Software Protection via Obfuscation

Similar documents
VOT4CS: A Virtualization Obfuscation Tool for C#

Industrial Approach: Obfuscating Transformations

Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning

Obfuscating Transformations. What is Obfuscator? Obfuscation Library. Obfuscation vs. Deobfuscation. Summary

Efficient Data Structures for Tamper-Evident Logging

PLT Course Project Demo Spring Chih- Fan Chen Theofilos Petsios Marios Pomonis Adrian Tang

Intellectual Property Protection using Obfuscation

Using Exception Handling to Build Opaque Predicates in Intermediate Code Obfuscation Techniques

Master Thesis 60 credits

Formal verification of program obfuscations

Software Protection with Obfuscation and Encryption

Implementation of an Obfuscation Tool for C/C++ Source Code Protection on the XScale Architecture *

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

A methodology for Assessing JavaScript Software Protections. Pedro Fortuna

Lecture 14. System Integrity Services Obfuscation

droidcon Greece Thessaloniki September 2015

The Rise and Fall of

A Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory

Remote Entrusting by Orthogonal Client Replacement. Ceccato Mariano 1, Mila Dalla Preda 2, Anirban Majumbar 3, Paolo Tonella 1.

MobileFindr: Function Similarity Identification for Reversing Mobile Binaries. Yibin Liao, Ruoyan Cai, Guodong Zhu, Yue Yin, Kang Li

Why do we need an interpreter? SICP Interpretation part 1. Role of each part of the interpreter. 1. Arithmetic calculator.

Software Protection with Obfuscation and Encryption

T Jarkko Turkulainen, F-Secure Corporation

Analysis of Java Code Protector

Detecting Self-Mutating Malware Using Control-Flow Graph Matching

Protecting binaries. Andrew Griffiths

Are Your Mobile Apps Well Protected? Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic Unviersity

Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

RUHR-UNIVERSITÄT BOCHUM. Probfuscation: An Obfuscation Approach using Probabilistic Control Flows

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

Protecting Against Unexpected System Calls

Probfuscation: An Obfuscation Approach using Probabilistic Control Flows

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

SentinelOne Technical Brief

Suggesting Potency Measures for Obfuscated Arrays and Usage of Source Code Obfuscators for Intellectual Property Protection of Java Products

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 7: Tamperproofing II Minsk, Belarus, Spring 2014

The Android security jungle: pitfalls, threats and survival tips. Scott

Embedded/Connected Device Secure Coding. 4-Day Course Syllabus

Instructions 1 Elevation of Privilege Instructions

Remote Entrusting by Orthogonal Client Replacement

Challenge #7 Solution

Introduction to Scientific Computing

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Surveying the Physical Landscape

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency

White-Box Cryptography State of the Art. Paul Gorissen

SentinelOne Technical Brief

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

BEAMJIT, a Maze of Twisty Little Traces

Bachelor Level/ First Year/ Second Semester/ Science Full Marks: 60 Computer Science and Information Technology (CSc. 154) Pass Marks: 24

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

9/21/17. Outline. Expression Evaluation and Control Flow. Arithmetic Expressions. Operators. Operators. Notation & Placement

Technical Analysis of Established Blockchain Systems

Operators. Lecture 12 Section Robb T. Koether. Hampden-Sydney College. Fri, Feb 9, 2018

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Mitigating Security Breaches in Retail Applications WHITE PAPER

Phosphor: Illuminating Dynamic. Data Flow in Commodity JVMs


Tribhuvan University Institute of Science and Technology Computer Science and Information Technology (CSC. 154) Section A Attempt any Two questions:

Bank Infrastructure - Video - 1

Outline STRANGER. Background

Automated static deobfuscation in the context of Reverse Engineering

Fixed-Point Math and Other Optimizations

Outline. Performing Computations. Outline (cont) Expressions in C. Some Expression Formats. Types for Operands

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

OS Security IV: Virtualization and Trusted Computing

Code deobfuscation by optimization. Branko Spasojević

Android Obfuscation and Deobfuscation. Group 11

Reverse Engineering Malware Binary Obfuscation and Protection

System-Level Failures in Security

Malicious Code Analysis II

Java Internals. Frank Yellin Tim Lindholm JavaSoft

Inline Reference Monitoring Techniques

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

Breaking and Securing Mobile Apps

Certified Secure Web Application Engineer

Video Game Security. Carter Jones

Cyber Moving Targets. Yashar Dehkan Asl

Background. How it works. Parsing. Virtual Deobfuscator

A novel runtime technique for identifying malicious applications

Metadata Recovery From Obfuscated Programs Using Machine Learning

RetDec: An Open-Source Machine-Code Decompiler. Jakub Křoustek Peter Matula

Contents. Figures. Tables. Examples. Foreword. Preface. 1 Basics of Java Programming 1. xix. xxi. xxiii. xxvii. xxix

Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 4: Code Obfuscation Minsk, Belarus, Spring 2014

The Impact of Third-party Code on Android App Security. Erik Derr

RANSOMWARE PROTECTION. A Best Practices Approach to Securing Your Enterprise

ISA 2 R: Improving Software Attack and Analysis Resilience via Compiler-level Software Diversity

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE

S.E. (Computer) (First Semester) EXAMINATION, 2011 DATA STRUCTURES AND ALGORITHM (2008 PATTERN) Time : Three Hours Maximum Marks : 100

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CodeHS: Arkansas Standards Alignment

Table 1 lists the projects and teams. If you want to, you can switch teams with other students.

Main idea. Demonstrate how malware can increase its robustness against detection by taking advantage of the ubiquitous Graphics Processing Unit (GPU)

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Big and Bright - Security

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

APPLICATION OF WATERMARKING TO SOFTWARE PIRACY

Transcription:

Software Protection via Obfuscation Ciprian Lucaci InfoSec Meetup #1 1

About me Software Protection via Obfuscation - Ciprian LUCACI 2

About me 2008-2012 # Bachelor Computer Science @ Politehnica Univerity Timișoara Software Protection via Obfuscation - Ciprian LUCACI 2

About me 2008-2012 # Bachelor Computer Science @ Politehnica Univerity Timișoara 2012-2013 # Software Engineer @ Lasting Software Master Informatics @ Politehnica University, Timișoara Software Protection via Obfuscation - Ciprian LUCACI 2

About me 2008-2012 # Bachelor Computer Science @ Politehnica Univerity Timișoara 2012-2013 # Software Engineer @ Lasting Software Master Informatics @ Politehnica University, Timișoara 2013-2015 # Master Informatics @ Technische Universität München 2014 Research Assistant @ Software Engineering chair Software Protection via Obfuscation - Ciprian LUCACI 2

About me 2008-2012 # Bachelor Computer Science @ Politehnica Univerity Timișoara 2012-2013 # Software Engineer @ Lasting Software Master Informatics @ Politehnica University, Timișoara 2013-2015 # Master Informatics @ Technische Universität München 2014 Research Assistant @ Software Engineering chair 2015-today # Software Engineer @ Atigeo Software Protection via Obfuscation - Ciprian LUCACI 2

Outline Software Protection via Obfuscation - Ciprian LUCACI 3

Outline Context Software Protection Software Protection via Obfuscation - Ciprian LUCACI 3

Outline Context Software Protection Obfuscation Techniques and Tools Software Protection via Obfuscation - Ciprian LUCACI 3

Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Software Protection via Obfuscation - Ciprian LUCACI 3

Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Evaluation Selection Criteria Software Protection via Obfuscation - Ciprian LUCACI 3

Outline Context Software Protection Obfuscation Techniques and Tools Virtualization Obfuscation VOT4CS Tool Design Evaluation Selection Criteria Conclusion To Obfuscate Or Not To Obfuscate Software Protection via Obfuscation - Ciprian LUCACI 3

Context: Software protection Software Protection via Obfuscation - Ciprian LUCACI 4

Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Software Protection via Obfuscation - Ciprian LUCACI 4

Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Attack Scenario Man-At-The-End (MATE) Software Protection via Obfuscation - Ciprian LUCACI 4

Context: Software protection Threat Models [Ancakert2006] 1. Malicious Code Software security 2. Malicious Host Software protection Attack Scenario Man-At-The-End (MATE) Case Study Industry partner: Jungheinrich,.NET C# Master thesis @ Technische Universität München Software Protection via Obfuscation - Ciprian LUCACI 4

Context: Software protection Means [Collberg1998] Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation There is NO perfect security! Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Software protection Means [Collberg1998] 1. Legal 2. Remote Services 3. Encryption 4. Machine / Native code 5. Obfuscation There is NO perfect security! Obfuscation First layer of defense against intelligent tampering Prevent understanding and reuse of intellectual property Software Protection via Obfuscation - Ciprian LUCACI 5

