CaDeCFF: Compiler-Agnostic Deobfuscator of Control Flow Flattening

13th Asia-Pacific Symposium on Internetware (Internetware 2022), 2022

Abstract
With the growing impact of malware and related attacks, new malware detection methods are continuously proposed. To evade detection, malware authors widely use code obfuscation, which makes programs harder to understand. Control Flow Flattening (CFF) is a common control-flow obfuscation method. However, existing CFF deobfuscation tools have a low success rate on compilation-optimized binaries, because the structural features the tools depend on are changed by the optimizer. To analyze malware efficiently, this paper first systematically summarizes the significant structural changes introduced by compilation optimization and analyzes the limitations of all state-of-the-art CFF deobfuscation tools. Based on these observations, we propose and implement a compiler-agnostic CFF deobfuscator named CaDeCFF that effectively deobfuscates compilation-optimized binaries. Specifically, CaDeCFF identifies useful blocks by data-flow analysis of the state variable, recovers the Control Flow Graph (CFG) of the useful blocks by selective symbolic execution, and finally patches the binary by binary-tree-based code generation. To demonstrate the effectiveness of CaDeCFF, we conduct an extensive evaluation on obfuscation benchmarks. The results show that the proposed system outperforms state-of-the-art CFF deobfuscation tools, raising the success rate from 39.77% to 99.62%.
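To make the abstract's terms concrete, the following is an added toy illustration, not CaDeCFF's code and not an implementation of its compiler-agnostic analysis. It builds a flattened program in which a dispatcher picks the next block from a state variable, then recovers the useful-block CFG purely by following the assignments to that state variable (a stand-in for the data-flow and symbolic analysis the paper performs on real binaries); a constructed junk block whose state value is never assigned is dropped because it is never reached. The block layout, state values and the `Block`/`recover_cfg` names are constructed for this example.

```python
"""Toy control-flow flattening and CFG recovery (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union

# A successor is either one constant next-state, or (predicate, state_if_true, state_if_false).
Succ = Union[None, int, Tuple[Callable[[dict], bool], int, int]]


@dataclass
class Block:
    name: str
    work: Callable[[dict], None]  # the block's "useful" computation on the program state
    succ: Succ                    # how the block assigns the dispatcher's state variable


# Constructed flattened program. Unflattened equivalent:
#   count = 0
#   while x > 1:
#       x = x // 2 if x % 2 == 0 else 3 * x + 1
#       count += 1
FLAT = {
    0x11: Block("entry", lambda env: env.update(count=0), 0x23),
    0x23: Block("loop_test", lambda env: None, (lambda env: env["x"] > 1, 0x37, 0x59)),
    0x37: Block("even_test", lambda env: None, (lambda env: env["x"] % 2 == 0, 0x41, 0x43)),
    0x41: Block("half", lambda env: env.update(x=env["x"] // 2), 0x47),
    0x43: Block("triple", lambda env: env.update(x=3 * env["x"] + 1), 0x47),
    0x47: Block("count_inc", lambda env: env.update(count=env["count"] + 1), 0x23),
    0x59: Block("exit", lambda env: None, None),
    0x7F: Block("junk", lambda env: env.update(x=-1), 0x59),  # never assigned to the state var
}
ENTRY = 0x11


def run_flattened(flat: dict, entry: int, env: dict) -> dict:
    """Dispatcher loop: the state variable selects which block runs next."""
    state: Optional[int] = entry
    while state is not None:
        blk = flat[state]
        blk.work(env)
        if isinstance(blk.succ, tuple):
            pred, on_true, on_false = blk.succ
            state = on_true if pred(env) else on_false
        else:
            state = blk.succ
    return env


def recover_cfg(flat: dict, entry: int) -> dict:
    """Rebuild edges between useful blocks from the state-variable assignments only.

    No block payload is executed; both arms of a conditional assignment are kept,
    so the result is the original CFG shape, and blocks whose state value is never
    assigned (junk) are excluded because they are never reached from the entry."""
    edges: dict = {}
    worklist = [entry]
    while worklist:
        s = worklist.pop()
        blk = flat[s]
        if blk.name in edges:
            continue
        if blk.succ is None:
            targets = []
        elif isinstance(blk.succ, tuple):
            targets = [blk.succ[1], blk.succ[2]]
        else:
            targets = [blk.succ]
        edges[blk.name] = [flat[t].name for t in targets]
        worklist.extend(targets)
    return edges


if __name__ == "__main__":
    print(run_flattened(FLAT, ENTRY, {"x": 6}))
    for src, dsts in recover_cfg(FLAT, ENTRY).items():
        print(f"{src} -> {dsts}")
```

The recovered edge list is what a deobfuscator would feed into code generation to replace the dispatcher with direct branches; the paper's contribution is doing this on optimized binaries where the dispatcher and state-variable updates no longer have the textbook shape used here.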
Keywords
Control flow flattening, Deobfuscator, Symbolic execution