An overview of
control flow graph flattening
Jan Cappaert, Bart Preneel
K.U.Leuven / ESAT / SCD-COSIC
Jan Cappaert - An overview of CFG flattening 3/23 RE-TRUST workshop
Overview
• Introduction and related research
• CFG flattening
• Experiments and ideas
• Conclusions and future work
Introduction
• Software protection against
– Analysis
– Tampering
– Plagiarism
• In a “white-box attack context”
– Attacker has full privileges to the system
– System behaves as a white box (vs. black box)
Introduction
• Software analysis
– Static
• No code execution
• E.g.: disassembling, decompiling, …
– Dynamic
• Code executed
• E.g.: debugging, tracing, emulation, …
Introduction
[Figure: taxonomy of software protection techniques. Against analysis: confidentiality / secrecy, achieved by static obfuscation, dynamic obfuscation, code encryption and crypto. Against tampering: data authenticity / integrity, achieved by software guards and code signing. CFG flattening is placed under static obfuscation.]
Introduction
• Control flow graph (CFG)
– Nodes: basic blocks
– Edges: control transfers
• Basic blocks
– Group of statements always executed sequentially
• Control transfers
– Transfer control from one block to another
Introduction
• Why perform CFG analysis?
– Data usage depends on control flow
– Static analysis:
• Flow-insensitive: incomplete, within one basic block
• Flow-sensitive: more complete, over the whole CFG
Related research
• Intra-procedural
– CFG flattening
• Inter-procedural
– Function pointers
– Branch functions
[Linn and Debray, 2003]
[Figure: main calling func1 and func2 via call/return]
CFG transformations
• CFG flattening [Wang, 2000]
– “degeneration of static program control flow”
• Control flow transformations [Collberg et al., 1997]
– Opaque predicates
– Loop/branch transformations
A control flow graph
[Figure: example control flow graph]
A control flow graph - flattened
[Figure: the example control flow graph after flattening]
CFG flattening - steps
[Wang, 2001]
1. High-level constructs → if-then-goto
2. goto targets → dynamically determined
⇒ common flattened form
3. Further hindrance of data flow analysis
• Index computation (hard)
• Aliasing (NP-complete …)
Experiments and ideas
for (i = 0; i < 9; i ++) {
    for (j = 0; j < 9 - i; j ++) {
        if (a [j] > a [j + 1]) {
            t = a [j];
            a [j] = a [j + 1];
            a [j + 1] = t;
        }
    }
}
Experiments and ideas
int swVar = 1;
while (swVar) switch (swVar) {
    case 1 :
        i = 0;
        swVar = 2;
        break;
    case 2 :
        if (i < 9) swVar = 3;
        else swVar = 4;
        break;
    …
    case 8 :
        t = a [j];
        a [j] = a [j + 1];
        a [j + 1] = t;
        swVar = 9;
        break;
    case 9 :
        j ++;
        swVar = 5;
        break;
    …
}
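The complete flattened form of the bubble sort above, as an added example (not the slides' code): cases 1, 2, 7, 8 and 9 follow the numbering used on the slides, cases 3 to 6 are assumed, and the input array is constructed.

```c
/* Flattened bubble sort over a 10-element array (constructed example).
 * swVar selects the next basic block; cases 1, 2, 7, 8 and 9 follow the
 * slides' numbering, cases 3 to 6 are assumed to fill in the gaps. */
void flat_bubble_sort(int a[10])
{
    int i = 0, j = 0, t = 0;
    int swVar = 1;                    /* dispatcher variable: block to run next */
    while (swVar) switch (swVar) {
    case 1:                           /* outer loop init (slide) */
        i = 0; swVar = 2; break;
    case 2:                           /* outer loop test (slide) */
        if (i < 9) swVar = 3; else swVar = 4; break;
    case 3:                           /* inner loop init (assumed) */
        j = 0; swVar = 5; break;
    case 4:                           /* exit: stop the dispatch loop (assumed) */
        swVar = 0; break;
    case 5:                           /* inner loop test (assumed) */
        if (j < 9 - i) swVar = 6; else swVar = 7; break;
    case 6:                           /* compare neighbours (assumed) */
        if (a[j] > a[j + 1]) swVar = 8; else swVar = 9; break;
    case 7:                           /* outer loop increment (slide) */
        i++; swVar = 2; break;
    case 8:                           /* swap (slide) */
        t = a[j]; a[j] = a[j + 1]; a[j + 1] = t; swVar = 9; break;
    case 9:                           /* inner loop increment (slide) */
        j++; swVar = 5; break;
    }
}

/* Sorts a constructed input and returns 1 if the result is ascending. */
int flat_bubble_sort_demo(void)
{
    int a[10] = {9, 3, 7, 1, 8, 2, 6, 0, 5, 4};   /* constructed input */
    int k;
    flat_bubble_sort(a);
    for (k = 0; k < 9; k++)
        if (a[k] > a[k + 1]) return 0;
    return 1;
}
```

Every control transfer of the original nested loops is now an assignment to swVar, so the structured CFG is only recoverable by tracking the values swVar can take.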
A flattened CFG - attacks
• Use-def analysis: 1 ↔ 2 ↔ [3,4] ↔ …
• Forward? Backward? What if
    swVar = swVar + constant;
    swVar = swVar + condition * constant;
• Constant propagation: 1 → 2 → [3,4] → …
• Backward?
A flattened CFG - attacks
• Solution: one-way function
  e.g.: x → g^x mod p
  switch (ow(swVar)) or swVar = ow(swVar) …
• What if g changes at runtime? …
case 1 :
    i = 0;
    swVar = swVar + 1;
    break;
[Figure: flattened CFG with a switch (swVar) dispatcher; edges labelled swVar == 1, swVar == 2]
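An added example (not from the slides) combining the relative updates of the previous slide with the one-way index map of this one: the dispatcher of a flattened counting loop only ever adds to or subtracts from swVar, and the case labels are the images under an assumed toy ow(x) = 3^x mod 17.

```c
#include <stdint.h>

/* Toy one-way index map ow(x) = g^x mod p. The parameters g = 3, p = 17 are
 * constructed for illustration only; with such a small p the map is trivially
 * inverted, so a real deployment would use much larger parameters. */
static uint32_t ow(uint32_t x)
{
    uint32_t r = 1, g = 3, p = 17;
    while (x--) r = (r * g) % p;
    return r;
}

/* Sums 0..n-1 with a flattened loop. The logical block indices are 1..4, but the
 * switch sees ow(1)=3, ow(2)=9, ow(3)=10, ow(4)=13, and swVar is only updated
 * relatively, so a static analyser has to track swVar across iterations and
 * invert ow to recover the block order. */
int flat_sum(int n)
{
    int i = 0, s = 0;
    uint32_t swVar = 1;               /* logical entry block */
    while (swVar) switch (ow(swVar)) {
    case 3:                           /* ow(1): loop init */
        i = 0; s = 0;
        swVar = swVar + 1;            /* -> logical 2 */
        break;
    case 9:                           /* ow(2): loop test as a conditional relative update */
        swVar = swVar + 1 + (i >= n) * 1;   /* -> logical 3 (continue) or 4 (exit) */
        break;
    case 10:                          /* ow(3): loop body */
        s += i; i++;
        swVar = swVar - 1;            /* -> logical 2 */
        break;
    case 13:                          /* ow(4): exit the dispatch loop */
        swVar = 0;
        break;
    }
    return s;
}
```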
Additional ideas
• Relative updates of swVar
– Conditions versus opaque predicates
• One-way functions, lookup tables, hash chains, …
• Aliasing + pointer permutation blocks
• Equivalent / almost equivalent blocks
– Random / targeted conditions
• Block refactoring (splitting, merging, …)
Additional ideas
• Almost equivalent block
– Under certain conditions
case 9 :
    j = j + 1;
    swVar = 5;
    break;
case 10 :
    j = j ^ 1;
    swVar = 5;
    break;
[Figure labels: j odd, j even]
(j ^ 1 equals j + 1 only when j is even; when j is odd it equals j - 1.)
Additional ideas
• Block refactoring
– Swap pointers
– Swap data
Original blocks:
case 7 :
    i ++;
    swVar = …
    break;
case 9 :
    j ++;
    swVar = …
    break;
…
Refactored blocks (i and j exchanged with an XOR swap):
case 7 :
    i ^= j;
    j ^= i;
    i ^= j;
    swVar = …
    break;
case 9 :
    j ++;
    swVar = …
    break;
…
Conclusions
• Static CFG flattening
– Common form; no explicit control flow
– Control flow analysis requires data flow analysis
– Data flow analysis can be hard (NP-complete) under certain conditions (e.g. general pointers)
Further work
• Formalization of ideas
– One-way function versus backward analysis
– Hash chains and related
– Basic block refactoring
• Implementation and performance overhead
• Interested?
talk to me