Program Obfuscation: A Quantitative Approach

Presented by: Mariusz Jakubowski, Microsoft Research

Third Workshop on Quality of Protection, October 29th, 2007

Bertrand Anckaert, Matias Madou, Bjorn De Sutter, Bruno De Bus, Koen De Bosschere, and Bart Preneel

Ghent University and K.U.Leuven, Belgium


Obfuscation has many applications



There is a large gap between theoretical results

Negative results (-):

- On the (Im)possibility of Obfuscating Programs – Barak et al. (2001)
- On the Impossibility of Obfuscation with Auxiliary Input – Goldwasser et al. (2005)

Positive results (+):

- Positive Results and Techniques for Obfuscation – Lynn et al. (2004)
- Towards Realizing Random Oracles: Hash Functions that Hide All Partial Information – Canetti et al. (1997)

Large gap

Intuitively, obfuscation does help


We need a practical system for evaluating obfuscating transformations

• It should be easy to evaluate existing and future transformations
  => Automated

• The evaluation should convey difficulty of reverse-engineering
  => Build upon experience from complexity metrics


Outline

o Intro
o Metrics
  o Instruction Count
  o Cyclomatic Number
  o Knot Count
o (De)Obfuscating transformations


Four axes based on typical reverse-engineering scenario

Reverse-engineering step and the axis it corresponds to:

• Disassemble: Code
• Flow graph construction: Control flow
• Analyse Data Flow: Data flow
• Interpret Data: Data


Evaluated Complexity Metrics

• Code: Instruction Count
• Control flow: Cyclomatic Number, Knot Count
• Data flow
• Data

Metrics are collected by a run-time instrumentation framework

+ No uncertainty about executed code
+ Always available
- Only about covered part of the code


Cyclomatic number and knot count

• Cyclomatic number:
  – #edges - #nodes + 2
  – Intuitively: the number of decision points

• Knot count:
  – #crossings
  – Intuitively: the unstructuredness
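
The three metrics, computed over the covered part of a control-flow graph recovered from an execution trace, as an added example that is not code from the presentation. The block numbering, block sizes, traces, the covered-instruction reading of instruction count and the crossing rule used for knots are assumptions.

```python
from itertools import combinations

# Constructed sample: basic blocks are numbered by their position in the code
# layout; BLOCK_SIZES gives the number of instructions in each block.
BLOCK_SIZES = {1: 3, 2: 2, 3: 4, 4: 5, 5: 2, 6: 1, 7: 6}

# Constructed traces of executed blocks: a loop (2..5) around an if/else (3 | 4).
# Block 7 is an error handler that neither run reaches.
TRACE_ONE_PATH = [1, 2, 3, 5, 6]
TRACE_BOTH_PATHS = [1, 2, 3, 5, 2, 4, 5, 6]


def covered_cfg(trace):
    """Return the (nodes, edges) that the trace actually exercised."""
    return set(trace), set(zip(trace, trace[1:]))


def instruction_count(nodes, block_sizes):
    """Instructions in covered blocks only (assumed reading of the metric)."""
    return sum(block_sizes[n] for n in nodes)


def cyclomatic_number(nodes, edges):
    """#edges - #nodes + 2, the formula given on the slide."""
    return len(edges) - len(nodes) + 2


def knot_count(edges):
    """Count pairs of control transfers whose arrows cross in the layout.

    Two transfers cross when one end of the second lies strictly inside the
    span of the first and its other end strictly outside (assumed rule).
    """
    spans = [(min(a, b), max(a, b)) for a, b in edges]
    return sum(
        1
        for (lo1, hi1), (lo2, hi2) in combinations(spans, 2)
        if lo1 < lo2 < hi1 < hi2 or lo2 < lo1 < hi2 < hi1
    )


def metrics(trace, block_sizes=BLOCK_SIZES):
    """(instruction count, cyclomatic number, knot count) for one trace."""
    nodes, edges = covered_cfg(trace)
    return (instruction_count(nodes, block_sizes),
            cyclomatic_number(nodes, edges),
            knot_count(edges))


if __name__ == "__main__":
    print("one path:  ", metrics(TRACE_ONE_PATH))
    print("both paths:", metrics(TRACE_BOTH_PATHS))
```

Block 7 appears in neither trace, so it contributes to none of the metrics: run-time collection only measures the covered part of the code.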


Outline

o Intro
o Metrics
o (De)Obfuscating transformations
  o Jump redirection [Linn et al. 2003]
  o Control flow flattening [Chenxi Wang et al. 2001]
  o Opaque predicates [Collberg et al. 1998]


Jump redirection

• Redirect branches to function

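[Figure: original code: block 1 ends in "Jmp 2" to block 2. Obfuscated code: block 1 ends in "call branch"; the Branch Function transfers control to block 2; garbage occupies the assumed return site.]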

Impact of Jump Redirection

[Chart: Increase (%) in Instruction Count, Cyclomatic Number and Knot Count for gzip, vpr, cc1, mcf, crafty, parser, perlbmk, gap, vortex, bzip2, twolf and the average; y-axis from 0 to 250]


Jump redirection - deobfuscation

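• Identify Branch Function
  – signature based
  – run-time behavior

• Record (call,return) pairs under debugger

• Overwrite calls

[Figure: the obfuscated code (block 1 ending in "call branch", the Branch Function, block 2, garbage at the assumed return site), the recorded pairs (1,2)(4,7)(9,5)…, and the call overwritten with "jmp 2"]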

Success of De-obfuscation

[Charts (two panels): Increase (%) in Instruction Count, Cyclomatic Number and Knot Count for gzip, vpr, cc1, mcf, crafty, parser, perlbmk, gap, vortex, bzip2, twolf and the average; y-axis from 0 to 250]


Control flow flattening

All original basic blocks have the same predecessor and successor

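[Figure: original flow graph of basic blocks 1, 2, 3 and 4, and its flattened form in which blocks 1, 2, 3 and 4 are all reached through a switch]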


Control flow flattening significantly increases the complexity metrics

[Chart: Increase (%) in Instruction Count, Cyclomatic Number and Knot Count for gzip, vpr, cc1, mcf, crafty, parser, perlbmk, gap, vortex, bzip2, twolf and the average; y-axis from 0 to 450]

Success of De-obfuscation

[Charts (two panels): Increase (%) in Instruction Count, Cyclomatic Number and Knot Count for gzip, vpr, cc1, mcf, crafty, parser, perlbmk, gap, vortex, bzip2, twolf and the average; y-axis from 0 to 450]


Opaque predicates

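• Add fake decision statements

[Figure: original code: block 1 ends in "Jmp 2" to block 2. Obfuscated code: block 1 ends in "Jmp if (2==2)" to block 2, with a fake block on the other branch.]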

Impact of Opaque Predication

[Chart: Increase (%) in Instruction Count, Cyclomatic Number and Knot Count for gzip, vpr, cc1, mcf, crafty, parser, perlbmk, gap, vortex, bzip2, twolf and the average; y-axis from 0 to 18]


Conclusion

• A first step towards a unified quantitative evaluation of
  – obfuscating transformations
  – deobfuscating transformations

• Which leverages experience from the established field of complexity metrics
