Obfuscation: know your enemy


  1. Obfuscation: know your enemy. Ninon EYROLLES (neyrolles@quarkslab.com), Serge GUELTON (sguelton@quarkslab.com)

  2. Introduction Control flow obfuscation Data flow obfuscation Python obfuscation Prelude

  4. Plan: (1) Introduction: What is obfuscation?; (2) Control flow obfuscation; (3) Data flow obfuscation; (4) Python obfuscation

  5. What is obfuscation? Code obfuscation. Definition: Obfuscation is used to make code analysis as complex and expensive as possible, while keeping the original behaviour of the program (input/output equivalence). Uses: malware (tries to avoid signature detection); protection of sensitive algorithms (DRM, intellectual property...); theoretically: transformation of symmetric-key encryption into asymmetric-key encryption, homomorphic encryption algorithms...

  6. What is obfuscation? Don't shoot the messenger. Why this talk? → Obfuscation exists and is widely used. → You might be interested in breaking it (to rewrite some code as free software, for example). ⇒ If you want to break it, you need to know how it works!

  7. What is obfuscation? Several obfuscation types: control flow obfuscation; data-flow obfuscation; symbols rewriting (variable names, function names...); code encryption, packing...

  9. Plan: (1) Introduction; (2) Control flow obfuscation: Definitions, Control-flow obfuscation, Control flow flattening; (3) Data flow obfuscation; (4) Python obfuscation

  10. Definitions: Control flow. Illustrates the execution flow of a program: the different paths that are possible during the execution. Cycles (for, while...), conditions (if), calls to other functions... It is represented with a Control Flow Graph (CFG), formed of basic blocks and links between them.

  11. Definitions: Control flow. [Figure: CFG of pseudo-code. Blocks: `x = 10; y = 0` → `while (x ≥ 0)`; true: `y = y + 2; x = x − 1`; false: `return y`] [Figure: CFG of assembly code]

  21. Control-flow obfuscation: Various techniques. The goal is to transform the structure of the CFG: loop unrolling (→ search for patterns); inlining of function (→ comparison of code); junk code insertion (→ liveness analysis); opaque predicates (→ SMT solver); control flow flattening.

  22. Control flow flattening: Definition. Transforms the structure of the program to make CFG reconstruction difficult. Encodes the control flow information and hides the result in the data flow.

  23. Control flow flattening: Principle. Implementation: Basic blocks are numbered. A dispatcher handles the execution. A variable contains the value of the next block to be executed. At the end of every block, this variable is updated, and the execution flow goes back to the dispatcher, which then jumps to the next block. [Figure: Principle of control flow flattening. INIT (`val = 1`) → DISPATCHER (`switch(val)`) → block 1 (some code; `val = 2`), block 2 (some code; `val = 3`), block 3 (some code; `return`)]

  24. Control flow flattening: Example. [Figure: original CFG] [Figure: CFG after the control flow flattening]

  28. Control flow flattening: Weakness. What is the weakness of the control flow flattening? ⇒ The variable containing the execution flow. Obfuscation techniques: multiple (context) variables; opaque predicates; hash. ⇒ Dynamic analysis (tracing) can also be used. [Figure: INIT (`val = 1`) → DISPATCHER (`switch(val)`) → block 1 (some code; `val = 2`), block 2 (some code; `val = 3`), block 3 (some code; `return`)]

  29. Plan: (1) Introduction; (2) Control flow obfuscation; (3) Data flow obfuscation: Definition, A few techniques; (4) Python obfuscation

  30. Definition: Data flow analysis. Several ways to do it: information provided by the program's data (strings, numbers, structures...); relations between the data or between the input and output (of a program, a function, a basic block); interactions between the program and the data (reading, writing, location in memory...). Formal notions: live variable, data flow equations, backward and forward analysis...

  33. A few techniques: Examples. To make data analysis more complex: encode constants (strings for example) → look for decoding routine
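
The flattening principle (slide 23) and its weakness (slide 28), as an added example that is not from the original slides: the loop from slide 11 is flattened by hand in Python, and its CFG is rebuilt by tracing the state variable each time the dispatcher runs. The block numbering and the function names (`flattened`, `recover_cfg`, `run_demo`) are assumptions made for this illustration.

```python
# Added illustration: flatten the slide-11 loop, then rebuild its CFG from `val`.

def original():
    """Pseudo-code from slide 11, unobfuscated."""
    x, y = 10, 0
    while x >= 0:
        y = y + 2
        x = x - 1
    return y

def flattened(trace=None):
    """Same computation after control flow flattening.

    Block numbers are arbitrary (assumption). If `trace` is a list, the value
    of the state variable is recorded on every pass through the dispatcher.
    """
    x = y = 0
    val = 1                          # INIT
    while True:                      # DISPATCHER: switch(val)
        if trace is not None:
            trace.append(val)
        if val == 1:                 # block 1: initialisation
            x, y = 10, 0
            val = 2
        elif val == 2:               # block 2: loop condition
            val = 3 if x >= 0 else 4
        elif val == 3:               # block 3: loop body
            y = y + 2
            x = x - 1
            val = 2
        elif val == 4:               # block 4: exit
            return y

def recover_cfg(trace):
    """Rebuild CFG edges from consecutive values of the state variable."""
    edges = {}
    for src, dst in zip(trace, trace[1:]):
        edges.setdefault(src, set()).add(dst)
    return edges

def run_demo():
    """Run the flattened function under tracing; return (result, edges)."""
    trace = []
    result = flattened(trace)
    return result, recover_cfg(trace)

if __name__ == "__main__":
    result, cfg = run_demo()
    print("result:", result)
    for src in sorted(cfg):
        print(f"block {src} -> {sorted(cfg[src])}")
```

A trace only reveals the edges that the chosen input actually exercises; here one run takes both successors of block 2, so the loop structure of the original CFG is recovered in full.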
