Title: Linear Obfuscation to Combat Symbolic Execution

Speaker: Jiang Ming

Trigger-based code (malicious in many cases, but not nec-
essarily) only executes when specific inputs are received. Symbolic ex-
ecution has been one of the most powerful techniques in discovering
such malicious code and analyzing the trigger condition. We propose a
novel automatic malware obfuscation technique to make analysis based
on symbolic execution difficult. Unlike previously proposed techniques,
the obfuscated code from our tool does not use any cryptographic oper-
ations and makes use of only linear operations which symbolic execution
is believed to be good in analyzing. The obfuscated code incorporates
unsolved conjectures and adds a simple loop to the original code, mak-
ing it less than one hundred bytes longer and hard to be differentiated
from normal programs. Evaluation shows that applying symbolic execu-
tion to the obfuscated code is inefficient in finding the trigger condition.
We discuss strengths and weaknesses of the proposed technique.