Table of contents

  • This session has been presented March 21, 2025 (11:00 - 12:00).

Description

  • Speaker

    Roxane Cohen and Robin David - Quarkslab

Existing deobfuscation techniques usually target specific obfuscation passes and assume a prior knowledge of obfuscated location within a program. Also, some approaches tend to be computationally costly. Conversely, few research consider bypassing obfuscation through correlation of various variants of the same obfuscated program or a clear program and a later obfuscated variant. Both scenarios are common both in IP protection but also malware analysis. We formalize an attacker model targeting obfuscation by exploiting knowledge transfer between binaries through a dedicated binary diffing algorithm leveraging both intra-procedural structure (CFG) and inter-procedural structure (call-graph) combined through message passing. The associated tool QBinDiff exhibits better results than state-of-the-art differs. In a case where an adversary cannot find multiple variants of the same program, applying deobfuscation may be necessary and consequently locating it. The latter, requires characterizing an obfuscation from genuine code. We analyze both the binary classification problem namely determining if a function is obfuscated but also the multi-class problem namely determining the pass that is applied. Our baseline results reaches 0.95 of f1-score at the function level for binary. We show early results for the multi-class problem using various base representation and various algorithms including RandomForest, GradientBoosting and various GNNs.

Practical infos

Next sessions

  • CHERIoT RTOS: An OS for Fine-Grained Memory-Safe Compartments on Low-Cost Embedded Devices

    • November 21, 2025 (11:00 - 12:00)

    • Inria Center of the University of Rennes - Room Markov

    Speaker : Hugo Lefeuvre - The University of British Columbia

    Embedded systems do not benefit from strong memory protection, because they are designed to minimize cost. At the same time, there is increasing pressure to connect embedded devices to the internet, where their vulnerable nature makes them routinely subject to compromise. This fundamental tension leads to the current status-quo where exploitable devices put individuals and critical infrastructure[…]

    • SoSysec

    • Compartmentalization

    • Operating system and virtualization

    • Hardware/software co-design

    • Hardware architecture

Show previous sessions
Page top