Your SlideShare is downloading. ×
0
Obfuscator reloadedPascal Junod – HEIG-VDJulien Rinaldini – HEIG-VDMarc Romanens - EIA-FRJean-Roland Schuler – EIA-FR     ...
2Agenda Context of the « Obfuscator » project LLVM-based obfuscation Playing with ARM binaries
In a Nutshell …                  cÄxtáx áxx à{|á tá                  âÇÑÜÉàxvàxw áÉyàãtÜx4                                ...
In a Nutshell …                  4
In a Nutshell …                  cÄxtáx áxx à{|á tá                  Éuyâávtàxw áÉyàãtÜx4                                 ...
In a Nutshell …                  äáA                        6
In a Nutshell … `tÄ|v|Éâá exäxÜáx@XÇz|ÇxxÜ|Çz                             7
In a Nutshell …  W|z|àtÄ e|z{àá `tÇtzxÅxÇà                              8
In a Nutshell …         VÄÉâw VÉÅÑâà|Çz                           9
In a Nutshell …• A typical attack can be decomposed in three  phases:  – Program analysis       Extraction of an algorithm...
In a Nutshell …• Defense possibilities (aka « software protection »)  – Confusion     • Obfuscation  – Tamper-resistance  ...
In a Nutshell …• According to Wikipedia, «obfuscated code is  source of machine code that has been made  difficult to unde...
In a Nutshell …    return (int) ((((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) *                               (x - 7)...
In a Nutshell …         @P=split//,".URRUUc8R";@d=split//,         "nrekcah xinU / lreP rehtona         tsuJ";sub p{      ...
In a Nutshell …  void primes(int cap) {    int i, j, composite;    for(i = 2; i < cap; ++i) {      composite = 0;      for...
In a Nutshell …                  16
17In a Nutshell … Different capabilities:  – Code source vs. binary  – Supported languages     • .NET, C#, Java, Javascrip...
18In a Nutshell … Usual techniques  – Packing  – Addition of junk code  – Code transformations  – Opaque predicates  – Whi...
19Context of « Obfuscator » Project funded by HES-SO (about CHF 160K, time span 2010-2012) – HEIG-VD    • Pascal Junod    ...
20Context of «Obfuscator» Goal: – create knowledge and know-how in the domain of   software obfuscation – Develop prototyp...
21LLVM-based Obfuscation No satisfactory open-source tool able to obfuscate C/C++ Cool project to play with! RE is hard, p...
22LLVM-based Obfuscation Several «false starts» (but that’s research ;-) Sébastien Bischof : parsing C with Python Grégory...
23LLVM-based Obfuscation LLVM – Compiler infrastructure – Project initiated by the University of Illinois in 2000 – Since ...
LLVM-based Obfuscation                         24
25LLVM-based Obfuscation Available obfuscation passes – Code substitution    • A ^ B = (A & ~B) | (~A & B)    • A + B = A ...
26LLVM-based Obfuscation Available obfuscation passes – Insertion of fake branches with opaque predicates   (bachelor thes...
27LLVM-based Obfuscation Available obfuscation passes – Code flattening
28LLVM-based Obfuscation Code flattening: case of IF-THEN-ELSE
29LLVM-based Obfuscation Code flattening: case of a FOR loop
30LLVM-based Obfuscation Code flattening: case of a SWITCH
31LLVM-based Obfuscation Another example:
32LLVM-based Obfuscation Test procedure – Run test suite of the cryptographic library   libtomcrypt – Run test suite of th...
33LLVM-based Obfuscation by vÉâÜáx? ãx âáxw
34Part III Arm obfuscation About me  – Marc Romanens  – Scientific collaborator at EIA-FR  – Works on a “Exploration Proje...
35Agenda File format ELF Code insertion into ELF file ARM obfuscation    Opaque predicate    Junk code
36File format ELFSummary I 3 headers tables  – Header file     • Entry point     • Position of others headers     • Archit...
37File Format ElfSummary II
38Memory allocation of segment Image source: GNU Linux Magazine HS 32 Septembre Octobre 2007
39Insertion of code Why ?  – Obfuscation needs space How ?  – Add a new segment  – Increase size of old segment
40Obfuscation technique :Opaque predicate Example : – (X2 + X) % 2 == 0 is always true – (3X3 + 2 X2 + X) % 6 == 0 is alwa...
41Obfuscation technique :Junk code Junk code aims at: – Hiding the useful part of code Implementation : – Use condition co...
42
43
44
45Junk codeOptimisation Mix junk code and real code Change condition code with data processing instructions Add more predi...
46Questions?
47Merci/Thank you!Contact:   pascal.junod@heig-vd.ch   @cryptopathe   http://crypto.junod.info   romanens.m@gmail.com   Sl...
Upcoming SlideShare
Loading in...5
×

