Publications

Zero Footprint Opaque Predicates: Synthesizing Opaque Predicates From Naturally Occurring Invariants

Abstract. A popular control-flow obfuscation approach used to protect software is inserting opaque predicates. However, recent research has questioned the usefulness of opaque predicates with the realization that simple heuristic attacks can effectively detect them. In this paper, we introduce a novel approach to construct opaque predicates that prevents both heuristic attacks and automated attacks by having opaque predicates syntactically and semantically resemble real predicates.

Our approach uses abstract interpretation to infer variables’ value sets. From each value set, we synthesize an opaque predicate that 1) evaluates all items in its value set to the same truth value and 2) shares real predicates’ common syntactic features.

Our opaque predicates syntactically resemble real predicates because they share real predicates’ common syntactic features and their invariants are naturally occurring as they are inferred from the program’s semantics. Previous approaches to constructing opaque predicates are susceptible to heuristic attacks because they use synthetic invariants that can inadvertently introduce unnatural code.

Our opaque predicates semantically resemble real predicates because the naturally occurring invariants they use are based on value sets. Like real predicates’ variables, our opaque predicates’ variables can also take on different values during runtime. From our evaluation, we show promising results that our opaque predicates can withstand automated attacks. Current state-of-the-art deobfuscation, dynamic symbolic execution, can only detect 41% of our opaque predicates.

Yu-Jye Tung, Ian G. Harris. DIMVA’21.
Paper | Paper (Springer's SharedIt) | Code | Slides

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly

Abstract. Opaque predicates are used to perform code obfuscation by injecting superfluous branches into the program. Superfluous branches are the gateways for junk bytes or unreachable code to inconspicuously mingle with authentic code instructions. In this paper, we focus on the case where opaque predicates introduce junk bytes, thus causing damage to the static disassembly process when junk bytes are also treated as code. Although introduced two decades ago, detecting opaque predicates is still an unsolved problem due to the flexibility in their constructions. Past works on detecting opaque predicates only detect opaque predicates with specific constructions. We propose a novel approach to opaque predicates detection that allows us to generically detect opaque predicates when the damage is the inserted junk bytes. Our proposed approach is the first to detect opaque predicates by identifying their corresponding superfluous branches through the damage caused by the obfuscation. Preliminary experiments show the potential of this novel approach by detecting opaque predicates of varied constructions.

Yu-Jye Tung, Ian G. Harris. BAR’20.
Paper | Code | Slides

Talks

An Effective Approach To Software Obfuscation

Abstract. Understanding the essential aspects that make up obfuscation allows us to see the fundamental flaw with modern obfuscation implementations and the right way to approach it. We use examples of modern obfuscation techniques to illustrate our points and demonstrate an example of the correct approach.

**Spoiler TLDR:** Modern obfuscation techniques such as CFG flattening and VM obfuscation, although significantly hinder reverse engineering, lack stealth. This is fine initially, but over time their effectiveness dwindle as academia and industry professionals alike develop methods to partially or fully deobfuscate their transformations. For example, if one were to Google "deobfuscating CFG flattening" or "deobfuscating VM obfuscation", one will find many resources or even tools to go along with to perform the task. For effective obfuscation, stealth must be taken into account.

The example I gave at the last part of the talk to show an obfuscation technique that takes into account of stealth, imo, is not great. I have since released an obfuscation tool that DO take stealth into account by constructing opaque predicates that syntactically and semantically resemble real predicates! Check it out here: Zero Footprint Opaque Predicates.

Yu-Jye Tung. BSidesSF’20.
Video | Slides

Others

Spyware on IOT

Abstract. Can we trust secondhand IOT devices? No. In this presentation, we talk about the various attack vectors available to attackers on typical IOT devices. As an example, we have chosen a Wyze webcam and shown how a spyware can be installed on the device to steal images by taking advantage of one of the attack vectors.

Yu-Jye Tung, Kush Dave, and Ian G. Harris. UCI ICS Day'19.
Video | Slides