drm obfuscation vs auxiliary attacks
play

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell - PowerPoint PPT Presentation

Aug 25, 2023 •400 likes •1.43k views

DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC

  1. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation Architecture“layered”

  2. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation Implementation choices Database MongoDB Scalable Non relational, a good way to prototype A database per trace Avoid inter-trace lock Allow hypothesis on entries

  3. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation Implementation choices Database MongoDB Scalable Non relational, a good way to prototype A database per trace Avoid inter-trace lock Allow hypothesis on entries Getting an execution trace Intel PIN Miasm sandbox IDA, ollydbg, . . .

  4. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation Implementation choices Database MongoDB Scalable Non relational, a good way to prototype A database per trace Avoid inter-trace lock Allow hypothesis on entries Getting an execution trace Intel PIN Miasm sandbox IDA, ollydbg, . . . Disassembly engine DiStorm Then Miasm, to be architecture independant . . . and have an IR

  5. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation Memory model Detailed information available in [SSTIC 2014 - Actes]

  6. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Agenda First layer: Code flattening 1 pTra 2 What is this ? A few words on implementation Miasm in 2 slides Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  7. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Miasm in 2 slides - 1 Context Developed by F. Desclaux Miasm v2 released in June 2014 Available on http://code.google.com/p/miasm

  8. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Miasm in 2 slides - 1 Context Developed by F. Desclaux Miasm v2 released in June 2014 Available on http://code.google.com/p/miasm Lego bricks Python 1 Assembly / Disassembly engine“easy-to-write” 2 Intermediate representation RE oriented (8 words) 3 JIT engine (TinyCC, LLVM, Python based) 4 Regression tests :) 5

  9. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Miasm in 2 slides - 2 Features Supported architectures x86 { 16, 32, 64 } bits ARMv7 / Thumb MSP430 SH4 MIPS32 Customizable simplification engine PE / ELF / shellcode sandboxing Common MSDN APIs simulation (or how to rewrite Windows architecture independant) ELF / PE binary manipulation thanks to Elfesteem Links with STP solver, debuggers, IDA viewer

  10. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Miasm in 2 slides - Demonstration Demo: Shellcode sandboxing (Try & die approach)

  11. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides Miasm in 2 slides - Demonstration Demo: ARMv7 execution trace - MD5

  12. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  13. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  14. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Algorithm reconstruction - Introduction What we want to know Fully understand an algorithm What’s inside (encryption, derivations, . . . ) ⇒ pTra database contains all we need

  15. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Algorithm reconstruction - Introduction What we want to know Fully understand an algorithm What’s inside (encryption, derivations, . . . ) ⇒ pTra database contains all we need How to proceed Identify all parts (functions, crypto) 1 Find inputs and outputs of each part 2 Understand links between them 3

  16. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  17. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection Constants detection - Theory What we know A cryptographic algorithm can be composed of some“magic” constants Hash functions are a good example If an algorithm is present, we must find its constants

  18. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection Constants detection - Theory What we know A cryptographic algorithm can be composed of some“magic” constants Hash functions are a good example If an algorithm is present, we must find its constants Where can we find them? Interesting places: Instructions (static analysis) Processor’s registers Memory accesses ⇒ pTra provides a direct access to these elements

  19. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection Constants detection - Practical Method Add a module to pTra Full research in database for known constants Avoid false positives Low probability We can group results to detect isolated constants Simple, quick and efficient

  20. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection Constants detection - Practical Method Add a module to pTra Full research in database for known constants Avoid false positives Low probability We can group results to detect isolated constants Simple, quick and efficient Results Mersenne Twister identification ( 0x6c078965 ) SHA-1 identification ( 0x67452301 , 0xefcdab89 , 0x98badcfe , 0x10325476 , 0xc3d2e1f0 ) ⇒ Adding SHA-1 primitives knowledge into our call graph ( init , update , final )

  21. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  22. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - Theory Purposes Unidentified functions: Understanding I/Os can help us to identify them Already identified functions: Find where arguments come from Establish the link with other algorithms ⇒ We must find functions input and output

  23. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - Theory Purposes Unidentified functions: Understanding I/Os can help us to identify them Already identified functions: Find where arguments come from Establish the link with other algorithms ⇒ We must find functions input and output What we know By studying memory accesses of a function: If a data is processed, it will be read Results (outputs) will be written ⇒ pTra can help us to find them

  24. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - Practical Methods To identify outputs: Memory diff (state after) - (state before) We can remove data written and read before the end (temporary data) To identify inputs: Data read for the first time by the function We can add several heuristics (pointers detection, blocks grouping, entropy computing, . . . )

