Software Protection via Obfuscation

Transcription

1 Software Protection via Obfuscation Ciprian Lucaci InfoSec Meetup #1 1

2 About me Software Protection via Obfuscation - Ciprian LUCACI 2

3 About me # Bachelor Computer Politehnica Univerity Timișoara Software Protection via Obfuscation - Ciprian LUCACI 2

4 About me # Bachelor Computer Politehnica Univerity Timișoara # Software Lasting Software Master Politehnica University, Timișoara Software Protection via Obfuscation - Ciprian LUCACI 2

5 About me # Bachelor Computer Politehnica Univerity Timișoara # Software Lasting Software Master Politehnica University, Timișoara # Master Technische Universität München 2014 Research Software Engineering chair Software Protection via Obfuscation - Ciprian LUCACI 2

6 About me # Bachelor Computer Politehnica Univerity Timișoara # Software Lasting Software Master Politehnica University, Timișoara # Master Technische Universität München 2014 Research Software Engineering chair 2015-today # Software Atigeo Software Protection via Obfuscation - Ciprian LUCACI 2

7 Outline Software Protection via Obfuscation - Ciprian LUCACI 3

8 Outline Context Software Protection Software Protection via Obfuscation - Ciprian LUCACI 3

9 Outline Context Software Protection Obfuscation Techniques and Tools Software Protection via Obfuscation - Ciprian LUCACI 3

10 Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Software Protection via Obfuscation - Ciprian LUCACI 3

11 Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Evaluation Selection Criteria Software Protection via Obfuscation - Ciprian LUCACI 3

12 Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Evaluation Selection Criteria Conclusion To Obfuscate Or Not To Obfuscate Software Protection via Obfuscation - Ciprian LUCACI 3

13 Context: Software protection Software Protection via Obfuscation - Ciprian LUCACI 4

14 Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Software Protection via Obfuscation - Ciprian LUCACI 4

15 Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Attack Scenario Man-At-The-End (MATE) Software Protection via Obfuscation - Ciprian LUCACI 4

16 Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Attack Scenario Man-At-The-End (MATE) Case Study Industry partner: Jungheinrich,.NET C# Master Technische Universität München Software Protection via Obfuscation - Ciprian LUCACI 4

17 Context: Software protection Means [Collberg1998] Software Protection via Obfuscation - Ciprian LUCACI 5

18 Context: Software protection Means [Collberg1998] 1. Legal Software Protection via Obfuscation - Ciprian LUCACI 5

19 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services Software Protection via Obfuscation - Ciprian LUCACI 5

20 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption Software Protection via Obfuscation - Ciprian LUCACI 5

21 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code Software Protection via Obfuscation - Ciprian LUCACI 5

22 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation Software Protection via Obfuscation - Ciprian LUCACI 5

23 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation There is NO perfect security! Software Protection via Obfuscation - Ciprian LUCACI 5

24 Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation There is NO perfect security! Obfuscation First layer of defense against intelligent tampering Prevent understanding and reuse of intellectual property Software Protection via Obfuscation - Ciprian LUCACI 5

25 Context: Protection via Obfuscation Techniques [Collberg1997] Software Protection via Obfuscation - Ciprian LUCACI 6

26 Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Software Protection via Obfuscation - Ciprian LUCACI 6

27 Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Software Protection via Obfuscation - Ciprian LUCACI 6

28 Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Software Protection via Obfuscation - Ciprian LUCACI 6

29 Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Control flow transformations Control flow flattening Software Protection via Obfuscation - Ciprian LUCACI 6

30 Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Control flow transformations Control flow flattening Equivalence observable behavior Software Protection via Obfuscation - Ciprian LUCACI 6

31 State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No Software Protection via Obfuscation - Ciprian LUCACI 7

32 State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No C# decompilers Price 1. dotpeek 2. ILSpy Free 3. JustDecompile 4. ILDasm Software Protection via Obfuscation - Ciprian LUCACI 7

33 State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No C# decompilers Price 1. dotpeek 2. ILSpy Free 3. JustDecompile 4. ILDasm C# tracers Price 1. dottrace ~$ Intel Pin (binary) Free Software Protection via Obfuscation - Ciprian LUCACI 7

34 Thesis: Virtualization Obfuscation Goals design and implement virtualization obfuscator for C# programs an open source alternative to commercial obfuscators no free obfuscation tool with virtualization as a feature Software Protection via Obfuscation - Ciprian LUCACI 8

35 Thesis: Virtualization Obfuscation Goals design and implement virtualization obfuscator for C# programs an open source alternative to commercial obfuscators no free obfuscation tool with virtualization as a feature perform a case-study on a real-world software solution performance evaluation security evaluation Software Protection via Obfuscation - Ciprian LUCACI 8

36 Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Software Protection via Obfuscation - Ciprian LUCACI 9

