Program Synthesis-based Simplification of MBA Obfuscated Malware with Restart Strategies


Research area: Analysis



Conference: Checkmate '22: Proceedings of the 2022 ACM Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks


Abstract

Program obfuscation is one of the frequently used methods to make malware hard to analyze. Among the various obfuscation techniques, Mixed Boolean-Arithmetic (MBA) obfuscation, which mixes arithmetic and Boolean operations in an expression, is often considered hard to solve. Recently, synthesis-based methods have emerged to simplify MBA-obfuscated expressions. However, despite promising results, they still have limitations. Fortunately, recent work in super optimization shows that stochastic synthesis is generally sped up by a proper restart strategy. We adopt this principle to enhance the performance of existing works. Experimental results show that we would achieve improvement in the rate of correct answers and better length reduction.


Authors

Seoyeon Kang
Chungnam National University, Daejeon, Republic of Korea

Jeongwoo Kim
Chungnam National University, Daejeon, Republic of Korea

Eun-sun Cho
Chungnam National University, Daejeon, Republic of Korea

📄 Paper information

Publication year: 2022
Citations: 3
Publication country: Andorra, Korea
Site: ACM

Related papers (80)