  25. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - Results Facts Very efficient method to link algorithms parts between them We found another protection by looking for I/Os: transformed memory Data in memory never appear in clear format No pattern identified in the code There is a derivation function per memory area

  26. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - Results Facts Very efficient method to link algorithms parts between them We found another protection by looking for I/Os: transformed memory Data in memory never appear in clear format No pattern identified in the code There is a derivation function per memory area Identified algorithms Identified SHA-1 inputs/output verified SHA-1 inputs : Certificates ⇒ Cert-chain validation RSA-SHA1 signature algorithm is used ⇒ We have to identify RSA function

  27. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - RSA identification Main idea Destroy modular exponentiation effect of RSA Compare execution traces

  28. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation I/O identification - RSA identification Main idea Destroy modular exponentiation effect of RSA Compare execution traces Steps We know RSA algorithm is used (at least) in cert-chain validation 1 Patch all certificates pub exponents to 1 2 Patch all certificates pub modulus to max value (0xFF..FF) 3 Produce a new execution trace 4 Locate some functions differences (in number of instructions) 5 RSA located ( ± 50 million instructions) 6 ⇒ Add RSA knowledge to the call-graph 7

  29. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  30. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding Data slicing and functions rebuilding Definitions Data tainting : find all elements that depend on a given one Data slicing : find all elements influencing a given one Data tainting is forward, and slicing is backward

  31. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding Data slicing and functions rebuilding Definitions Data tainting : find all elements that depend on a given one Data slicing : find all elements influencing a given one Data tainting is forward, and slicing is backward Data slicing implementation Using Miasm IR: Symbolic execution of basic block containing target element 1 We get dependencies of its equation 2 Search for latest writes of each ones 3 And so on. 4 For data tainting, we proceed almost the same way. We just target elements whose contain the target in their dependencies.

  32. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding Dependencies graph Demo: pTra - Slicing as a commercial (with colors)

  33. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding RSA-OAEP R2, R4, R5 : Random values

  34. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Some clues Dynamic AES-CBC WhiteBox identification Results Ecofriendly step: Instruction substitution 5 Bonus 6

  35. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Some clues Dynamic AES-CBC WhiteBox identification Results Ecofriendly step: Instruction substitution 5 Bonus 6

  36. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Dependencies graph

  37. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Equivalence class Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address.

  38. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Equivalence class Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address. Example Class: 01 02 03 04 01 02 03 04 01 02 03 04 05 Data: 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E

  39. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Equivalence class Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address. Example Class: 01 02 03 04 01 02 03 04 01 02 03 04 05 Data: 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E Grouping 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E

  40. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Equivalence class Applied to dataset 1 16 bytes +-------------------+ | Block 1 | +-------------------+ | Block 2 | +-------------------+ | | | Block 3: | | Group of 16 | | bytes block | | | +-------------------+

  41. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Equivalence class Applied to dataset Applied to output block (reversed way, last write) 1 16 bytes +-------------------+ 1 2 16 bytes | Block 1 | +--+ +-------------------+ | | /* 2 bytes blocks */ | Block 2 | +--+ +-------------------+ +----------------+ | | __| | | Block 3: | | | | Group of 16 | | Bytes group | | bytes block | | | | | | | +-------------------+ | ________| | | +----------+ +--------+ /* Bytes | | on the +--------+ output, but never read */

  42. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Function rebuilding 1 def make_C3(inp): 2 3 C3 = [inp] 4 for i in xrange (10): 5 tmp = [] 6 tmp.append(inp [0] ^ table1 [(0 x100*i)+inp [13]]) 7 tmp.append(inp [1] ^ table2[inp [14]]) 8 tmp.append(inp [2] ^ table2[inp [15]]) 9 tmp.append(inp [3] ^ table2[inp [12]]) 10 tmp.append(inp [4] ^ tmp [0]) 11 tmp.append(inp [5] ^ tmp [1]) 12 tmp.append(inp [6] ^ tmp [2]) 13 tmp.append(inp [7] ^ tmp [3]) 14 tmp.append(inp [8] ^ tmp [4]) 15 tmp.append(inp [9] ^ tmp [5]) 16 tmp.append(inp [10] ^ tmp [6]) 17 tmp.append(inp [11] ^ tmp [7]) 18 tmp.append(inp [12] ^ tmp [8]) 19 tmp.append(inp [13] ^ tmp [9]) 20 tmp.append(inp [14] ^ tmp [10]) 21 tmp.append(inp [15] ^ tmp [11]) 22 C3.append(tmp) 23 inp = tmp 24 25 return C3

