A Tutorial on Software Obfuscation
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Bypassing Web Application Firewalls
Bypassing Web Application Firewalls Pavol Lupták [email protected] CEO, Nethemba s.r.o Abstract The goal of the presentation is to describe typical obfuscation attacks that allow an attacker to bypass standard security measures such as various input filters, output encoding mechanisms used in web-based intrusion detection systems (IDS), intrusion prevention systems (IPS) and web application firewalls (WAFs). These attacks may include different networking tricks, polymorphic shellcode and various code techniques. At the beginning we analyse and compare different HTML parsing and interpretation approaches used by most-common browsers that can lead to unique attack vectors. Javascript, with a full range of features, represents another effective way that can be used to obfuscate or de-obfuscate code – some existing obfuscation tools are mentioned. We describe how it is possible to construct “non-alphanumeric Javascript code” which does not contain alphabetic or numeric characters, but still can contain malicious executable code. Despite the fact that most current applications are immune to SQL injection attacks, it is still possible to find many vulnerable applications. We focus on different fuzzy techniques (and useful open source SQL injection tools that implement them) which can still be used to bypass weak input validation controls. We conclude our presentation with a demonstration of the most basic obfuscation techniques that can be successfully used to bypass traditional web application firewalls (WAFs). Finally, we briefly describe current mitigation techniques that are recommended for efficient malicious Javascript code analysis and sanitizing user input containing untrusted code. Keywords: WAF, IPS, IDS, obfuscation, SQL injection, XSS, CSS, CSRF. -
C++11 Metaprogramming Applied to Software Obfuscation
C++11 METAPROGRAMMING APPLIED TO SOFTWARE OBFUSCATION SEBASTIEN ANDRIVET About me ! Senior Security Engineer at SCRT (Swiss) ! CTO at ADVTOOLS (Swiss) Sebastien ANDRIVET Cyberfeminist & hacktivist Reverse engineer Intel & ARM C++, C, Obj-C, C# developer Trainer (iOS & Android appsec) PROBLEM Reverse engineering • Reverse engineering of an application if often like following the “white rabbit” • i.e. following string literals • Live demo • Reverse engineering of an application using IDA • Well-known MDM (Mobile Device Management) for iOS A SOLUTION OBFUSCATION What is Obfuscation? Obfuscator O O ( ) = YES! It is also Katy Perry! • (almost) same semantics • obfuscated Obfuscation “Deliberate act of creating source or machine code difficult for humans to understand” – WIKIPEDIA, APRIL 2014 C++ templates OBJECT2 • Example: Stack of objects OBJECT1 • Push • Pop Without templates Stack singers; class Stack { singers.push(britney); void push(void* object); void* pop(); }; Stack apples; apples.push(macintosh); • Reuse the same code (binary) singers apples • Only 1 instance of Stack class With C++ templates template<typename T > Stack<Singer> singers; class Stack singers.push(britney); { void push(T object); T pop(); Stack<Apple> apples; }; apples.push(macintosh); With C++ templates Stack<Singer> singers; singers.push(britney); Stack<Singers> Stack<Apples*> Stack<Apple> apples; apples.push(macintosh); singers apples C++ templates • Two instances of Stack class • One per type • Does not reuse code • By default • Permit optimisations based on types • For ex. reuse code for all pointers to objects • Type safety, verified at compile time Type safety • singers.push(apple); // compilation error Optimisation based on types • Generate different code based on types (template parameters) template<typename T> class MyClass • Example: enable_if { .. -
BPGC at Semeval-2020 Task 11: Propaganda Detection in News Articles with Multi-Granularity Knowledge Sharing and Linguistic Features Based Ensemble Learning
