中文摘要：

代码混淆技术常被用于软件保护领域和恶意代码对抗分析.传统的代码混淆技术会使逆向分析者获得程序的全部二进制代码,因此存在一定的安全性问题.为缓解这一问题,提出了一种基于代码移动的二进制程序控制流混淆方法,将程序的重要控制逻辑代码移动至逆向分析者不可控的可信实体,以使本地代码控制流信息部分缺失,从而使得程序的关键行为无法通过推理获知;利用包含无初始意义操作数的非条件跳转指令替代条件跳转指令隐藏路径分支的分支条件和目标地址,以增大收集程序路径信息的难度.对该控制流混淆方法从强度、弹性和开销3个指标进行了技术评价.将所提混淆方法用于6个恶意软件触发条件的混淆并对混淆之后的恶意代码进行逆向分析实验,结果表明该混淆方法能够较好地抵抗基于静态分析和符号执行的逆向分析方法.

英文摘要：

Code obfuscation is usually used in software protection and malware combating reverse engineering. There are some security issues in traditional code obfuscation methods, because reverse engineers can acquire all binary codes. To mitigate this problem, this paper presents a novel control flow obfuscation approach to protect the control flow of binary codes based on code mobility. Transforming the significant control logic codes to a remote trusted entity beyond adversary＇s control makes some control flow information invisible at local untrusted execution environment, so that the binary code＇s key behaviors cannot be predicted statically or dynamically. Non-conditional jump instructions without control information are used to replace some critical conditional jumps to hide branch conditions and jump target memory addresses, which increases the difficulty of collecting and reasoning about the program path information. We estimate this obfuscation approach in three aspects： potency, resilience and cost. And using this approach, we obfuscate the trigger conditions in six malware samples belonging to different families, and then use the state-of-the-art reverse engineering tools to reason about their internal control logic. Experimental result shows that our obfuscation approach is able to protect various branch conditions and reduce the leakage of branch information at run-time that impedes reverse engineering based on symbolic execution to analyze program＇s internal logic.