CoBRA - Simplifying Mixed Boolean-Arithmetic Obfuscation

In short, CoBRA rewrites obfuscated Mixed Boolean-Arithmetic expressions back into simpler, equivalent forms.
CoBRA simplifies Mixed Boolean-Arithmetic obfuscation, helping security engineers analyze malware and software protection schemes. In its authors' evaluation it simplifies 99.86% of the test expressions, which makes it a useful addition to the reverse-engineering toolkit. It is available as a CLI tool, a C++ library, and an LLVM pass plugin.
What Happened
Mixed Boolean-Arithmetic (MBA) obfuscation disguises a simple operation such as x + y as an equivalent but much larger expression that mixes arithmetic operators (+, -, *) with bitwise ones (&, |, ^, ~). Malware authors and software protectors favour it because existing simplifiers tend to handle either the arithmetic side or the Boolean side well, but not both at once. To address this gap, CoBRA has been released as an open-source tool designed to simplify a wide range of MBA expressions.
How CoBRA Works
CoBRA first classifies the input expression and then selects the simplification techniques suited to that class. A worklist-based orchestrator manages 36 discrete passes across four families of expressions: linear, semilinear, polynomial, and mixed. For a linear expression, for instance, CoBRA evaluates it on all 0/1 assignments of its variables to build a truth table, then applies several recovery techniques to that table and keeps the simplest equivalent expression.
Example of Linear Simplification
For the expression (x ^ y) + 2 * (x & y), an obfuscated form of x + y, CoBRA identifies it as a linear MBA expression and follows these steps:
- Classification: Identify the expression family (linear in this case).
- Truth Table Generation: Evaluate the expression on every 0/1 assignment of its variables.
- Pattern Matching: Scan an identity database for known patterns.
- Comparison: Race several recovery techniques against the truth table and keep the simplest resulting expression.
- Verification: Check that the result is equivalent to the input, either by testing on random inputs or by a formal proof.
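The steps above, carried through for the linear family as an added worked example. This is not code from the page or from CoBRA; every function name in it is hypothetical, and the two recovery techniques it races (an affine fit and a minterm-sum canonical form) plus the random-input verification are textbook choices standing in for CoBRA's own passes and its identity database, which the example does not reproduce. It evaluates the expression on all-zeros/all-ones words rather than on 0/1 words, which yields the same truth table but keeps the arithmetic cleaner, because every bitwise subterm of a linear MBA then evaluates to 0 or -1.

```python
"""Truth-table simplification of linear Mixed Boolean-Arithmetic (MBA) expressions.

Added illustration of the page's linear-family steps, not CoBRA's code: every
function name is hypothetical, and the recovery techniques (affine fit, minterm
sum) and the random-input check are textbook choices, not CoBRA's own passes.
Expressions are written in Python syntax over WIDTH-bit two's-complement words.
"""
import ast
import random

WIDTH = 64
MASK = (1 << WIDTH) - 1
# Only MBA operators are admitted; calls, attributes, shifts and comparisons are rejected.
_BINOPS = (ast.Add, ast.Sub, ast.Mult, ast.BitAnd, ast.BitOr, ast.BitXor)
_UNOPS = (ast.Invert, ast.USub)

def parse_mba(text):
    """Step 1 (syntactic part): validate `text`; return (compiled code, sorted variable names)."""
    tree = ast.parse(text, mode="eval")
    names = set()
    for node in ast.walk(tree):  # breadth-first, so a BinOp is checked before its operator child
        if isinstance(node, (ast.Expression, ast.operator, ast.unaryop, ast.expr_context)):
            continue
        if isinstance(node, ast.BinOp) and isinstance(node.op, _BINOPS):
            continue
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, _UNOPS):
            continue
        if isinstance(node, ast.Name):
            names.add(node.id)
            continue
        if isinstance(node, ast.Constant) and type(node.value) is int:
            continue
        raise ValueError("unsupported syntax: " + ast.dump(node))
    return compile(tree, "<mba>", "eval"), sorted(names)

def to_signed(word):
    return word - (1 << WIDTH) if word >> (WIDTH - 1) else word

def evaluate(code, names, words):
    """Evaluate modulo 2**WIDTH (Python ints are two's complement, so a final mask is sound)."""
    return eval(code, {"__builtins__": {}}, dict(zip(names, words))) & MASK

def bit_level_table(code, names):
    """Step 2: on all-zeros/all-ones inputs every bitwise subterm of a linear MBA is 0 or -1,
    so f(v) = -g(v) where g is the per-bit integer function the expression computes.
    Entry index = bitmask of the variables set to all-ones."""
    table = []
    for bits in range(1 << len(names)):
        words = [MASK if (bits >> j) & 1 else 0 for j in range(len(names))]
        table.append(to_signed((-evaluate(code, names, words)) & MASK))
    return table

def format_linear(terms, const):
    """Render [(coefficient, symbol)] plus a constant as an expression string."""
    out = ""
    for coef, sym in terms:
        if coef == 0:
            continue
        piece = sym if abs(coef) == 1 else "%d*%s" % (abs(coef), sym)
        out = ("-" if coef < 0 else "") + piece if not out else out + (" - " if coef < 0 else " + ") + piece
    if const:
        out = str(const) if not out else out + (" - " if const < 0 else " + ") + str(abs(const))
    return out or "0"

def recover_affine(table, names):
    """Recovery 1: if g(v) = c + sum(a_j*v_j) then f(x) = sum(a_j*x_j) - c, because c is
    contributed at every bit position and sum(2**k for all k) == -1 mod 2**WIDTH."""
    c = table[0]
    coeffs = [table[1 << j] - c for j in range(len(names))]
    for bits, g in enumerate(table):
        pred = c + sum(a for j, a in enumerate(coeffs) if (bits >> j) & 1)
        if (pred - g) & MASK:
            return None
    return format_linear(list(zip(coeffs, names)), to_signed((-c) & MASK))

def recover_minterms(table, names):
    """Recovery 2: canonical form sum(g(v) * M_v(x)), M_v = AND of x_j (v_j=1) or ~x_j (v_j=0)."""
    terms = []
    for bits, g in enumerate(table):
        lits = [nm if (bits >> j) & 1 else "~" + nm for j, nm in enumerate(names)]
        terms.append((g, lits[0] if len(lits) == 1 else "(" + " & ".join(lits) + ")"))
    return format_linear(terms, 0)

def verify(code, names, candidate, samples):
    """Step 5: random-input equivalence check (an SMT proof could replace it)."""
    cand, _ = parse_mba(candidate)
    return all(evaluate(code, names, w) == evaluate(cand, names, w) for w in samples)

def simplify_linear(text, trials=256, seed=1):
    """Steps 1-5. Returns None when nothing verifies, e.g. for a polynomial MBA such as
    x*y, whose truth table on 0/-1 inputs under-determines it."""
    code, names = parse_mba(text)
    table = bit_level_table(code, names)
    rng = random.Random(seed)
    samples = [[rng.getrandbits(WIDTH) for _ in names] for _ in range(trials)]
    candidates = [c for c in (recover_affine(table, names), recover_minterms(table, names)) if c]
    verified = [c for c in candidates if verify(code, names, c, samples)]
    # Step 4: race the survivors and keep the one with the fewest operators.
    return min(verified, key=lambda s: sum(s.count(op) for op in "+-*&|^~")) if verified else None
```

Calling simplify_linear("(x ^ y) + 2*(x & y)") returns "x + y", and "(x | y) - (x & y)" becomes the minterm form "(x & ~y) + (~x & y)" because no affine fit exists. Two design points matter for a practitioner: the AST whitelist is what makes it safe to hand attacker-controlled expression strings to eval, and the verification step is not optional, since a polynomial MBA such as x*y still produces a truth table and a candidate, but that candidate fails the random-input check and the function returns None rather than a wrong answer. That failure mode is exactly why CoBRA classifies an expression before choosing its passes.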
Who's Affected
CoBRA is particularly beneficial for security engineers involved in malware analysis, software protection, and deobfuscation tasks. By simplifying MBA expressions, it provides clearer insights into obfuscated code, making it easier to understand and analyze.
Validation and Performance
CoBRA has been tested against over 73,000 expressions from various datasets and simplified 99.86% of them. It handles linear, semilinear, polynomial, and mixed expressions, which covers the full range of MBA families its classifier recognises.
What You Can Do with CoBRA
CoBRA is available in three modes:
- CLI Tool: Directly input an expression to receive a simplified result.
- C++ Library: Integrate CoBRA's core library into your own tools for automated analysis.
- LLVM Pass Plugin: Use CoBRA as a pass in LLVM to deobfuscate MBA patterns directly in LLVM IR.
What's Next
Future developments for CoBRA include addressing its limitations with certain complex expressions and exploring broader integration options with tools like IDA Pro and Binary Ninja. The tool is open for contributions and feedback, encouraging users to report any unsupported expressions for further improvement.