BPGC at SemEval-2020 Task 11: Propaganda Detection in News Articles with Multi-Granularity Knowledge Sharing and Linguistic Features based Ensemble Learning Rajaswa Patil1 and Somesh Singh2 and Swati Agarwal2 1Department of Electrical & Electronics Engineering 2Department of Computer Science & Information Systems BITS Pilani K. K. Birla Goa Campus, India ff20170334, f20180175, [email protected] Abstract Propaganda spreads the ideology and beliefs of like-minded people, brainwashing their audiences, and sometimes leading to violence. SemEval 2020 Task-11 aims to design automated systems for news propaganda detection. Task-11 consists of two sub-tasks, namely, Span Identification - given any news article, the system tags those specific fragments which contain at least one propaganda technique and Technique Classification - correctly classify a given propagandist statement amongst 14 propaganda techniques. For sub-task 1, we use contextual embeddings extracted from pre-trained transformer models to represent the text data at various granularities and propose a multi-granularity knowledge sharing approach. For sub-task 2, we use an ensemble of BERT and logistic regression classifiers with linguistic features. Our results reveal that the linguistic features are the reliable indicators for covering minority classes in a highly imbalanced dataset. 1 Introduction Propaganda is biased information that deliberately propagates a particular ideology or political orientation (Aggarwal and Sadana, 2019). Propaganda aims to influence the public’s mentality and emotions, targeting their reciprocation due to their personal beliefs (Jowett and O’donnell, 2018). News propaganda is a sub-type of propaganda that manipulates lies, semi-truths, and rumors in the disguise of credible news (Bakir et al., 2019). -
Software Protection Through Obfuscation
This document is downloaded from DR‑NTU (https://dr.ntu.edu.sg) Nanyang Technological University, Singapore. Software protection through obfuscation Balachandran, Vivek 2014 Balachandran, V. (2015). Software protection through obfuscation. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/62930 https://doi.org/10.32657/10356/62930 Downloaded on 02 Oct 2021 00:34:50 SGT Software Protection through Obfuscation School of Computer Engineering A Thesis Submitted to the Nanyang Technological University in partial fulfillment of the requirement of the degree of Doctor of Philosophy by Vivek Balachandran under the supervision of Prof. Ng Wee Keong and Prof. Sabu Emmanuel 2015 2 Acknowledgments Foremost, I would like to express my sincere gratitude to my advisors Prof. Sabu Em- manuel and Prof. Ng Wee Keong for the continuous support of my Ph.D study and research, for their patience, motivation, enthusiasm, and immense knowledge. I thank my fellow labmates in Nanyang Technological University, Singapore: Shaheen Ansari, Deepak Subrmanyam, Chia Tee Kiah for their kind support. Many friends have helped me stay sane through these difficult years. Their support and care helped me overcome setbacks and stay focused on my graduate study. I would like to thank Aditya Venkataraman, Chitra Panchapakesan, Ganesh Bharadwaj, Girid- haran Karunagaran, Karthik Raveendran, Manaswini Ramkumar, Manisha Mujumdar, Nirnaya Sarangan, Ponnu Jacob, Roshan Wahab, Shubha Nageswaran,Vidhi Patel and Vipin Pillai for making my life wonderful as a grad student. Last but not the least, I would like to thank my family: my parents G. Balachandran and V. Santhakumari, and my brother Vishakh Balachandran who were always there for me. -
6.858 Final Project
6.858 Final Project Predrag Gruevski Paul Hemberger Andres Romero Albert Wu Introduction Since remote desktop applications are such powerful tools for controlling computers from across the Internet, it stands to reason that adversaries would be motivated to discover and exploit vulnerabilities in such software. In our final project, we explored many of the most popular remote desktop applications for Android clients. Most of them provide little to no security, and we were able to easily create exploits to compromise the keyboard and mouse of the remote machine. Methods We looked at the following popular Android clients (each has at least 100,000 installs on the Google Play app market): 1. TeamViewer for Remote Control 2. Air HID 3. Remote Mouse 4. WiFi Mouse 5. Android Mouse and Keyboard 6. Mobile Mouse Lite 7. Remote Control Collection We installed each of the above clients on an Android phone and the corresponding server on a remote machine running Windows, OS X, or Linux. We used two types of tools for reverse engineering the messaging protocols: 1. Wireshark Wireshark is a network protocol analyzer. Using Wireshark, we were able to analyze incoming and outgoing packets from the remote machine. This was extremely useful for applications using plaintext protocols. 2. Decompilers Tools like Java Decompiler Project, JetBrains dotPeek, Decompile Android, and dex2jar allowed us to decompile many of the client APK files and server executables into very readable Java code. After reverse engineering the protocols, we set up virtual machines running the above applications and send arbitrary keyboard and mouse commands from the host machine via UDP and TCP. -
Achieving Obfuscation Through Self-Modifying Code: a Theoretical Model
Running head: OBFUSCATION THROUGH SELF-MODIFYING CODE 1 Achieving Obfuscation Through Self-Modifying Code: A Theoretical Model Heidi Angelina Waddell A Senior Thesis submitted in partial fulfillment of the requirements for graduation in the Honors Program Liberty University Spring 2020 OBFUSCATION THROUGH SELF-MODIFYING CODE 2 Acceptance of Senior Honors Thesis This Senior Honors Thesis is accepted in partial fulfillment of the requirements for graduation from the Honors Program of Liberty University. _____________________________ Melesa Poole, Ph.D. Thesis Chair ______________________________ Robert Tucker, Ph.D. Committee Member ______________________________ James H. Nutter, D.A. Honors Director ______________________________ Date OBFUSCATION THROUGH SELF-MODIFYING CODE 3 Abstract With the extreme amount of data and software available on networks, the protection of online information is one of the most important tasks of this technological age. There is no such thing as safe computing, and it is inevitable that security breaches will occur. Thus, security professionals and practices focus on two areas: security, preventing a breach from occurring, and resiliency, minimizing the damages once a breach has occurred. One of the most important practices for adding resiliency to source code is through obfuscation, a method of re-writing the code to a form that is virtually unreadable. This makes the code incredibly hard to decipher by attackers, protecting intellectual property and reducing the amount of information gained by the malicious actor. Achieving obfuscation through the use of self-modifying code, code that mutates during runtime, is a complicated but impressive undertaking that creates an incredibly robust obfuscating system. While there is a great amount of research that is still ongoing, the preliminary results of this subject suggest that the application of self-modifying code to obfuscation may yield self-maintaining software capable of healing itself following an attack. -
Dataset of Propaganda Techniques of the State-Sponsored Information Operation of the People’S Republic of China
Dataset of Propaganda Techniques of the State-Sponsored Information Operation of the People’s Republic of China Rong-Ching Chang Chun-Ming Lai [email protected] [email protected] Tunghai University Tunghai University Taiwan Taiwan Kai-Lai Chang Chu-Hsing Lin [email protected] [email protected] Tunghai University Tunghai University Taiwan Taiwan ABSTRACT ACM Reference Format: The digital media, identified as computational propaganda provides Rong-Ching Chang, Chun-Ming Lai, Kai-Lai Chang, and Chu-Hsing Lin. a pathway for propaganda to expand its reach without limit. State- 2021. Dataset of Propaganda Techniques of the State-Sponsored Informa- tion Operation of the People’s Republic of China. In KDD ’21: The Sec- backed propaganda aims to shape the audiences’ cognition toward ond International MIS2 Workshop: Misinformation and Misbehavior Min- entities in favor of a certain political party or authority. Further- ing on the Web, Aug 15, 2021, Virtual. ACM, New York, NY, USA, 5 pages. more, it has become part of modern information warfare used in https://doi.org/10.1145/nnnnnnn.nnnnnnn order to gain an advantage over opponents. Most of the current studies focus on using machine learning, quantitative, and qualitative methods to distinguish if a certain piece 1 INTRODUCTION of information on social media is propaganda. Mainly conducted Propaganda has the purpose of framing and influencing opinions. on English content, but very little research addresses Chinese Man- With the rise of the internet and social media, propaganda has darin content. From propaganda detection, we want to go one step adopted a powerful tool for its unlimited reach, as well as multiple further to providing more fine-grained information on propaganda forms of content that can further drive engagement online and techniques that are applied. -
Optimizing Away Javascript Obfuscation
Optimizing Away JavaScript Obfuscation Adrian Herrera Defence Science and Technology Group [email protected] Abstract—JavaScript is a popular attack vector for releasing • Applying techniques rooted in compiler theory to the task malicious payloads on unsuspecting Internet users. Authors of of deobfuscating JavaScript malware; this malicious JavaScript often employ numerous obfuscation • The design and implementation of SAFE-DEOBS, an techniques in order to prevent the automatic detection by antivirus and hinder manual analysis by professional malware open-source tool to assist malware analysts to better analysts. Consequently, this paper presents SAFE-DEOBS, a understand JavaScript malware; and JavaScript deobfuscation tool that we have built. The aim • An evaluation of SAFE-DEOBS on a large corpus of real- of SAFE-DEOBS is to automatically deobfuscate JavaScript world JavaScript malware. malware such that an analyst can more rapidly determine the malicious script’s intent. This is achieved through a number of Unless otherwise stated, all malicious code used in this static analyses, inspired by techniques from compiler theory. We paper is taken from real-world malware. demonstrate the utility of SAFE-DEOBS through a case study on real-world JavaScript malware, and show that it is a useful II. BACKGROUND AND RELATED WORK addition to a malware analyst’s toolset. Software obfuscation has many legitimate uses: digital Index Terms—javascript, malware, obfuscation, static analysis rights management, software diversity (for software protec- tion), and tamper protection, to name a few. However, software obfuscation is being increasingly co-opted by malware authors I. INTRODUCTION to thwart program analysis (both automated and manual). -
Large-Scale and Language-Oblivious Code Authorship Identification
Large-Scale and Language-Oblivious Code Authorship Identification Mohammed Abuhamad Inha University, Incheon, South Korea Tamer AbuHmed Inha University, Incheon, South Korea Aziz Mohaisen University of Central Florida, Orlando, USA DaeHun Nyang Inha University, Incheon, South Korea CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security Pages 101-114. Toronto, Canada — October 15 - 19, 2018 ISBN: 978-1-4503-5693-0 doi>10.1145/3243734.3243738 link: https://dl.acm.org/citation.cfm?id=3243738 Abstract: Efficient extraction of code authorship attributes is key for successful identification. However, the extraction of such attributes is very challenging, due to various programming language specifics, the limited number of available code samples per author, and the average code lines per file, among others. To this end, this work proposes a Deep Learning-based Code Authorship Identification System (DL-CAIS) for code authorship attribution that facilitates large-scale, language-oblivious, and obfuscation-resilient code authorship identification. The deep learning architecture adopted in this work includes TF-IDF-based deep representation using multiple Recurrent Neural Network (RNN) layers and fully-connected layers dedicated to authorship attribution learning. The deep representation then feeds into a random forest classifier for scalability to de-anonymize the author. Comprehensive experiments are conducted to evaluate DL-CAIS over the entire Google Code Jam (GCJ) dataset across all years (from 2008 to 2016) and over real-world code samples from 1987 public repositories on GitHub. The results of our work show the high accuracy despite requiring a smaller number of files per author. Namely, we achieve an accuracy of 96% when experimenting with 1,600 authors for GCJ, and 94.38% for the real-world dataset for 745 C programmers. -
Skypemorph: Protocol Obfuscation for Tor Bridges
SkypeMorph: Protocol Obfuscation for Tor Bridges Hooman Mohajeri Moghaddam Baiyu Li Mohammad Derakhshani Ian Goldberg Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {hmohajer,b5li,mderakhs,iang}@cs.uwaterloo.ca ABSTRACT The Tor network is designed to provide users with low- latency anonymous communications. Tor clients build cir- cuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Con- sequently, the Tor project envisioned the possibility of un- listed entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the communications be- tween them and nodes in their network. We propose a model in which the client obfuscates its mes- sages to the bridge in a widely used protocol over the Inter- net. We investigate using Skype video calls as our target protocol and our goal is to make it difficult for the censor- Figure 1: This graph from metrics.torproject.org shows the ing adversary to distinguish between the obfuscated bridge number of users directly connecting to the Tor network from connections and actual Skype calls using statistical compar- China, from mid-2009 to the present. It shows that, after isons. 