  43. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues Comparison between make_c3 and AES key scheduling

  44. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Some clues Dynamic AES-CBC WhiteBox identification Results Ecofriendly step: Instruction substitution 5 Bonus 6

  45. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification Dynamic AES-CBC WhiteBox identification Identification Try to reproduce intputs/outputs ⇒ Results don’t match ⇒ Encryption steps are completely done on modified states, key in input list ⇒ “ Dynamic ”whitebox

  46. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification Dynamic AES-CBC WhiteBox identification Identification Try to reproduce intputs/outputs ⇒ Results don’t match ⇒ Encryption steps are completely done on modified states, key in input list ⇒ “ Dynamic ”whitebox Interest in a DRM Wasting analysts time Hiding inputs and outputs Difficulty to reproduce the algorithm on another system (apart ripping it) Reverse algorithm is hard to find

  47. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Results Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Some clues Dynamic AES-CBC WhiteBox identification Results Ecofriendly step: Instruction substitution 5 Bonus 6

  48. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Results Results Attack Homomorphic algorithm (to XOR) 1 Mathematic properties needed 2 A limited set of candidates 3 ⇒ Derivation functions computation We are finally able to read/alter values encrypted by the algorithm, which is a 128 bits AES-CBC.

  49. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Introduction Industrial version Bonus 6

  50. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Introduction Industrial version Bonus 6

  51. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Instruction substitution - Basics Trivial method For x ∈ [0 , 2 32 − 1] : f ( x ) = (16 ∗ x + 16) mod 2 32 could be rewritten as: f ( x ) = 129441535 − 1793574399 ∗ (1584987567 ∗ (3781768432 ∗ x + 2881946191) − 4282621936)

  52. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Instruction substitution - Basics Trivial method For x ∈ [0 , 2 32 − 1] : f ( x ) = (16 ∗ x + 16) mod 2 32 could be rewritten as: f ( x ) = 129441535 − 1793574399 ∗ (1584987567 ∗ (3781768432 ∗ x + 2881946191) − 4282621936) Simplification Function simplified by modern compilation passes (particularly constant folding)

  53. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Instruction substitution - Advanced MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: ( x + y ) ≡ (( x ∧ y ) + ( x ∨ y )) ( x + y ) ≡ (( x ⊕ y ) + 2 × ( x ∧ y )) ( x ⊕ y ) − y ≡ ( x ∧ ¬ y ) − ( x ∧ y )

  54. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Instruction substitution - Advanced MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: ( x + y ) ≡ (( x ∧ y ) + ( x ∨ y )) ( x + y ) ≡ (( x ⊕ y ) + 2 × ( x ∧ y )) ( x ⊕ y ) − y ≡ ( x ∧ ¬ y ) − ( x ∧ y ) Simplification Nothing from compiler passes Nothing more from MatLab, Maple, Mathematica or Z3

  55. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction Instruction substitution - Advanced MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: ( x + y ) ≡ (( x ∧ y ) + ( x ∨ y )) ( x + y ) ≡ (( x ⊕ y ) + 2 × ( x ∧ y )) ( x ⊕ y ) − y ≡ ( x ∧ ¬ y ) − ( x ∧ y ) Simplification Nothing from compiler passes Nothing more from MatLab, Maple, Mathematica or Z3 Effective simplification Once equations are identified, capitalize them thanks to Miasm simplification engine By using the generation algorithm of these expressions

  56. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA generation Construction A matrix A in { x , y , x ⊕ y , . . . } base (expressions are represented by their truth table) An associated vector v composed of { 1, -1 } standing for operation between elements Equation is valid / generalizable to 2 n iff a linear combination of A ’s columns is equal to null element

  57. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA generation Construction A matrix A in { x , y , x ⊕ y , . . . } base (expressions are represented by their truth table) An associated vector v composed of { 1, -1 } standing for operation between elements Equation is valid / generalizable to 2 n iff a linear combination of A ’s columns is equal to null element Example x + y − ( x ⊕ y ) � A = ( f 1 , f 2 , f 3 ) (1) v = (+1 , +1 , − 1)  f 1 = x = (0 , 0 , 1 , 1)   f 2 = y = (0 , 1 , 0 , 1) (2)  f 3 = x ⊕ y = (0 , 1 , 1 , 0) 

  58. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA simplification Example x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y

  59. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA simplification Example x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y  0 1 0 0 1   0 1 0 1 0   = A  1 0 0 1 1 1 0 1 0 0     = (+1, +1, -1, -1, +1) v 

