Remote Entrusting by Orthogonal Client Replacement Ceccato Mariano, Mila Dalla Preda 2, Anirban Majumbar 3, Paolo Tonella Fondazione Bruno Kessler, Trento, Italy 2 University of Verona, Italy 3 University of Trento, Italy Code integrity problem Orthogonal replacement Obfuscation Code splitting Empirical validation Outline 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 2
Remote software trusting Remote software authentication: ensuring a (server) that an un-trusted host (client) is running a healthy version of a program (code integrity) Before delivering any service the server wants to know that the client is executing according to its expectations Un-trusted client Un-trusted client Un-trusted client Un-trusted client Trusted server Un-trusted client 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 3 Attack model Attacker on un-trusted host: Any dynamic/static analysis tool Any software (buggers, emulators, ) Read/write any memory location, register, network message, file. Attacks: Reverse engineer and direct code change. Runtime modification of the memory. Produce (possibly tampered) copies of P that run in parallel. Interception and change of network messages. 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 4 2
Attacker goal Goal: to tamper with the application code without being detected by the server Substantial program understanding effort by a human to understand the inner logic to attack Client Server 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 5 Our approach Periodically replace the client code with a new version Orthogonal (obfuscated) Semantically different CP CP 2 CP 3 CP 0 Client Server 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 6 3
Obfuscation Transforming a program CP into an equivalent one CP that is harder to reverse engineer, while maintaining its semantics. Potency: obscurity added to a program Resilience: how difficult is to automatically de-obfuscate Cost: computation overhead of P CP T T 2 T 3 CP 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 7 Obfuscation!! "!! # " "#! $%&'( $%&'))( '( '!( '"( '!( '"( '"( )*! + #,, -. Layout obfuscation 2. Data obfuscation 3. Control flow obfuscation 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 8 4
Splitting The code of CP i can be split into (C i, S i ) where: C i remains on the client S i runs on the server This process ensures that the code left on the client is orthogonal with respect to the previous clients An expired client can not longer be used (it would not work with the new server) CP i Client C i Server S i 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 9 Orthogonality c CP i p CP j Statement orthogonality c p if: the understanding of the of c the role in CP i does not reveal information about the role of p in CP j Program orthogonality CP i CP j if: they contains only* orthogonal statements *Not possible to transform or move to the server: System calls Library calls Input output operations 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 0 5
Orthogonal client generation CP C,,C i- repeat CP i = RendomTransform (CP) CP = CP i (C i, S i ) = MoveCompToServer(CP i, C,,C i- ) until (C i C ) (C i C i- ) (C i, S i ) 9/06/2008 Remote Entrusting by Orthogonal Client Replacement Transformation repeat CP i = RendomTransform (CP) CP = CP i (C i, S i ) = MoveCompToServer(CP i, C,,C i- ) until (C i C ) (C i C i- ) Pool of semantic preserving transformations from a catalog Propagations of annotations about black statements and performance information The goal is to obstruct code comprehension 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 2 6
Splitting repeat CP i = RendomTransform (CP) CP = CP i (C i, S i ) = MoveCompToServer(CP i, C,,C i- ) until (C i C ) (C i C i- ) Leave on the client: Statement of CP i that are orthogonal to all previous C C i- Invariable part (black) Performance intensive statements 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 3 Acceptance condition repeat CP i = RendomTransform (CP) CP = CP i (C i, S i ) = MoveCompToServer(CP i, C,,C i- ) until (C i C ) (C i C i- ) The new client is orthogonal is not just black statements (performance) Iteration in case the condition is not met 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 4 7
Empirical validation 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 5 Clone based orthogonality Orthogonality from a program comprehension point of view is hard to define and quantify Practical and computable approximation of orthogonality: based on clones Clones Statement orthogonality c p if: the understanding of the of c the role in CP i does not reveal information about the role of p in CP j CP i CP j 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 6 8
Alias based opaque predicates Opaque predicate: conditional expression whose value is known to the obfuscator, but is difficult for an adversary to deduce statically Precise inter-procedural static analysis is intractable 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 7 Aliases : f = = g g! = h Update : updatealias ( ) class A { int f ; int f2 ; void m ( ) { f = ; f2 = f ++; int tmp = f ; tmp = tmp - f ; f = f + f2 ; Alias based opaque predicates class A { if ( g!= h ) { int f ; updatealias( ) ; int f2 ; tmp = f ; void m ( ) { tmp = tmp - f ; int tmp ; updatealias( ) ; if ( f ==g ) { f = f +f2 ; f = ; updatealias( ) ; else { f2 = f ++; f = tmp / f2 ; tmp = f2%59+f2 ; else { updatealias( ) ; updatealias( ) ; tmp = f +f2 / 5 ; f = f2 - tmp ; 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 8 9
Case studies CarRace (on-line game) CP race = 220 loc Chat application CP chat = 0 loc On line applications Written in java (~K loc each) Source code is sensitive to malicious modifications 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 9 Clone size threshold Small threshold Too many iterations of the algorithm exponential grown of the source code Most of the reposted clones are false positives Improvements do not bring more security Large threshold Algorithm is fast Too many false positives Clients contains clones that could leak information to an attacker repeat CP i = RendomTransform (CP) CP = CP i (C i, S i ) = MoveCompToServer(CP i, C,,C i- ) until (C i C ) (C i C i- ) 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 20 0
Clone size threshold Application CarRace ChatClinet Min. clone length Statements Tokens 4 2 28 3 42 4 56 5 70 2 2 24 3 36 4 48 5 60 Clones 23 33 6 0 69 27 5 0 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 2 Generation Performance Application CarRace ChatClient Application lifetime 5 years A replacement every 2 days No. of clients 0 50 00 500 000 0 50 00 500 000 No. of clones 9 2 60 347 7 97 28 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 22
Attacks Opaque predicates could be attacked through dynamic analysis (debugging) Removing branches that are not executed could cause the elimination of useful code We could add predicates that infrequently evaluate to True (False) and if removed cause the application to malfunction 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 23 Future works Clone size threshold estimation requires further investigation Implementation of a full catalog of obfuscations e.g., variable splitting/encoding of the code left on the client Evaluating how long a piece of code can resist before been attacked Correct estimation of the replacement frequency 9/06/2008 Remote Entrusting by Orthogonal Client Replacement 24 2