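Abstract
Binary obfuscation plays an important role in evading malware analysis and in preventing tampering through reverse engineering. Some widely used obfuscation techniques focus on syntax-based detection, and semantics-based analysis techniques were proposed many years ago to prevent detection evasion. In recent years, binary obfuscation techniques that take statistical features and semantics into account have begun to be proposed; these methods start to pay attention to the concealment of obfuscation, but on the whole they are inefficient or cannot meet security requirements at the same time. This paper proposes a binary obfuscation technique for Android mobile applications based on Huffman coding and LZW coding, which takes strength, overhead and concealment into account and is capable of evading detection based on statistical properties and semantic features. The technique constructs the instruction encoding tables required for obfuscation. On the one hand, it uses the encoding tables to scramble the original instruction sequence, improving the concealment of the obfuscation; on the other hand, it separates the core encoding table from the code execution data segment and, by means of white-box AES encryption, improves the security of the obfuscation technique itself while hiding the key and the key lookup algorithm. A prototype tool for the technique, ObfusDroid, was developed. Finally, the technique is evaluated and discussed in terms of security strength, overhead, platform adaptability and concealment.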
Binary obfuscation plays an essential role in evading malware analysis and preventing tampering through reverse engineering. Some widely used code obfuscation techniques focus on evading syntax-based detection; however, semantic analysis techniques have been developed to thwart their evasion attempts. Recently, some binary obfuscation techniques with the potential to evade both statistical and semantic detection have been proposed, taking concealment into account but lacking efficiency or security strength. This study proposes a binary obfuscation technique for mobile apps based on LZW and Huffman encoding that offers the potential to evade both statistical and semantic detection while taking intensity and concealment into account. This technique constructs the required instruction encoding tables. On one hand, it scrambles the sequence of original instructions with the encoding tables to improve intensity and concealment. On the other hand, it reinforces intensity by separating the encoding tables, encrypted by white-box AES, from the code segment, concealing the key and lookup algorithm in order to evade attacks on keys. A prototype tool for this technique, called ObfusDroid, is put forward, and an evaluation of ObfusDroid is given from the aspects of intensity, cost, compatibility and concealment to demonstrate its capability of evading statistical analysis.
Source
Journal of Software (《软件学报》)
EI
CSCD
Peking University Core Journals (北大核心)
2017, Issue 9, pp. 2264-2280 (17 pages)
Funding
National High Technology Research and Development Program of China (863 Program) (2015AA017202)