  60. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA simplification Example x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y  0 1 0 0 1   0 1 0 1 0   = A  1 0 0 1 1 1 0 1 0 0     = (+1, +1, -1, -1, +1) v  Linear combination +2 +0 +1 +0

  61. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA simplification Smallest addition to nullify  1 1   0 0   A =  1 0 0 0     v = (-1, -1)  Final equation x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y − ¬ y − ¬ ( x ∨ y ) = 0

  62. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction MBA simplification Smallest addition to nullify  1 1   0 0   A =  1 0 0 0     v = (-1, -1)  Final equation x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y − ¬ y − ¬ ( x ∨ y ) = 0 x + ¬ x − ( x ∧ y ) − ( x ⊕ y ) + ¬ y = ¬ y + ¬ ( x ∨ y )

  63. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Introduction Industrial version Bonus 6

  64. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version Transfer equation of the targeted function

  65. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version Variable identification, then function resolution: XOR 0x5C

  66. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Agenda First layer: Code flattening 1 pTra 2 Algorithm reconstruction : RSA-OAEP 3 Rebuilding a cipher function“whiteboxed” : AES-CBC 4 Ecofriendly step: Instruction substitution 5 Bonus 6

  67. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Graphing memory accesses over the time

  68. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Zoom on stack, loop detection

  69. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco O-LLVM Why O-LLVM? Open-source Recent project Implemented protections Instruction substitution Opaque predicates ( Bogus control flow ) Code flattening

  70. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Initial function: addition

  71. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco After code flattening

  72. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco CFG rebuilding (using symbolic execution)

  73. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco So . . .

  74. Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Conclusion Approach interests Allowed us to analyse state of the art obfuscation mechanisms One more method in analyst’s toolbox Can be used in other cases such as malware analysis, vulnerability research, . . .

Recommend

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . . . . C x C x C x C C c obfuscation [ BGIRSVY01, H00, GR07, GGHRSW13 ] . . . . . . . . C x C x C x C C c obfuscation [

1.03k views • 92 slides
Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Fakultt fr Informatik T echnische Universitt Mnchen Dagstuhl Seminar 17281 Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu, BMW Group Outline 1 Introduction 2 Obfuscation in Theory 3

815 views • 69 slides
VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By VFW Auxiliary

VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By VFW Auxiliary

VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By VFW Auxiliary National Headquarters Staff George Martin, Director of Accounting VFW Auxiliary Headquarters Phone (816) 561 8655 406 West 34 th Street Toll Free

1.12k views • 85 slides
Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt receiver x 1 Virtual f O(f) F B f(x 1) Black-Box x 2 (VBB) f(x 2) Obfuscation : A Secure (and f Family f Family b b single

466 views • 18 slides
) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation Techniques)%00 Techniques)%00 Roberto Salgado Co-founder of Websec Provide information security solutions Pen-testing, training

1.11k views • 93 slides
VFW Auxiliary INVESTMENTS HELD AT VFW AUXILIARY NATIONAL HEADQUARTERS Presented By George

VFW Auxiliary INVESTMENTS HELD AT VFW AUXILIARY NATIONAL HEADQUARTERS Presented By George

VFW Auxiliary INVESTMENTS HELD AT VFW AUXILIARY NATIONAL HEADQUARTERS Presented By George Martin Director of Accounting VFW Auxiliary Headquarters Phone (816) 561 8655 406 West 34 th Street Toll Free (866) 299 1286 10 th Floor Fax

392 views • 8 slides
VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By George Martin

VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By George Martin

VFW Auxiliary LOCAL AUXILIARY TREASURERS AND TRUSTEES TRAINING Presented By George Martin Director of Accounting VFW Auxiliary Headquarters Phone (816) 561 8655 406 West 34 th Street Toll Free (866) 299 1286 10 th Floor Fax (816) 931

461 views • 30 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON

Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON

Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON sguelton@quarkslab.com Introduction Control flow obfuscation Data flow obfuscation Python obfuscation Prelude Introduction Control flow obfuscation Data

1.23k views • 76 slides
OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee (* denotes equal contribution) Program Obfuscation Program Obfuscation Trusted Untrusted (except

1.34k views • 116 slides
Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20 June 2018 Supervisors: Prof. Dr. Benno Stein, PD Dr. Andreas Jakoby Unmasking for short texts Obfuscation against unmasking Obfuscation

1.38k views • 95 slides
Office of Auxiliary Services Presented by Dr. Gregory A. McCord Chief Auxiliary Services Officer