Context: Protection via Obfuscation Techniques [Collberg1997] Software Protection via Obfuscation - Ciprian LUCACI 6

Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Software Protection via Obfuscation - Ciprian LUCACI 6

Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Software Protection via Obfuscation - Ciprian LUCACI 6

Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Software Protection via Obfuscation - Ciprian LUCACI 6

Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Control flow transformations Control flow flattening Software Protection via Obfuscation - Ciprian LUCACI 6

Context: Protection via Obfuscation Techniques [Collberg1997] Lexical transformations Renaming Data transformations String encoding Preventive transformations Code encryption Control flow transformations Control flow flattening Equivalence observable behavior Software Protection via Obfuscation - Ciprian LUCACI 6

State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No Software Protection via Obfuscation - Ciprian LUCACI 7

State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No C# decompilers Price 1. dotpeek 2. ILSpy Free 3. JustDecompile 4. ILDasm Software Protection via Obfuscation - Ciprian LUCACI 7

State of the Art Obfuscation tools C# obfuscators Price Code Virtualization 1. Agile.NET $795 Yes 2. Crypto Obfuscator $149 $4469 Yes 3. Eazfuscator.NET $399 Yes 4. ConfuserEx Free (opensource) No 5. Dotfuscator ~ $1600 No C# decompilers Price 1. dotpeek 2. ILSpy Free 3. JustDecompile 4. ILDasm C# tracers Price 1. dottrace ~$300 2. Intel Pin (binary) Free Software Protection via Obfuscation - Ciprian LUCACI 7

Thesis: Virtualization Obfuscation Goals design and implement virtualization obfuscator for C# programs an open source alternative to commercial obfuscators no free obfuscation tool with virtualization as a feature Software Protection via Obfuscation - Ciprian LUCACI 8

Thesis: Virtualization Obfuscation Goals design and implement virtualization obfuscator for C# programs an open source alternative to commercial obfuscators no free obfuscation tool with virtualization as a feature perform a case-study on a real-world software solution performance evaluation security evaluation Software Protection via Obfuscation - Ciprian LUCACI 8

Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Software Protection via Obfuscation - Ciprian LUCACI 9

Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Virtualization Tool Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 9

Background: Virtualization Obfuscation Input: Program P Generate a random new language Translate P to the new language as P` Synthetize an interpreter to translate the new instructions Program P Virtualization Tool Usage Software Diversification Mitigate MATE attacks Mitigate Static and Dynamic analysis Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 9

Background: Virtualization Obfuscation Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return... Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Background: Virtualization Obfuscation... Operations assignment addition subtraction method invocation return Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 10

Design and Implementation Virtualization Obfuscation Algorithm Refactoring Transformations Virtualization Transformations Virtualization tool Program P 1. Refactor 2. Virtualize Program P` Obfuscated program Interpreter Software Protection via Obfuscation - Ciprian LUCACI 11

Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Software Protection via Obfuscation - Ciprian LUCACI 12

Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Invocation simplification obj.m1().m2().m3() obj.member1.member13 Software Protection via Obfuscation - Ciprian LUCACI 12

Design and Implementation: Algorithm Refactoring transformations Virtualization tool Refactor Virtualize Arithmetic simplification +, -, *, /, ++, --, % Invocation simplification obj.m1().m2().m3() obj.member1.member13 Comparison simplification >, <, >=, <= For, ForEach, DoWhile conversion to While Switch conversion to chained If Local variables initialization Composed assignment Conditional expression Try/Catch statement Software Protection via Obfuscation - Ciprian LUCACI 12

Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Software Protection via Obfuscation - Ciprian LUCACI 13

Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Software Protection via Obfuscation - Ciprian LUCACI 13

Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Step 3. Process method s body statements. - generate CODE array Software Protection via Obfuscation - Ciprian LUCACI 13

Design and Implementation: Algorithm Virtualization transformations Virtualization tool Refactor Virtualize Step 1. Select method body to virtualize. Step 2. Virtualize constants, local arguments, parameters. - generate DATA array Step 3. Process method s body statements. - generate CODE array Step 4. For compound structures go to previous step and virtualize the statement s body. Software Protection via Obfuscation - Ciprian LUCACI 13

Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Software Protection via Obfuscation - Ciprian LUCACI 14

Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Software Protection via Obfuscation - Ciprian LUCACI 14

Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Operation Key Software Protection via Obfuscation - Ciprian LUCACI 14

Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Prefix Size Operation Key Operand Fake Software Protection via Obfuscation - Ciprian LUCACI 14