37 Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Virtualization Tool Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 9

38 Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Virtualization Tool Usage Software Diversification Mitigate MATE attacks Mitigate Static and Dynamic analysis Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 9

39 Background: Virtualization Obfuscation Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

40 Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

41 Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

42 Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

43 Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

44 Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

45 Design and Implementation Virtualization Obfuscation Algorithm Refactoring Transformations Virtualization Transformations Virtualization tool Program P 1. Refactor 2. Virtualize Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 11

46 Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

47 Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

48 Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

49 Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Invocation simplification obj.m1().m2().m3() obj.member1.member13 Software Protection via Obfuscation - Ciprian LUCACI 12

50 Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Invocation simplification obj.m1().m2().m3() obj.member1.member13 Comparison simplification >, <, >=, <= For, ForEach, DoWhile conversion to While Switch conversion to chained If Local variables initialization Composed assignment Conditional expression Try/Catch statement Software Protection via Obfuscation - Ciprian LUCACI 12

51 Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Software Protection via Obfuscation - Ciprian LUCACI 13

52 Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Software Protection via Obfuscation - Ciprian LUCACI 13

53 Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Step 3. Process method s body statements. - generate CODE array Software Protection via Obfuscation - Ciprian LUCACI 13

54 Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Step 3. Process method s body statements. - generate CODE array Step 4. For compound structures go to previous step and virtualize the statement s body. Software Protection via Obfuscation - Ciprian LUCACI 13

55 Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Software Protection via Obfuscation - Ciprian LUCACI 14

56 Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Software Protection via Obfuscation - Ciprian LUCACI 14

57 Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Operation Key Software Protection via Obfuscation - Ciprian LUCACI 14

58 Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Prefix Size Operation Key Operand Fake Software Protection via Obfuscation - Ciprian LUCACI 14

59 Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Prefix Size Operation Key Postfix Size Operand Fake Operand Fake Software Protection via Obfuscation - Ciprian LUCACI 14

60 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

61 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

62 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

63 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Refactoring Max operands Max invocations Software Protection via Obfuscation - Ciprian LUCACI 16

64 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Operation Prefix size Postfix size Junk code Refactoring Max operands Max invocations Software Protection via Obfuscation - Ciprian LUCACI 16

65 Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Refactoring Max operands Max invocations Operation Prefix size Postfix size Junk code Switch Default section Operation size Software Protection via Obfuscation - Ciprian LUCACI 16

66 Design and Implementation: Obfuscation settings Randomization points Software Protection via Obfuscation - Ciprian LUCACI 17

67 Design and Implementation: Obfuscation settings Randomization points Operation key Software Protection via Obfuscation - Ciprian LUCACI 17

68 Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Software Protection via Obfuscation - Ciprian LUCACI 17

69 Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Software Protection via Obfuscation - Ciprian LUCACI 17

70 Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Software Protection via Obfuscation - Ciprian LUCACI 17

71 Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Switch: Default section Software Protection via Obfuscation - Ciprian LUCACI 17

72 Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Switch: Default section Operation size Software Protection via Obfuscation - Ciprian LUCACI 17

73 Evaluation Framework [Collberg1998] Potency: To what degree is a human reader confused? Resilience: How well are automatic deobfuscation attacks resisted? Cost: How much time/space overhead is added? Stealth: How well does obfuscated code blend in the original code? Software Protection via Obfuscation - Ciprian LUCACI 18

74 Evaluation - Potency To what degree is a human reader confused? Software Protection via Obfuscation - Ciprian LUCACI 19

75 Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Software Protection via Obfuscation - Ciprian LUCACI 19

76 Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Software Protection via Obfuscation - Ciprian LUCACI 19

77 Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Method overloading Class / Instance interpreter Same interpreter for multiple methods Software Protection via Obfuscation - Ciprian LUCACI 19

78 Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Method overloading Class / Instance interpreter Same interpreter for multiple methods Data transformations Variables and constants are stored in DATA array Software Protection via Obfuscation - Ciprian LUCACI 19

79 Evaluation - Resilience To what degree is an automatic tool confused? Obfuscation Goal Attacker Goal Attacker Model protect intellectual property extract source code or control flow graph man-at-the-end (MATE) Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 20

80 Evaluation - Resilience To what degree is an automatic tool confused? Virtualization Obfuscation analysis Obfuscation Goal Attacker Goal Attacker Model protect intellectual property extract source code or control flow graph man-at-the-end (MATE) Paper Level Automation Type Result Limitation Risk Applicable 1 [Rolles2009] binary no / partial static manual analysis extract original code time consuming not scalable 2 [Sharif2009] binary yes dynamic analysis control flow graph strong assumptions high no 3 [Coogan2011] binary yes dynamic automatic analysis approximation of original code significant trace 4 [Kinder2012] binary yes static analysis approximated data values 5 [Yadegari2015] binary yes dynamic analysis trace analysis control flow graph difficult to convert equations to CFG code of the emulator analyzed large input space trace simplification high high Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 20 low high yes yes no yes