Office of Auxiliary Services Presented by Dr. Gregory A. McCord Chief Auxiliary Services Officer

Beaufort County School District Office of Auxiliary Services Presented by Dr. Gregory A. McCord Chief Auxiliary Services Officer November 28, 2017 Auxiliary Services..its a team effort!!! Dr. Gregory A. McCord, Chief Auxiliary Services

190 views • 15 slides
Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of

Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of

Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of Computer Science University of Arizona http://collberg.cs.arizona.edu collberg@gmail.com Supported by NSF grants 1525820 and 1318955 and by the

924 views • 69 slides
Dependency Parse Dependency Tags aux auxiliary auxpass passive auxiliary cop

Dependency Parse Dependency Tags aux auxiliary auxpass passive auxiliary cop

Dependency Parse Dependency Tags aux auxiliary auxpass passive auxiliary cop -- copula conj conjunct cc coordination ref -- referent subj subject nsubj nominal subject nsubjpass

1.18k views • 69 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
Term Rep placement Deep rep lacement Auxiliary constructor i Auxiliary constructor i module

Term Rep placement Deep rep lacement Auxiliary constructor i Auxiliary constructor i module

Term Rep placement Deep rep lacement Auxiliary constructor i Auxiliary constructor i module Tree-drepl d l T d l imports Tree-syntax Deep replacement: repla ace only occurrences close exports A bottom-up transformer that to the

183 views • 14 slides
Y TP YUKAWA INSTITUTE FOR THEORETICAL PHYSICS 1/21 Motivation Introduction Auxiliary Field

Y TP YUKAWA INSTITUTE FOR THEORETICAL PHYSICS 1/21 Motivation Introduction Auxiliary Field

Motivation Introduction Auxiliary Field Quantum Monte Carlo Methods Results Summary Acknowledgments Auxiliary-Field Monte Carlo method for strongly paired fermions Faisal Etminan M. M. Firoozabadi University of Birjand String and Fields

535 views • 21 slides
On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass Cornell University and Cornell Tech CRYPTO 2018 Indistinguishability Obfuscation (iO) An obfuscator is a compiler which preserves

1.01k views • 86 slides
HOP: Hardware makes Obfuscation Practical Kartik Nayak With Chris Fletcher, Ling Ren, Nishanth

HOP: Hardware makes Obfuscation Practical Kartik Nayak With Chris Fletcher, Ling Ren, Nishanth

HOP: Hardware makes Obfuscation Practical Kartik Nayak With Chris Fletcher, Ling Ren, Nishanth Chandran, Satya Lokam, Elaine Shi and Vipul Goyal 1 Compression 1 KB 1 MB Used by everyone, perhaps license it - VBB Obfuscation No one should

942 views • 34 slides
INDISTINGUISHABILITY OBFUSCATION Mark Zhandry Stanford University * Joint work with Dan Boneh

INDISTINGUISHABILITY OBFUSCATION Mark Zhandry Stanford University * Joint work with Dan Boneh

INDISTINGUISHABILITY OBFUSCATION Mark Zhandry Stanford University * Joint work with Dan Boneh Program Obfuscation Intuition: Mangle a program Same functionality as original Hides all implementation details Potential uses: IP

295 views • 28 slides
Obfuscation and Diversity: Probabilistic System Security Kyle Croman CS6410: Advanced Systems

Obfuscation and Diversity: Probabilistic System Security Kyle Croman CS6410: Advanced Systems

Obfuscation and Diversity: Probabilistic System Security Kyle Croman CS6410: Advanced Systems Definitions Obfuscation: T o be evasive, unclear, or confusing* In context, this means making a system difficult to understand and

665 views • 38 slides
Using Auxiliary Information Under a Pier Francesco Perri Generic Sampling Design Theoretical

Using Auxiliary Information Under a Pier Francesco Perri Generic Sampling Design Theoretical

19th International Conference on Computational Statistics Giancarlo Diana, Using Auxiliary Information Under a Pier Francesco Perri Generic Sampling Design Theoretical results Auxiliary information A class of estimators The best

842 views • 52 slides
Multimodal Biometrics with Auxiliary Information Quality, Userspecific, Cohort information

Multimodal Biometrics with Auxiliary Information Quality, Userspecific, Cohort information

Multimodal Biometrics with Auxiliary Information Quality, Userspecific, Cohort information and beyond Norman Poh Talk Outline Part I: Bayesian classifiers and decision theory Part II: Sources of auxiliary information Biometric

916 views • 53 slides

More recommend