Table of contents

  • This session has been presented March 21, 2025 (11:00 - 12:00).

Description

  • Speaker

    Roxane Cohen and Robin David - Quarkslab

Existing deobfuscation techniques usually target specific obfuscation passes and assume a prior knowledge of obfuscated location within a program. Also, some approaches tend to be computationally costly. Conversely, few research consider bypassing obfuscation through correlation of various variants of the same obfuscated program or a clear program and a later obfuscated variant. Both scenarios are common both in IP protection but also malware analysis. We formalize an attacker model targeting obfuscation by exploiting knowledge transfer between binaries through a dedicated binary diffing algorithm leveraging both intra-procedural structure (CFG) and inter-procedural structure (call-graph) combined through message passing. The associated tool QBinDiff exhibits better results than state-of-the-art differs. In a case where an adversary cannot find multiple variants of the same program, applying deobfuscation may be necessary and consequently locating it. The latter, requires characterizing an obfuscation from genuine code. We analyze both the binary classification problem namely determining if a function is obfuscated but also the multi-class problem namely determining the pass that is applied. Our baseline results reaches 0.95 of f1-score at the function level for binary. We show early results for the multi-class problem using various base representation and various algorithms including RandomForest, GradientBoosting and various GNNs.

Practical infos

Next sessions

  • Black-Box Collision Attacks on Widely Deployed Perceptual Hash Functions and Their Consequences

    • June 13, 2025 (11:00 - 12:00)

    • Inria Center of the University of Rennes - Aurigny room

    Speaker : Diane Leblanc-Albarel - KU Leuven

    Perceptual hash functions identify multimedia content by mapping similar inputs to similar outputs. They are widely used for detecting copyright violations and illegal content but lack transparency, as their design details are typically kept secret. Governments are considering extending the application of these functions to Client-Side Scanning (CSS) for end-to-end encrypted services: multimedia[…]

    • Cryptography

    • SoSysec

    • Protocols

  • A non-comparison oblivious sort and its application to private k-NN

    • June 20, 2025 (11:00 - 12:00)

    • Inria Center of the University of Rennes - - Petri/Turing room

    Speaker : Sofiane Azogagh - UQÀM

    Sorting is a fundamental subroutine of many algorithms and as such has been studied for decades. A well-known result is the Lower Bound Theorem, which states that no comparison-based sorting algorithm can do better than O(nlog(n)) in the worst case. However, in the fifties, new sorting algorithms that do not rely on comparisons were introduced such as counting sort, which can run in linear time[…]

    • Cryptography

    • SoSysec

    • Privacy

    • Databases

    • Secure storage

Show previous sessions
Page top