Paper 2022/1699
SoK: Use of Cryptography in Malware Obfuscation
Abstract
We look at the use of cryptography to obfuscate malware. Most surveys on malware obfuscation only discuss simple encryption techniques (e.g., XOR encryption), which are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. This SoK proposes a principled definition of malware obfuscation, and categorises instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. The SoK first examines easily detectable schemes such as string encryption, class encryption and XOR encoding, found in most obfuscated malware. It then details schemes that can be shown to be hard to break, such as the use of environmental keying. We also analyse formal cryptographic obfuscation, i.e., the notions of indistinguishability and virtual black box obfuscation, from the lens of our proposed model on malware obfuscation.
Metadata
- Available format(s)
-
PDF
- Category
- Foundations
- Publication info
- Preprint.
- Keywords
- malware obfuscation environmental keying
- Contact author(s)
-
hassan asghar @ mq edu au
ben_zi zhao @ mq edu au
muhammad ikram @ mq edu au
duclinhgiang nguyen @ hdr mq edu au
dali kaafar @ mq edu au
sean lamont2 @ dst defence gov au
daniel coscia1 @ dst defence gov au - History
- 2022-12-10: approved
- 2022-12-07: received
- See all versions
- Short URL
- https://ia.cr/2022/1699
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/1699,
author = {Hassan Asghar and Benjamin Zi Hao Zhao and Muhammad Ikram and Giang Nguyen and Dali Kaafar and Sean Lamont and Daniel Coscia},
title = {SoK: Use of Cryptography in Malware Obfuscation},
howpublished = {Cryptology ePrint Archive, Paper 2022/1699},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/1699}},
url = {https://eprint.iacr.org/2022/1699}
}
