No Free Lunch: On the Increased Code Reuse Attack Surface of Obfuscated Programs

Naiqian Zhang, Daroc Alden, Dongpeng Xu, Shuai Wang, Trent Jaeger, Wheeler Ruml

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Obfuscation has been widely employed to protect software from the malicious reverse analysis. However, its security risks have not previously been studied in detail. For example, most obfuscation methods introduce large blocks of opaque code that are black boxes to normal users. In this paper, we show that, indeed, obfuscation can increase the attack risk. Existing gadget search tools, while able to find more gadgets in obfuscated code, do not succeed in assembling them into more exploits. However, these tools use strict pattern matching, greedy searching strategies, and only very simple gadgets. We develop Gadget-Planner, a more flexible approach to building code-reuse attacks that overcomes previous limitations via symbolic execution and automated planning. In a study across both benchmark and real-world programs, this approach finds many more exploit payloads on obfuscated programs, both in terms of number and diversity.

Original languageEnglish (US)
Title of host publicationProceedings - 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages313-326
Number of pages14
ISBN (Electronic)9798350347937
DOIs
StatePublished - 2023
Event53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023 - Porto, Portugal
Duration: Jun 27 2023Jun 30 2023

Publication series

NameProceedings - 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023

Conference

Conference53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2023
Country/TerritoryPortugal
CityPorto
Period6/27/236/30/23

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Cite this