ASFWS 2012 - Obfuscator, ou comment durcir un code source ou un binaire contre le reverse-engineering par Pascal Junod / Jean-Roland Schuler

636

Published on

Le projet Obfuscator, mené conjointement par des équipes de l’HEIG-VD et de l’EIA-FR, vise à explorer des techniques de durcissement de logiciel, sous forme de code source ou d’exécutable, contre le reverse-engineering. Le but de cette présentation est de décrire les résultats obtenus. Cet exposé sera structurée en plusieurs parties:
- Rapide présentation de la problématique de la sécurité du logiciel par rapport au reverse-engineering;
- Description de quelques techniques d’obfuscation implémentées sous forme de “passes” pour le compilateur LLVM (substitution de code, injection de branchements factices, applatissement de code, …), et présentation des résultats obtenus ainsi que des difficultés rencontrées.
- Présentation de quelques techniques d’obfuscation de binaires pour processeurs ARM. Méthodes d’insertions de code dans un fichier binaire au format ELF. Présentation de méthodes d’obfuscation sur processeur ARM avec leurs particularités d’implémentation.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
636
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "ASFWS 2012 - Obfuscator, ou comment durcir un code source ou un binaire contre le reverse-engineering par Pascal Junod / Jean-Roland Schuler"

  1. 1. Obfuscator reloadedPascal Junod – HEIG-VDJulien Rinaldini – HEIG-VDMarc Romanens - EIA-FRJean-Roland Schuler – EIA-FR Application Security Forum - 2012 Western Switzerland 7-8 novembre 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
  2. 2. 2Agenda Context of the « Obfuscator » project LLVM-based obfuscation Playing with ARM binaries
  3. 3. In a Nutshell … cÄxtáx áxx à{|á tá âÇÑÜÉàxvàxw áÉyàãtÜx4 3
  4. 4. In a Nutshell … 4
  5. 5. In a Nutshell … cÄxtáx áxx à{|á tá Éuyâávtàxw áÉyàãtÜx4 5
  6. 6. In a Nutshell … äáA 6
  7. 7. In a Nutshell … `tÄ|v|Éâá exäxÜáx@XÇz|ÇxxÜ|Çz 7
  8. 8. In a Nutshell … W|z|àtÄ e|z{àá `tÇtzxÅxÇà 8
  9. 9. In a Nutshell … VÄÉâw VÉÅÑâà|Çz 9
  10. 10. In a Nutshell …• A typical attack can be decomposed in three phases: – Program analysis Extraction of an algorithm, secret, design – Code modification Removal of license check mechanisms – Distribution Violation of intellectual property 10
  11. 11. In a Nutshell …• Defense possibilities (aka « software protection ») – Confusion • Obfuscation – Tamper-resistance • SW/HW-based protections, node-locking, … – Watermark • SW watermarking, fingerprinting, … 11
  12. 12. In a Nutshell …• According to Wikipedia, «obfuscated code is source of machine code that has been made difficult to understand »• «difficult» … = costly = time-consuming not necessarily impossible 12
  13. 13. In a Nutshell … return (int) ((((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * (28 + z)) / ((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12 ) + .00001)) + (((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 10) * (x - 11) * (x - 12) * 30) / ((x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 11) * (x - 12) * 31) / ((x - 11) * (x - 12) + .00001)) + (((x - 12) * 30) / ((x - 12) + .00001)) + 31 + .1) - y; 13
  14. 14. In a Nutshell … @P=split//,".URRUUc8R";@d=split//, "nrekcah xinU / lreP rehtona tsuJ";sub p{ @p{"r$p","u$p"}=(P,P);pipe"r$p","u$ p";++$p;($q*=2)+=$f=!fork;map{$P=$P [$f^ord ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p; map{$p{$_}=~/^[P.]/&& close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q] ;sleep rand(2)if/S/;print 14
  15. 15. In a Nutshell … void primes(int cap) { int i, j, composite; for(i = 2; i < cap; ++i) { composite = 0; for(j = 2; j * j <= i; ++j) composite += !(i % j); if(!composite) printf("%dt", i); _(__,___,____,_____){___/__<=___ } __?_(__,___+_____,____,_____):!( } ___%__)?_(__,___+_____,___%__,__ int main(void) { ___):___%__==___/ primes(100); } __&&!____?(printf("%dt",___/__) ,_(__,___+_____,____,_____)):(__ _%__>_____&&___%__<___/__)?_(__, ___+ _____,____,_____+!(___/__%(___%_ _))):___<__*__?_(__,___+_____,__ __,_____):0;}main(void){_(100,0, 0,1);} 15
  16. 16. In a Nutshell … 16