Design and Implementation: Algorithm Virtualization transformations int[] code Virtual Operation Operation Key List<Operand> Prefix Size Postfix Size Offset Frequency Operation Size Prefix Size Operation Key Postfix Size Operand Fake Operand Fake Software Protection via Obfuscation - Ciprian LUCACI 14

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Software Protection via Obfuscation - Ciprian LUCACI 15

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Refactoring Max operands Max invocations Software Protection via Obfuscation - Ciprian LUCACI 16

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Operation Prefix size Postfix size Junk code Refactoring Max operands Max invocations Software Protection via Obfuscation - Ciprian LUCACI 16

Design and Implementation: Obfuscation settings Interpreter Inside Method Class Instance Class Static Refactoring Max operands Max invocations Operation Prefix size Postfix size Junk code Switch Default section Operation size Software Protection via Obfuscation - Ciprian LUCACI 16

Design and Implementation: Obfuscation settings Randomization points Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Switch: Default section Software Protection via Obfuscation - Ciprian LUCACI 17

Design and Implementation: Obfuscation settings Randomization points Operation key Operands position Switch sections Array initialization VPC initialization Switch: Default section Operation size Software Protection via Obfuscation - Ciprian LUCACI 17

Evaluation Framework [Collberg1998] Potency: To what degree is a human reader confused? Resilience: How well are automatic deobfuscation attacks resisted? Cost: How much time/space overhead is added? Stealth: How well does obfuscated code blend in the original code? Software Protection via Obfuscation - Ciprian LUCACI 18

Evaluation - Potency To what degree is a human reader confused? Software Protection via Obfuscation - Ciprian LUCACI 19

Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Software Protection via Obfuscation - Ciprian LUCACI 19

Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Software Protection via Obfuscation - Ciprian LUCACI 19

Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Method overloading Class / Instance interpreter Same interpreter for multiple methods Software Protection via Obfuscation - Ciprian LUCACI 19

Evaluation - Potency To what degree is a human reader confused? Layout transformations Remove comments Variable lose names Control flow obfuscation Logic hidden in CODE array Method overloading Class / Instance interpreter Same interpreter for multiple methods Data transformations Variables and constants are stored in DATA array Software Protection via Obfuscation - Ciprian LUCACI 19

Evaluation - Resilience To what degree is an automatic tool confused? Obfuscation Goal Attacker Goal Attacker Model protect intellectual property extract source code or control flow graph man-at-the-end (MATE) Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 20

Evaluation - Resilience To what degree is an automatic tool confused? Virtualization Obfuscation analysis Obfuscation Goal Attacker Goal Attacker Model protect intellectual property extract source code or control flow graph man-at-the-end (MATE) Paper Level Automation Type Result Limitation Risk Applicable 1 [Rolles2009] binary no / partial static manual analysis extract original code time consuming not scalable 2 [Sharif2009] binary yes dynamic analysis control flow graph strong assumptions high no 3 [Coogan2011] binary yes dynamic automatic analysis approximation of original code significant trace 4 [Kinder2012] binary yes static analysis approximated data values 5 [Yadegari2015] binary yes dynamic analysis trace analysis control flow graph difficult to convert equations to CFG code of the emulator analyzed large input space trace simplification high high Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 20 low high yes yes no yes

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Step 3: Simplify traces Python scripts Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Manual static analysis: [Rolles2009] Revert Interpreter Automatic dynamic analysis [Coogan2011] Step 1: Mark method to trace ConfuserEx, CIL instructions Code injection Step 2: Trace instructions Data Dump Runtime trace Step 3: Simplify traces Python scripts Step 4: Compare traces Master Thesis: Virtualization Obfuscation - Ciprian Lucaci 21

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Simplified Obfuscated Software Protection via Obfuscation - Ciprian LUCACI 22

Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

Evaluation - Resilience Step 3: Simplify traces Software Protection via Obfuscation - Ciprian LUCACI 23

Evaluation - Resilience Step 4: Compare traces

Evaluation - Resilience Step 4: Compare traces Levenshtein distance (edit distance) Character = generic instruction, e.g. load, store, method call Compare: original simplified trace with obfuscated simplified trace

Evaluation - Resilience Step 4: Compare traces Levenshtein distance (edit distance) Character = generic instruction, e.g. load, store, method call Compare: original simplified trace with obfuscated simplified trace Different obfuscation settings Max number of operands Max number of invocations

