
DEFENSE STRATEGIES: Cover Given two frames x and y make x an - PowerPoint PPT Presentation

CODE OBFUSCATION DEFENSE STRATEGIES. Roberto Giacobazzi, Dipartimento di Informatica, Università degli Studi di Verona, Italy. ASP 2009. Ingegneria e Scienze Informatiche, Verona.


  1. CODE OBFUSCATION DEFENSE STRATEGIES
     Roberto Giacobazzi, Dipartimento di Informatica, Università degli Studi di Verona, Italy. ASP 2009.
     Ingegneria e Scienze Informatiche – Verona – p.1/74

  2. THE SOURCE
     Most of the slides are taken from:
     - Ch. 4, 5 and 6 of Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Christian Collberg, Jasvir Nagra. ISBN-10: 0321549252, ISBN-13: 9780321549259. Addison-Wesley Professional 2010, 792 pp.
     - Roberto Giacobazzi. Hiding Information in Completeness Holes. The 6th IEEE International Conferences on Software Engineering and Formal Methods, SEFM'08, pages 7-20, IEEE Press.

  3. DEFENSE STRATEGIES
     Actions in Frames: ... let us see the Bufo marinus
     - One or more slots: name = value
     - Slots may contain other slots
     - Conditional actions ⇒ can take place

  4. DEFENSE STRATEGIES: THE PRIMITIVES
     We define 10 primitives which can be composed to design a generic defense strategy:
     - Cover
     - Duplicate
     - Split and Merge
     - Reorder
     - Map
     - Indirect
     - Mimic
     - Advertise
     - Detect/Respond
     - Dynamic

  5. DEFENSE STRATEGIES: Cover
     Given two frames x and y, make x an element of y.
     - Cover can be applied multiple times to hide information in an inner level
     - Hiding = covering = obscuring
     - Typical examples:
       - hiding keys or SW in hardened boxes (Military)
       - hiding watermarks in standard data-structures
       - hiding watermarks in images of media

  6. DEFENSE STRATEGIES: Duplicate
     Given a frame x, create a deep copy of x (keeping names unique).
     - Idea 1: Copy as decoy: make the universe larger and harder to scan
     - Idea 2: Copy as reduplication: make the universe larger, full of your copies (signatures)
     - Typical examples:
       - reduplication for protecting its own DNA
       - dummy targets for confusing adversaries
     `int THE_WATERMARK_IS_HERE = 666`
     obfuscate f by f′ := Duplicate(f), f′′ := Obf(f′) and call f and f′′

  7. DEFENSE STRATEGIES: Split & Merge
     Given a predicate π and a frame z, create a new frame z′ such that z′ has all the properties of z and ∀x ∈ z′. π(x). Merge is set union of frames (and related properties).
     - Typically used in combination: take two functions f and g: Split(f) = (f1, f2) and Split(g) = (g1, g2), then:
       - fg = Merge(f1, g2) = λx,y. if x = 1 then f1(y) else g2(y)
       - gf = Merge(f2, g1) = λx,y. if x = 2 then f2(y) else g1(y)
       - call f(y) ⟹ x = 1; fg(x, y); x++; gf(x, y)

  8. DEFENSE STRATEGIES: Reorder
     Given a frame z and a permutation function f, reorder the elements of z according to f.
     - Used in early SW watermarking, e.g., by reordering basic blocks in CFG
     - Used in code obfuscation and metamorphism by reordering basic blocks in CFG

  9. DEFENSE STRATEGIES: Map
     Given a frame x and a function f, replace every element e in x with f(e).
     - Implements Security-through-obscurity: translation, crypto, etc.
     - Protect confidentiality by name obfuscation (translation): variables, functions, data

  10. DEFENSE STRATEGIES: Indirect
      Given a frame x, add an indirect reference r to x.
      The cost of following pointers makes the analysis harder!!
      Combined with map you can hide references.

  11. DEFENSE STRATEGIES: Mimic
      Given two frames x and y, where x holds a property prop, copy prop into y.
      - Common in wild-life (animals)
      - Fundamental for stealth: the new (watermarked) code must resemble standard code. Here is a static watermarking:

  12. DEFENSE STRATEGIES: Advertise
      Given a frame x with a property prop, add a property advertise to x with value prop.
      - Opposite to security-through-obscurity
      - Openly display a situation in order to discourage attacks
      - Example by false advertising: Say that P is watermarked when it is not!

  13. DEFENSE STRATEGIES: Detect/Respond
      Given two frames x and y, add a demon to x that executes action A if event E happens to y.
      Typical in tamper-proofing: Duplicate → Map → Detect/Respond

  14. DEFENSE STRATEGIES: Dynamic
      Iterate a primitive f over a frame x generating a sequence (finite or infinite) of frames:
      $f(x) \to f(f(x)) \to f(f(f(x))) \to \dots$
      where f ∈ { Cover, Duplicate, Split, Merge, Reorder, Map, Indirect, Mimic, Advertise, Detect/Respond }
      - Dynamic change for confusing the attacker: Polymorphism and Metamorphism
      - Useful in polymorphic malware: dynamically decrypt (map) chunks of code, execute, re-encrypt (map)

  15. THE PROBLEM: OBFUSCATION VS DIVERSITY
      F. Cohen, Operating systems protection through program evolution, 1993
      - Generate syntactically different semantic equivalent programs
      - $P$ and $Q$ are syntactically different if $P \neq Q$
      - $P$ and $Q$ are semantic equivalent if $P \equiv Q$, i.e.,
        - If $[\![P]\!](x)\downarrow$ and $[\![Q]\!](x)\downarrow$ then $[\![P]\!](x) = [\![Q]\!](x)$
        - If $[\![P]\!](x)\uparrow$ or $[\![Q]\!](x)\uparrow$ then $[\![P]\!](x)\uparrow$ and $[\![Q]\!](x)\uparrow$
      - Given a program $P$: $\mathrm{D}(P) \stackrel{\text{def}}{=} \{\, Q \mid P \equiv Q \wedge P \neq Q \,\}$ is a non recursive set!

  16. LAYOUT OBFUSCATION
      Standard and easy methods for making your code diverse:
      - Change your code by substituting equivalent expressions: `y = x * 42` ⟹ `y = x << 5; y += x << 3; y += x << 1;`
      - Reordering code: break locality which is a typical principle used in reverse engineering!
      - Identifier renaming: ... that is really too easy!!!

  17. OBFUSCATION BY INTERPRETATION
      see Y. Futamura, Partial Evaluation of Computation Process, 1971
      Consider two programming languages (abstract machines): S and T with common data
      - Interpreter: $\forall \ell \in \{S, T\}$
        - $int_S : S.prog \times data \to data \cup \{\uparrow\}$, $int_S \in S.prog$
        - $int_T : T.prog \times data \to data \cup \{\uparrow\}$, $int_T \in S.prog$
        - $\forall P \in \ell.prog, \forall d \in data : [\![P]\!]_\ell(d) = [\![int_\ell]\!]_S(P, d)$
      - Code specializer: $\forall \ell \in \{S, T\}$
        - $spec_S : S.prog \times data \to S.prog$, $spec_S \in S.prog$
        - $spec_T : S.prog \times data \to T.prog$, $spec_T \in S.prog$
        - $\forall P \in S.prog, \forall d, s \in data : [\![P]\!]_S(s, d) = [\![\,[\![spec_\ell]\!]_S(P, s)\,]\!]_\ell(d)$
      - Idea: S is the source language (open), T is the secret architecture (hidden)

  18. OBFUSCATION BY INTERPRETATION
      see Y. Futamura, Partial Evaluation of Computation Process, 1971
      Obfuscated code for P is a compiled code from S to T and back to S:
      $[\![P]\!]_S(d) = [\![int_S]\!]_S(P, d)$
      $= [\![\,[\![spec_T]\!]_S(int_S, P)\,]\!]_T(d)$
      $= [\![int_T]\!]_S([\![spec_T]\!]_S(int_S, P), d)$
      $= [\![\,[\![spec_S]\!]_S(int_T, [\![spec_T]\!]_S(int_S, P))\,]\!]_S(d)$
      $obf(P) = [\![spec_S]\!]_S(int_T, [\![spec_T]\!]_S(int_S, P)) \in S.prog$
      - In order to attack obf(P) you need to understand the relation between S and T
      - obf(P) may run 10-100 times slower!!
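Added example, not from the slides: the construction of slide 18 carried out by hand in C for one small P. S is C, T is a made-up stack machine whose opcode values are constructed for this example, and the translation of P to T is written manually instead of being produced by a specializer; the names P_in_T, int_T and obf_P are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* P in the open source language S (here: C). Constructed for this example. */
static int32_t P(int32_t d) { return d * d + 3 * d + 1; }

/* Hidden machine T: a stack machine; its opcode numbering is the secret. */
enum { T_PUSH = 0x5A, T_ARG = 0x13, T_ADD = 0xC4, T_MUL = 0x2E, T_HALT = 0x99 };

/* P translated to T by hand: d d * 3 d * + 1 + */
static const uint8_t P_in_T[] = { T_ARG, T_ARG, T_MUL, T_PUSH, 3, T_ARG, T_MUL,
                                  T_ADD, T_PUSH, 1, T_ADD, T_HALT };

/* int_T written in S: runs a T program on input d.
 * Returns 0 and stores the result, or -1 for a malformed program. */
static int int_T(const uint8_t *prog, size_t len, int32_t d, int32_t *out) {
    int32_t st[16];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = prog[pc++];
        if (op == T_HALT) {
            if (sp != 1) return -1;
            *out = st[0];
            return 0;
        } else if (op == T_PUSH || op == T_ARG) {
            if (sp == 16 || (op == T_PUSH && pc >= len)) return -1;
            st[sp++] = (op == T_ARG) ? d : (int32_t)prog[pc++];
        } else if (op == T_ADD || op == T_MUL) {
            if (sp < 2) return -1;
            sp--;
            st[sp - 1] = (op == T_ADD) ? st[sp - 1] + st[sp] : st[sp - 1] * st[sp];
        } else return -1;                   /* unknown opcode */
    }
    return -1;                              /* ran off the end without HALT */
}

/* obf(P): int_T with the T program fixed; again an S program. */
static int32_t obf_P(int32_t d) {
    int32_t r = 0;
    (void)int_T(P_in_T, sizeof P_in_T, d, &r);
    return r;
}

int main(void) {
    for (int32_t d = -3; d <= 3; d++)
        printf("d=%d  P=%d  obf(P)=%d\n", (int)d, (int)P(d), (int)obf_P(d));
    return 0;
}
```

Reading obf_P without knowing the opcode table of T only shows a dispatch loop over opaque bytes, which is the point of the first bullet on slide 18.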
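Added example, not from the slides: the Split & Merge rewriting of slide 7 in C. Only the rewriting of call f(y) is on the slide; the bodies of f1, f2, g1, g2, the threading of the intermediate result through y, and the matching rewriting for g (call_g) go beyond the slide and are assumptions of this example.

```c
#include <stdio.h>

/* Split(f) = (f1, f2) and Split(g) = (g1, g2), as sequential halves:
 * f = f2 after f1, g = g2 after g1. Bodies constructed for this example. */
static int f1(int y) { return y + 7; }
static int f2(int y) { return y * 3; }
static int g1(int y) { return y ^ 0x55; }
static int g2(int y) { return y - 11; }

static int f(int y) { return f2(f1(y)); }    /* original f */
static int g(int y) { return g2(g1(y)); }    /* original g */

/* fg = Merge(f1, g2) = \x,y. if x = 1 then f1(y) else g2(y) */
static int fg(int x, int y) { return x == 1 ? f1(y) : g2(y); }
/* gf = Merge(f2, g1) = \x,y. if x = 2 then f2(y) else g1(y) */
static int gf(int x, int y) { return x == 2 ? f2(y) : g1(y); }

/* call f(y)  ==>  x = 1; fg(x, y); x++; gf(x, y)   (the slide's rewriting) */
static int call_f(int y) {
    int x = 1;
    y = fg(x, y);        /* x == 1 selects f1 */
    x++;
    return gf(x, y);     /* x == 2 selects f2 */
}

/* Assumed counterpart for g: g1 is the else-branch of gf (x != 2) and
 * g2 is the else-branch of fg (x != 1), so the same x sequence works
 * with the merged functions called in the opposite order. */
static int call_g(int y) {
    int x = 1;
    y = gf(x, y);        /* x == 1, not 2: selects g1 */
    x++;
    return fg(x, y);     /* x == 2, not 1: selects g2 */
}

int main(void) {
    for (int y = 0; y < 4; y++)
        printf("y=%d  f=%d call_f=%d  g=%d call_g=%d\n",
               y, f(y), call_f(y), g(y), call_g(y));
    return 0;
}
```

After the rewriting neither f nor g exists as a single unit: each merged function holds half of both, and which half runs depends on the run-time value of x.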
