Saved in:
Bibliographic Details
Main Authors: Mohseni, Seyedreza, Mohammadi, Seyedali, Tilwani, Deepa, Saxena, Yash, Ndawula, Gerald Ketu, Vema, Sriram, Raff, Edward, Gaur, Manas
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.16135
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910804275625984
author Mohseni, Seyedreza
Mohammadi, Seyedali
Tilwani, Deepa
Saxena, Yash
Ndawula, Gerald Ketu
Vema, Sriram
Raff, Edward
Gaur, Manas
author_facet Mohseni, Seyedreza
Mohammadi, Seyedali
Tilwani, Deepa
Saxena, Yash
Ndawula, Gerald Ketu
Vema, Sriram
Raff, Edward
Gaur, Manas
contents Malware authors often employ code obfuscations to make their malware harder to detect. Existing tools for generating obfuscated code often require access to the original source code (e.g., C++ or Java), and adding new obfuscations is a non-trivial, labor-intensive process. In this study, we ask the following question: Can Large Language Models (LLMs) potentially generate a new obfuscated assembly code? If so, this poses a risk to anti-virus engines and potentially increases the flexibility of attackers to create new obfuscation patterns. We answer this in the affirmative by developing the MetamorphASM benchmark comprising MetamorphASM Dataset (MAD) along with three code obfuscation techniques: dead code, register substitution, and control flow change. The MetamorphASM systematically evaluates the ability of LLMs to generate and analyze obfuscated code using MAD, which contains 328,200 obfuscated assembly code samples. We release this dataset and analyze the success rate of various LLMs (e.g., GPT-3.5/4, GPT-4o-mini, Starcoder, CodeGemma, CodeLlama, CodeT5, and LLaMA 3.1) in generating obfuscated assembly code. The evaluation was performed using established information-theoretic metrics and manual human review to ensure correctness and provide the foundation for researchers to study and develop remediations to this risk.
format Preprint
id arxiv_https___arxiv_org_abs_2412_16135
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Can LLMs Obfuscate Code? A Systematic Analysis of Large Language Models into Assembly Code Obfuscation
Mohseni, Seyedreza
Mohammadi, Seyedali
Tilwani, Deepa
Saxena, Yash
Ndawula, Gerald Ketu
Vema, Sriram
Raff, Edward
Gaur, Manas
Cryptography and Security
Artificial Intelligence
Computation and Language
Malware authors often employ code obfuscations to make their malware harder to detect. Existing tools for generating obfuscated code often require access to the original source code (e.g., C++ or Java), and adding new obfuscations is a non-trivial, labor-intensive process. In this study, we ask the following question: Can Large Language Models (LLMs) potentially generate a new obfuscated assembly code? If so, this poses a risk to anti-virus engines and potentially increases the flexibility of attackers to create new obfuscation patterns. We answer this in the affirmative by developing the MetamorphASM benchmark comprising MetamorphASM Dataset (MAD) along with three code obfuscation techniques: dead code, register substitution, and control flow change. The MetamorphASM systematically evaluates the ability of LLMs to generate and analyze obfuscated code using MAD, which contains 328,200 obfuscated assembly code samples. We release this dataset and analyze the success rate of various LLMs (e.g., GPT-3.5/4, GPT-4o-mini, Starcoder, CodeGemma, CodeLlama, CodeT5, and LLaMA 3.1) in generating obfuscated assembly code. The evaluation was performed using established information-theoretic metrics and manual human review to ensure correctness and provide the foundation for researchers to study and develop remediations to this risk.
title Can LLMs Obfuscate Code? A Systematic Analysis of Large Language Models into Assembly Code Obfuscation
topic Cryptography and Security
Artificial Intelligence
Computation and Language
url https://arxiv.org/abs/2412.16135