内容分析教案chp07.1-obfuscation

1、Program ObfuscationXU, Hui August 6, 2022COMP130159.011. Overview2The Problem of Software IP ProtectionExamples of MATE attacks:Disable License CheckingSteal AlgorithmsClone Codesif (verifyLicense (key) startProgram();else printf (“invalid key”); exit(-1);Software intellectual property:Server side (

2、secure)Client side (vulnerable)MATE (Man-At-The-End) attack Collberg11: reverse engineerCollberg11 C. Collberg, et al. Toward digital asset protection. IEEE Intelligent Systems, 2011.3Software Obfuscation for IP ProtectionC. Collberg, et al. A taxonomy of obfuscating transformations, 1997Obfuscator:

3、 a program that transforms the application into one that is functionally identical to the original but which is much more difficult to understand.Evaluation CriteriaPotency: to what degree is a human reader confusedResilience: how well are automatic deobfuscation attacks resistedCost: how much overh

4、ead is added to the applicationStealth: how well does obfuscated code blend in with the original code42. Software Obfuscation5Obfuscation TargetComponents6 pile Java Bytecode is EasyAPKjd-guiunzipdex2jarview7Software ObfuscationLexical obfuscationUse meaningless identifiers to replace meaningful one

5、s,Typically with alphabets or short random strings.Control-flow obfuscationIncrease the complexity of the control-flow graph, e.g., by adding bogus control flows.Data obfuscationOriginal programDifferent Versions of obfuscated programYadegari, et. al, A Generic Approach to Automatic Deobfuscation of

6、 Executable Code, S&P 20158Lexical ObfuscationWhat lexical information can be scrambled?Variable nameMethod nameField namePerform a def-use analysis for each identifier to obfuscate.Make sure both def and use are changed Try it yourself via static data-flow analysisWhat cannot be changed?Identifiers

7、 defined by other libraries9Obfuscating Android Apps During CompilationClassic tool: ProGuardLatest tool in Android Studio: R810Effectiveness of Obfuscation11Residual Informationresidual information“We can recover a large portion of lexical information based on the residual information, e.g., names

8、of invoked methods and strings.”B. Bichsel, et al. Statistical deobfuscation of android applications, CCS, 2016.Java Source CodeJava APIThird-party LibrariesAndroid Framework APIinvocation12How to Obfuscate ponent Information?Use call wrappers and dispatchersOriginal VersionObfuscated Version3-rd pa

9、rty libraryfunA()funB()funC()Java ClassfunB()invoke3-rd party libraryfunA()funB()funC()Java Classdispatcher()invokeWrapper Classdispatcher()invoke13Control-flow ObfuscationIncrease the (Cyclomatic) complexity of the program withBogus control flowControl-flow flatteningE = the number of edges of the

10、graph.N = the number of nodes of the graph.P = the number of connected components.ababbogusccdispatcherabc14Obfuscation with Obfuscator-LLVM -mllvm -bcf: activates the bogus control flow pass-mllvm -bcf_loop=3: if the pass is activated, applies it 3 times on a function. Default: 1-mllvm -bcf_prob=40

11、: if the pass is activated, a basic bloc will be obfuscated with a probability of 40%. Default: 30Use LLVM to compile C programs with the following arguments:Other features in Obfuscator-LLVMControl-flow flatteningInstructions substitution15Bogus Control FlowP. Junod, et. al, Obfuscator-LLVM - Softw

12、are Protection for the Masses, 2015If-elseadd junk codes16Opaque Predicate Used in Obf-LLVMx7 = 0;y8 = 0;if(x7(x7 1)%2 = 0|y81) if(x%2=1) x=3*x+1; else x = x/2; if (x = 1) /always reachable OriginalCode();20Relationship with Symbolic Executionint opaque(int x) int *p=&x; int*q=&x; int y=0; if(x*x3)/

13、contextual opaque predicate if(x*x-4x+30) x=x1; if(*p)%2=0)/dynamic opaque predicate y=x+1; else y=x+1; y=y+2; if(*q)%2=0) y=y+2; x=y+3; else x=y+3; return x;Use symbolic execution to analyze these path constraints21Control-Flow Flatteningif-elsewhile+switch-caseFlattening22Control-Flow FlatteningLs

14、zl, Tmea, and kos Kiss. Obfuscating C+ programs via control flow flattening. 200923VM-based ObfuscationCamouflage widely used by malware.Convert x86 machine code into virtual machine bytecode and execute it at runtimeAvailable tools: VMProtectCode VirtualizerRolfRolles x86 Virtualizer 24Virtualizati

15、on Virtualization25VM Section263. Theoretical Limitations27Program ObfuscatorB. Barak et al., On the (im) possibility of obfuscating programs, CRYPTO, 200128Theoretical Limitation of ObfuscationVirtual block-box property (VBBP): The obfuscated program does not help in determine the program result (e

16、ven leaks 1-bit information) than given only oracle access.VBBP is not always possible.B. Barak et al., On the (im) possibility of obfuscating programs, CRYPTO, 200129Proof VBBP with A Counter ExampleProof by contraction. Details can be found in Baraks paper.B. Barak et al., On the (im) possibility

17、of obfuscating programs, CRYPTO, 200130Indistinguishable Property31Idea for Achieving IOS. Garg et al., Candidate indistinguishability obfuscation and functional encryption for all circuits, FOCS 201332Convert to Branching Programs1s2s9s3s4s5s6s7s800011111bit1s1011000001bit2bit3bit4bit5bit6bit7bit8i

18、f(x = 7) return 1;else return 0;Example: convert a point function33Convert to Matrix Branching Programsmatrices for bit1head matrixtail matrix34MBP Randomization35Encrypt RMBP with Graded EncodingCandidate algorithms: GGH, CLTEncrypt each element with a key, like public key encryption.The computatio

19、n is noisy (non-deterministic) by introducing some small integers.The final evaluation function (zero-testing) is deterministic.Far from practical usage Results achieved when encrypting a point function.Lewi, et al. 5gen: A framework for prototyping applications using multilinear maps and matrix branching programs.“CCS 2016.36Comparison of The Two FieldsPROGRAM OBFUSCATOR(THEORETICAL)CODE OBFUSCATORRESEARCH COMMUNITYtheory scientistssoftware scientistsTarget Programcircuit/Turing-Machinec