Distance Evaluation - Resilience 3125 625 Distance / Iterations / Max # Invocations Maximum # Invocations 125 25 5 1 5 25 125 Loop Iterations 1 invocation 2 invocations 3 invocations 4 invocations 5 invocations Maximum 4 Operands Software Protection via Obfuscation - Ciprian LUCACI 25

Evaluation - Resilience Resilience to Settings correlation More Aggressive Refactorization

Evaluation - Cost Runtime overhead How much overhead is added? Software Protection via Obfuscation - Ciprian LUCACI 27

Evaluation - Cost How much overhead is added? Runtime overhead Quick Sort: Iterative and Recursive Binary Search: Iterative and Recursive GitHub Opensource Project: ResourceLib Jungheinrich Components: Startup time Software Protection via Obfuscation - Ciprian LUCACI 27

Evaluation - Cost Runtime overhead Quick Sort: Iterative and Recursive Binary Search: Iterative and Recursive GitHub Opensource Project: ResourceLib Jungheinrich Components: Startup time Size Managed code assembly on the disk How much overhead is added? Software Protection via Obfuscation - Ciprian LUCACI 27

Evaluation - Cost Binary Search runtime performance 4.000.000 elements Software Protection via Obfuscation - Ciprian LUCACI 28

Evaluation - Cost Binary Search runtime performance Binary Search iterative - slowdown trend Binary Search recursive - slowdown trend Software Protection via Obfuscation - Ciprian LUCACI 29

Evaluation - Cost Open Source Project: ResourceLib C# File Resource Management Library 46 unit tests 8 obfuscated methods in 4 different classes out of >100 methods, >40 classes >1300 calls to obfuscated methods 25 times evaluated runtime performance +0.5 https://github.com/dblock/resourcelib Software Protection via Obfuscation - Ciprian LUCACI 30

Evaluation - Cost Jungheinrich Components: Startup time Software Protection via Obfuscation - Ciprian LUCACI 31

Evaluation - Cost Jungheinrich Components: Startup time Logging Component 4 methods obfuscated +0.05 Software Protection via Obfuscation - Ciprian LUCACI 31

Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

Evaluation - Cost Size Software Protection via Obfuscation - Ciprian LUCACI 32

Evaluation - Stealth How well does obfuscated code blend in the original code? Software Protection via Obfuscation - Ciprian LUCACI 33

Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Software Protection via Obfuscation - Ciprian LUCACI 33

Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Side effects maintained Fields Lambda expressions Software Protection via Obfuscation - Ciprian LUCACI 33

Evaluation - Stealth How well does obfuscated code blend in the original code? Method Signatures maintained No broken dependencies Side effects maintained Fields Lambda expressions Annotations for non-intrusive tagging Use annotations to mark which methods to obfuscate Software Protection via Obfuscation - Ciprian LUCACI 33

Conclusion To Obfuscate or Not To Obfuscate Software Protection via Obfuscation - Ciprian LUCACI 34

Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Software Protection via Obfuscation - Ciprian LUCACI 34

Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Software Protection via Obfuscation - Ciprian LUCACI 34

Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Reverse Engineering reconstruct source code from simplified traces think as the other side Software Protection via Obfuscation - Ciprian LUCACI 34

Conclusion To Obfuscate or Not To Obfuscate Software Protection there is NO silver bullet!!! always consider the ENTIRE system use OWASP testing guide consider concurrency issues Evaluation do you really need to obfuscate everything? consider worst case scenario use potency, resilience, cost, and stealth as criteria Little protection is always better than no protection Reverse Engineering reconstruct source code from simplified traces think as the other side Software Protection via Obfuscation - Ciprian LUCACI 34

Thank you for your attention! Any questions? References [Rolles2009] Unpacking Virtualization Obfuscators [Sharif2009] Automatic Reverse Engineering of Malware Emulators [Coogan2011] Deobfuscation of Virtualization-Obfuscated Software [Kinder2012] Towards Static Analysis of Virtualization-Obfuscated Binaries [Yadegari2015] A Generic Approach to Automatic Deobfuscation of Executable Code [Cazalas2014] Probing the Limits of Virtualized Software Protection [Anckaert2006] Proteus: Virtualization for Diversified Tamper-Resistance [Cohen1993] Operating system protection through program evolution [Collberg1998] Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs Microsoft Roslyn Project: https://github.com/dotnet/roslyn Software Protection via Obfuscation - Ciprian LUCACI 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback