The Experts below are selected from a list of 57 Experts worldwide ranked by ideXlab platform
Antonella Santone - One of the best experts on this subject based on the ideXlab platform.
Code reordering Obfuscation technique detection by means of weak bisimulation
Advanced Information Networking and Applications, 2020
Co-Authors: Giuseppe Crincoli, Tiziano Marinaro, Fabio Martinelli, Francesco Mercaldo, Antonella Santone
Abstract: As evidenced from current literature in software security, the current signature detection mechanisms can be easily evaded by attackers simply applying trivial obfuscation techniques, usually with software engines able to automatically inject junk code into malicious applications. In fact, the employment of obfuscation code techniques is adopted by attackers to generate several (undetected) variants of one malicious sample, making its signature obsolete. Considering that the signature definition is a laborious process manually performed by security analysts, in this paper we propose a method, exploiting weak bisimulation, to detect whether an Android application is modified by means of the code reordering obfuscation technique. We present an experimental analysis performed on a real-world data-set of Android applications (obfuscated and not obfuscated), reaching interesting results in the code reordering obfuscation technique detection.
Guy Gogniat - One of the best experts on this subject based on the ideXlab platform.
DATE - Transient Key-based Obfuscation for HLS in an Untrusted Cloud Environment
2019 Design Automation & Test in Europe Conference & Exhibition (DATE), 2019
Co-Authors: Hannah Badier, Jean-Christophe Le Lann, Philippe Coussy, Guy Gogniat
Abstract: Recent advances in cloud computing have led to the advent of Business-to-Business Software as a Service (SaaS) solutions, opening new opportunities for EDA. High-Level Synthesis (HLS) in the cloud is likely to offer great opportunities to hardware design companies. However, these companies are still reluctant to make such a transition, due to the new risks of Behavioral Intellectual Property (BIP) theft that a cloud-based solution presents. In this paper, we introduce a key-based obfuscation approach to protect BIPs during cloud-based HLS. The source-to-source transformations we propose hide functionality and make normal behavior dependent on a series of input keys. In our process, the obfuscation is transient: once an obfuscated BIP is synthesized through HLS by a service provider in the cloud, the obfuscation code can only be removed at Register Transfer Level (RTL) by the design company that owns the correct obfuscation keys. Original functionality is thus restored and design overhead is kept at a minimum. Our method significantly increases the level of security of cloud-based HLS at low performance overhead. The average area overhead after obfuscation and subsequent de-obfuscation with tests performed on ASIC and FPGA is 0.39%, and over 95% of our tests had an area overhead under 5%.
Tho Quan - One of the best experts on this subject based on the ideXlab platform.
APSEC Workshops - A Memory-Based Abstraction Approach to Handle Obfuscation in Polymorphic Virus
2012 19th Asia-Pacific Software Engineering Conference, 2012
Co-Authors: Binh Nguyen, Binh T Ngo, Tho Quan
Abstract: This paper describes a PhD proposal aiming at dealing with obfuscation in polymorphic virus. The major characteristic of polymorphic virus is the capability of infinitely self-modifying when infecting victim programs. It makes the traditional signature-based virus detection technique ineffective since this approach needs to collect all of signature instances. A recent emerging approach to counter this problem is abstracting the program from binary level, then extracting an abstracted model for further analysis. The most common model to be extracted is perhaps the control flow graph (CFG) of the binary program. However, this control-based abstraction approach is currently suffering from some advanced obfuscation techniques which change not only the signatures but also modify significantly the control flow of the programs. Thus, the control analysis will become quickly too complicated. Hence, we propose a novel approach of abstracting the binary code based on memory states. This approach allows us to detect useless instructions which are part of obfuscation code. Moreover, for the next step, our approach can be extended as new efficient technique for virus detection based on common abstracted pattern.
Giuseppe Crincoli - One of the best experts on this subject based on the ideXlab platform.
Code reordering Obfuscation technique detection by means of weak bisimulation
Advanced Information Networking and Applications, 2020
Co-Authors: Giuseppe Crincoli, Tiziano Marinaro, Fabio Martinelli, Francesco Mercaldo, Antonella Santone
Abstract: As evidenced from current literature in software security, the current signature detection mechanisms can be easily evaded by attackers simply applying trivial obfuscation techniques, usually with software engines able to automatically inject junk code into malicious applications. In fact, the employment of obfuscation code techniques is adopted by attackers to generate several (undetected) variants of one malicious sample, making its signature obsolete. Considering that the signature definition is a laborious process manually performed by security analysts, in this paper we propose a method, exploiting weak bisimulation, to detect whether an Android application is modified by means of the code reordering obfuscation technique. We present an experimental analysis performed on a real-world data-set of Android applications (obfuscated and not obfuscated), reaching interesting results in the code reordering obfuscation technique detection.
Quan Thanh Tho - One of the best experts on this subject based on the ideXlab platform.
FPS - Obfuscation Code Localization Based on CFG Generation of Malware
Foundations and Practice of Security, 2016
Co-Authors: Nguyen Minh Hai, Mizuhito Ogawa, Quan Thanh Tho
Abstract: This paper presents a tool BE-PUM (Binary Emulator for PUshdown Model generation), which generates a precise control flow graph (CFG), under presence of typical obfuscation techniques of malware, e.g., indirect jump, self-modification, overlapping instructions, and structured exception handler (SEH), which cover packers. Experiments are performed on 2000 real-world malware examples taken from VX Heaven and compare the results of a popular commercial disassembler IDA Pro, a state-of-the-art tool JakStab, and BE-PUM. It shows that BE-PUM correctly traces CFGs, whereas IDA Pro and JakStab fail. By manual inspection on 300 malware examples, we also observe that the starts of these failures exactly locate the entries of obfuscation code.
Obfuscation Code localization based on cfg generation of malware
Foundations and Practice of Security, 2015
Co-Authors: Nguyen Minh Hai, Mizuhito Ogawa, Quan Thanh Tho
Abstract: This paper presents a tool BE-PUM (Binary Emulator for PUshdown Model generation), which generates a precise control flow graph (CFG), under presence of typical obfuscation techniques of malware, e.g., indirect jump, self-modification, overlapping instructions, and structured exception handler (SEH), which cover packers. Experiments are performed on 2000 real-world malware examples taken from VX Heaven and compare the results of a popular commercial disassembler IDA Pro, a state-of-the-art tool JakStab, and BE-PUM. It shows that BE-PUM correctly traces CFGs, whereas IDA Pro and JakStab fail. By manual inspection on 300 malware examples, we also observe that the starts of these failures exactly locate the entries of obfuscation code.