81 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

82 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

83 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

84 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

85 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Step 3: Simplify traces Python scripts Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

86 Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Step 3: Simplify traces Python scripts Step 4: Compare traces Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

87 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

88 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

89 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

90 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

91 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

92 Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

93 Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

94 Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

95 Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

96 Evaluation - Resilience Step 4: Compare traces

97 Evaluation - Resilience Step 4: Compare traces Levenshtein distance (edit distance) Character = generic instruction, e.g. load, store, method call Compare: original simplified trace with obfuscated simplified trace

98 Evaluation - Resilience Step 4: Compare traces Levenshtein distance (edit distance) Character = generic instruction, e.g. load, store, method call Compare: original simplified trace with obfuscated simplified trace Different obfuscation settings Max number of operands Max number of invocations

99 Distance Evaluation - Resilience Distance / Iterations / Max # Invocations Maximum # Invocations Loop Iterations 1 invocation 2 invocations 3 invocations 4 invocations 5 invocations Maximum 4 Operands Software Protection via Obfuscation - Ciprian LUCACI 25

100 Evaluation - Resilience Resilience to Settings correlation More Aggressive Refactorization

101 Evaluation - Cost Runtime overhead How much overhead is added? Software Protection via Obfuscation - Ciprian LUCACI 27

102 Evaluation - Cost How much overhead is added? Runtime overhead Quick Sort: Iterative and Recursive Binary Search: Iterative and Recursive GitHub Opensource Project: ResourceLib Jungheinrich Components: Startup time Software Protection via Obfuscation - Ciprian LUCACI 27

103 Evaluation - Cost Runtime overhead Quick Sort: Iterative and Recursive Binary Search: Iterative and Recursive GitHub Opensource Project: ResourceLib Jungheinrich Components: Startup time Size Managed code assembly on the disk How much overhead is added? Software Protection via Obfuscation - Ciprian LUCACI 27

104 Evaluation - Cost Binary Search runtime performance elements Software Protection via Obfuscation - Ciprian LUCACI 28

105 Evaluation - Cost Binary Search runtime performance Binary Search iterative - slowdown trend Binary Search recursive - slowdown trend Software Protection via Obfuscation - Ciprian LUCACI 29

106 Evaluation - Cost Open Source Project: ResourceLib C# File Resource Management Library 46 unit tests 8 obfuscated methods in 4 different classes out of >100 methods, >40 classes >1300 calls to obfuscated methods 25 times evaluated runtime performance Software Protection via Obfuscation - Ciprian LUCACI 30

107 Evaluation - Cost Jungheinrich Components: Startup time Software Protection via Obfuscation - Ciprian LUCACI 31

108 Evaluation - Cost Jungheinrich Components: Startup time Logging Component 4 methods obfuscated Software Protection via Obfuscation - Ciprian LUCACI 31

109 Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

110 Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

111 Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

112 Evaluation - Stealth How well does obfuscated code blend in the original code? Software Protection via Obfuscation - Ciprian LUCACI 33

113 Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Software Protection via Obfuscation - Ciprian LUCACI 33

114 Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Side effects maintained Fields Lambda expressions Software Protection via Obfuscation - Ciprian LUCACI 33

115 Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Side effects maintained Fields Lambda expressions Annotations for non-intrusive tagging Use annotations to mark which methods to obfuscate Software Protection via Obfuscation - Ciprian LUCACI 33

116 Conclusion To Obfuscate or Not To Obfuscate Software Protection via Obfuscation - Ciprian LUCACI 34

117 Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Software Protection via Obfuscation - Ciprian LUCACI 34

118 Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Software Protection via Obfuscation - Ciprian LUCACI 34

119 Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Reverse Engineering reconstruct source code from simplified traces think as the other side Software Protection via Obfuscation - Ciprian LUCACI 34

120 Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Little protection is always better than no protection Reverse Engineering reconstruct source code from simplified traces think as the other side Software Protection via Obfuscation - Ciprian LUCACI 34

121 Thank you for your attention! Any questions? References [Rolles2009] Unpacking Virtualization Obfuscators [Sharif2009] Automatic Reverse Engineering of Malware Emulators [Coogan2011] Deobfuscation of Virtualization-Obfuscated Software [Kinder2012] Towards Static Analysis of Virtualization-Obfuscated Binaries [Yadegari2015] A Generic Approach to Automatic Deobfuscation of Executable Code [Cazalas2014] Probing the Limits of Virtualized Software Protection [Anckaert2006] Proteus: Virtualization for Diversified Tamper-Resistance [Cohen1993] Operating system protection through program evolution [Collberg1998] Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs Microsoft Roslyn Project: Software Protection via Obfuscation - Ciprian LUCACI 35