  17. 17. 17In a Nutshell … Different capabilities: – Code source vs. binary – Supported languages • .NET, C#, Java, Javascript, C/C++, … – Costs • Size, speed – Security towards RE
  18. 18. 18In a Nutshell … Usual techniques – Packing – Addition of junk code – Code transformations – Opaque predicates – White-box cryptography – Anti-debugging tricks – Virtualization –…
  19. 19. 19Context of « Obfuscator » Project funded by HES-SO (about CHF 160K, time span 2010-2012) – HEIG-VD • Pascal Junod • Gregory Ruch • Julien Rinaldini – EIA-FR • Jean-Roland Schuler • Marc Romanens • Adrien Giner
  20. 20. 20Context of «Obfuscator» Goal: – create knowledge and know-how in the domain of software obfuscation – Develop prototype tools • HEIG-VD: focusing on source code obfuscation • EIA-FR: focusing on binary obfuscation
  21. 21. 21LLVM-based Obfuscation No satisfactory open-source tool able to obfuscate C/C++ Cool project to play with! RE is hard, protecting against RE in an efficient way is even harder!
  22. 22. 22LLVM-based Obfuscation Several «false starts» (but that’s research ;-) Sébastien Bischof : parsing C with Python Grégory Ruch: hacking the LLVM Clang API
  23. 23. 23LLVM-based Obfuscation LLVM – Compiler infrastructure – Project initiated by the University of Illinois in 2000 – Since 2005, pushed by Apple Inc. – Front-ends: • C/C++, Objective C, Fortran, Ada, Haskell, Python, Ruby, … – Back-ends: • x86, x86-64, PowerPC, PowerPC-64, ARM, Thumb, Sparc, Alpha, CellSPU, MIPS, MSP430, SystemZ, XCore.
  24. 24. LLVM-based Obfuscation 24
  25. 25. 25LLVM-based Obfuscation Available obfuscation passes – Code substitution • A ^ B = (A & ~B) | (~A & B) • A + B = A - (-B) •…
  26. 26. 26LLVM-based Obfuscation Available obfuscation passes – Insertion of fake branches with opaque predicates (bachelor thesis of Julie Michielin)
  27. 27. 27LLVM-based Obfuscation Available obfuscation passes – Code flattening
  28. 28. 28LLVM-based Obfuscation Code flattening: case of IF-THEN-ELSE
  29. 29. 29LLVM-based Obfuscation Code flattening: case of a FOR loop
  30. 30. 30LLVM-based Obfuscation Code flattening: case of a SWITCH
  31. 31. 31LLVM-based Obfuscation Another example:
  32. 32. 32LLVM-based Obfuscation Test procedure – Run test suite of the cryptographic library libtomcrypt – Run test suite of the graphical library ImageMagick • Found a routine of 6000+ C lines in it !! – Run test suite of the MySQL database • A single test is still failing Todo – Flatten try-catch constructs as well – Test, debug, test, debug, test !
  33. 33. 33LLVM-based Obfuscation by vÉâÜáx? ãx âáxw
  34. 34. 34Part III Arm obfuscation About me – Marc Romanens – Scientific collaborator at EIA-FR – Works on a “Exploration Project” on binary obfuscation for processor ARM.
  35. 35. 35Agenda File format ELF Code insertion into ELF file ARM obfuscation Opaque predicate Junk code
  36. 36. 36File format ELFSummary I 3 headers tables – Header file • Entry point • Position of others headers • Architecture – Program header (define the segments) • Flags (RWE) • Offset / virtual addresses – Section header (define the sections (optional))
  37. 37. 37File Format ElfSummary II
  38. 38. 38Memory allocation of segment Image source: GNU Linux Magazine HS 32 Septembre Octobre 2007
  39. 39. 39Insertion of code Why ? – Obfuscation needs space How ? – Add a new segment – Increase size of old segment
  40. 40. 40Obfuscation technique :Opaque predicate Example : – (X2 + X) % 2 == 0 is always true – (3X3 + 2 X2 + X) % 6 == 0 is always true Opaque predicate aims at: – Creating false branch – Improving complexity of serial number – Watermarking
  41. 41. 41Obfuscation technique :Junk code Junk code aims at: – Hiding the useful part of code Implementation : – Use condition code in ARM – Use opaque predicate for enforcing the stealth
  42. 42. 42
  43. 43. 43
  44. 44. 44
  45. 45. 45Junk codeOptimisation Mix junk code and real code Change condition code with data processing instructions Add more predicates
  46. 46. 46Questions?
  47. 47. 47Merci/Thank you!Contact: pascal.junod@heig-vd.ch @cryptopathe http://crypto.junod.info romanens.m@gmail.com Slides: http://slideshare.net/ASF-WS/presentations
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×