Research field: Analysis
Conference: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Obfuscation is commonly employed to protect sensitive program assets in legitimate use cases or to conceal malicious behavior in the context of malware. By altering the binary code of a compiled program, obfuscation disrupts binary analysis techniques, such as binary diffing or similarity. However, there is little comprehensive academic research addressing the effects of obfuscation on binary analysis tools and quantifying its impact. In this study, we examine how different types of obfuscation influence binary diffing algorithms. Specifically, we demonstrate a clear relationship between the type of obfuscation and the performance of the diffing algorithms used. Our benchmarks emphasize that, contrary to common assumptions, intra-procedural and data obfuscations have a limited impact on binary diffing when applied alone. In contrast, inter-procedural obfuscations significantly affect the diffing process, degrading performance by up to 40 F1-score points when comparing low and high obfuscation levels. These results highlight the need for modular diffing approaches, where parameters and features can be fine-tuned to handle adversarial scenarios, such as obfuscation. To support this research, we have released a comprehensive dataset comprising pairs of clear and obfuscated compiled programs, along with metadata specifying the type and exact location of each obfuscation. This dataset is intended to facilitate further research in this area.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | France |
| Site | Springer |
| Likes | 0 |