2010, the Tor network has been almost completely blocked We have implemented our model as a proof-of-concept from clients in China who do not use bridges. [41] pluggable transport for Tor, which is available under an open-source licence. Using this implementation we observed the obfuscated bridge communications and compared it with attempts to block access to Tor by regional and state-level those of Skype calls and presented the results. -
Automated Malware Analysis Report for Jetbrains-Toolbox
ID: 85 Sample Name: jetbrains-toolbox Cookbook: defaultmacfilecookbook.jbs Time: 19:01:50 Date: 18/12/2020 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report jetbrains-toolbox 3 Overview 3 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Yara Overview 3 Signature Overview 3 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 4 Thumbnails 4 Antivirus, Machine Learning and Genetic Malware Detection 4 Initial Sample 5 Dropped Files 5 Domains 5 URLs 5 Domains and IPs 5 Contacted Domains 5 Contacted IPs 5 Public 6 General Information 6 Joe Sandbox View / Context 6 IPs 6 Domains 7 ASN 7 JA3 Fingerprints 7 Dropped Files 7 Runtime Messages 7 Created / dropped Files 7 Static File Info 7 General 8 Network Behavior 8 Network Port Distribution 8 TCP Packets 8 UDP Packets 8 System Behavior 8 Analysis Process: mono-sgen32 PID: 570 Parent PID: 493 8 General 8 Analysis Process: jetbrains-toolbox PID: 570 Parent PID: 493 9 General 9 File Activities 9 File Created 9 File Read 9 File Written 9 Directory Enumerated 9 Directory Created 9 Copyright null 2020 Page 2 of 9 Analysis Report jetbrains-toolbox Overview General Information Detection Signatures Classification Sample jetbrains-toolbox Name: RReeaaddss lllaauunncchhsseerrrvviiicceess ppllliiissttt fffiiillleess Analysis ID: 85 Reads launchservices plist files MD5: 4650b54b3ec808… Ransomware SHA1: 2b9318975b9e56… Miner Spreading SHA256: f1a93cf94ae4e62… mmaallliiiccciiioouusss malicious Evader Phishing Most interesting Screenshot: sssuusssppiiiccciiioouusss -
Global Manipulation by Local Obfuscation ∗
Global Manipulation by Local Obfuscation ∗ Fei Liy Yangbo Songz Mofei Zhao§ August 26, 2020 Abstract We study information design in a regime change context. A continuum of agents simultaneously choose whether to attack the current regime and will suc- ceed if and only if the mass of attackers outweighs the regime’s strength. A de- signer manipulates information about the regime’s strength to maintain the status quo. The optimal information structure exhibits local obfuscation, some agents receive a signal matching the true strength of the status quo, and others receive an elevated signal professing slightly higher strength. Public signals are strictly sub- optimal, and in some cases where public signals become futile, local obfuscation guarantees the collapse of agents’ coordination. Keywords: Bayesian persuasion, coordination, information design, obfuscation, regime change JEL Classification: C7, D7, D8. ∗We thank Yu Awaya, Arjada Bardhi, Gary Biglaiser, Daniel Bernhardt, James Best, Jimmy Chan, Yi-Chun Chen, Liang Dai, Toomas Hinnosaar, Tetsuya Hoshino, Ju Hu, Yunzhi Hu, Chong Huang, Nicolas Inostroza, Kyungmin (Teddy) Kim, Qingmin Liu, George Mailath, Laurent Mathevet, Stephen Morris, Xiaosheng Mu, Peter Norman, Mallesh Pai, Alessandro Pavan, Jacopo Perego, Xianwen Shi, Joel Sobel, Satoru Takahashi, Ina Taneva, Can Tian, Kyle Woodward, Xi Weng, Ming Yang, Jidong Zhou, and Zhen Zhou for comments. yDepartment of Economics, University of North Carolina, Chapel Hill. Email: [email protected]. zSchool of Management and Economics, The Chinese University of Hong Kong, Shenzhen. Email: [email protected]. §School of Economics and Management, Beihang University. Email: [email protected]. 1 1 Introduction The revolution of information and communication technology raises growing con- cerns about digital authoritarianism.1 Despite their tremendous effort to establish in- formation censorship and to spread disinformation, full manipulation of information remains outside autocrats’ grasp in the modern age.