TL;DR
SATURN is a deobfuscation framework that leverages LLVM to recover and simplify obfuscated binary code, enabling effective removal of various obfuscation techniques through control flow analysis and compiler optimizations.
Contribution
This paper introduces SATURN, a novel LLVM-based framework for deobfuscating binary code by lifting it to LLVM-IR and applying compiler optimizations to weaken or remove obfuscation.
Findings
Effective removal of obfuscation techniques like dead code and opaque expressions
Successful recovery of control flow graphs from obfuscated binaries
Implementation of a practical deobfuscation tool, SATURN
Abstract
The strength of obfuscated software has increased in recent years. Compiler-based obfuscation has become the de facto standard in the industry, and recent papers also show that injection of obfuscation techniques is done at the compiler level. In this paper we discuss a generic approach for deobfuscation and recompilation of obfuscated code based on the compiler framework LLVM. We show how binary code can be lifted back into the compiler intermediate language LLVM-IR and explain how we recover the control flow graph of an obfuscated binary function with an iterative control flow graph construction algorithm based on compiler optimizations and SMT solving. Our approach does not make any assumptions about the obfuscated code, but instead uses strong compiler optimizations available in LLVM and Souper Optimizer to simplify away the obfuscation. Our experimental results show that this…
