposed new ideas to improve it.

@phdthesis{ninon_eyrolles_obfuscation_2017,
	type = {{PhD}},
	title = {Obfuscation with {Mixed} {Boolean}-{Arithmetic} {Expressions}:  {Reconstruction}, {Analysis} and {Simplification} {Tools}},
	url = {https://blog.quarkslab.com/resources/2017-06-09-nouthese-soutenance/thesis.pdf},
	abstract = {Software obfuscation is a software protection technique that transforms code in order to make its analysis more difficult by reverse-engineering. Mixed Boolean-Arithmetic (MBA) expressions are an obfuscation technique introduced in 2007 and used in real life products. They are presented as a strong data flow obfuscation technique, even though there is little literature on the design and analysis of such obfuscated expressions. In our study, we structured the subject of MBA obfuscation and linked it to other topics, mainly cryptography, rewriting and bit-vector logic. We also reconstructed an MBA obfuscation implementation from public samples. We studied the meaning of simplifying an obfuscated expression, and defined our own simplicity metrics for MBA expressions. Our study of MBA simplification yielded the implementation of two deobfuscation tools that successfully simplified several public examples of obfuscated expressions. Finally, we assessed the resilience of the MBA obfuscation with respect to our simplification algorithms (as well as other deobfuscation techniques), concluding that the MBA obfuscation technique offers little resilience as it is, and we proposed new ideas to improve it.},
	school = {Université Paris Saclay},
	author = {{Ninon Eyrolles}},
	month = jun,
	year = {2017},
	note = {https://github.com/quarkslab/sspam/},
	keywords = {Mixed Boolean-Arithmetic, Obfuscation, Software protection, uses sympy},
}

Downloads: 0

{"_id":"gwpH5h5uWQfF9dFKw","bibbaseid":"ninoneyrolles-obfuscationwithmixedbooleanarithmeticexpressionsreconstructionanalysisandsimplificationtools-2017","authorIDs":[],"author_short":["Ninon Eyrolles"],"bibdata":{"bibtype":"phdthesis","type":"PhD","title":"Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools","url":"https://blog.quarkslab.com/resources/2017-06-09-nouthese-soutenance/thesis.pdf","abstract":"Software obfuscation is a software protection technique that transforms code in order to make its analysis more difficult by reverse-engineering. Mixed Boolean-Arithmetic (MBA) expressions are an obfuscation technique introduced in 2007 and used in real life products. They are presented as a strong data flow obfuscation technique, even though there is little literature on the design and analysis of such obfuscated expressions. In our study, we structured the subject of MBA obfuscation and linked it to other topics, mainly cryptography, rewriting and bit-vector logic. We also reconstructed an MBA obfuscation implementation from public samples. We studied the meaning of simplifying an obfuscated expression, and defined our own simplicity metrics for MBA expressions. Our study of MBA simplification yielded the implementation of two deobfuscation tools that successfully simplified several public examples of obfuscated expressions. Finally, we assessed the resilience of the MBA obfuscation with respect to our simplification algorithms (as well as other deobfuscation techniques), concluding that the MBA obfuscation technique offers little resilience as it is, and we proposed new ideas to improve it.","school":"Université Paris Saclay","author":[{"firstnames":[],"propositions":[],"lastnames":["Ninon Eyrolles"],"suffixes":[]}],"month":"June","year":"2017","note":"https://github.com/quarkslab/sspam/","keywords":"Mixed Boolean-Arithmetic, Obfuscation, Software protection, uses sympy","bibtex":"@phdthesis{ninon_eyrolles_obfuscation_2017,\n\ttype = {{PhD}},\n\ttitle = {Obfuscation with {Mixed} {Boolean}-{Arithmetic} {Expressions}: {Reconstruction}, {Analysis} and {Simplification} {Tools}},\n\turl = {https://blog.quarkslab.com/resources/2017-06-09-nouthese-soutenance/thesis.pdf},\n\tabstract = {Software obfuscation is a software protection technique that transforms code in order to make its analysis more difficult by reverse-engineering. Mixed Boolean-Arithmetic (MBA) expressions are an obfuscation technique introduced in 2007 and used in real life products. They are presented as a strong data flow obfuscation technique, even though there is little literature on the design and analysis of such obfuscated expressions. In our study, we structured the subject of MBA obfuscation and linked it to other topics, mainly cryptography, rewriting and bit-vector logic. We also reconstructed an MBA obfuscation implementation from public samples. We studied the meaning of simplifying an obfuscated expression, and defined our own simplicity metrics for MBA expressions. Our study of MBA simplification yielded the implementation of two deobfuscation tools that successfully simplified several public examples of obfuscated expressions. Finally, we assessed the resilience of the MBA obfuscation with respect to our simplification algorithms (as well as other deobfuscation techniques), concluding that the MBA obfuscation technique offers little resilience as it is, and we proposed new ideas to improve it.},\n\tschool = {Université Paris Saclay},\n\tauthor = {{Ninon Eyrolles}},\n\tmonth = jun,\n\tyear = {2017},\n\tnote = {https://github.com/quarkslab/sspam/},\n\tkeywords = {Mixed Boolean-Arithmetic, Obfuscation, Software protection, uses sympy},\n}\n\n\n\n","author_short":["Ninon Eyrolles"],"key":"ninon_eyrolles_obfuscation_2017","id":"ninon_eyrolles_obfuscation_2017","bibbaseid":"ninoneyrolles-obfuscationwithmixedbooleanarithmeticexpressionsreconstructionanalysisandsimplificationtools-2017","role":"author","urls":{"Paper":"https://blog.quarkslab.com/resources/2017-06-09-nouthese-soutenance/thesis.pdf"},"keyword":["Mixed Boolean-Arithmetic","Obfuscation","Software protection","uses sympy"],"metadata":{"authorlinks":{}},"downloads":0},"bibtype":"phdthesis","biburl":"https://bibbase.org/zotero-group/nicoguaro/525293","creationDate":"2020-07-15T19:11:20.637Z","downloads":0,"keywords":["mixed boolean-arithmetic","obfuscation","software protection","uses sympy"],"search_terms":["obfuscation","mixed","boolean","arithmetic","expressions","reconstruction","analysis","simplification","tools","ninon eyrolles"],"title":"Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools","year":2017,"dataSources":["YtBDXPDiQEyhyEDZC","fhHfrQgj3AaGp7e9E","qzbMjEJf5d9Lk78vE","45tA9RFoXA9XeH4MM","MeSgs2KDKZo3bEbxH","nSXCrcahhCNfzvXEY","ecatNAsyr4f2iQyGq","tpWeaaCgFjPTYCjg3"]}