SlideShare a Scribd company logo

LLVM Obfuscation

Cyber Security Alliance
Cyber Security Alliance

This document discusses software obfuscation techniques. It provides an overview of the Obfuscator project, which aims to develop tools for LLVM-based source code obfuscation and binary obfuscation for ARM processors. Specific techniques discussed include code substitution, insertion of fake branches with opaque predicates, code flattening, addition of junk code, and use of opaque predicates and condition codes to add junk code to ARM binaries.

1 of 47
Download to read offline
Obfuscator reloaded Pascal Junod – HEIG-VD Julien Rinaldini – HEIG-VD Marc Romanens - EIA-FR Jean-Roland Schuler – EIA-FR Application Security Forum - 2012 Western Switzerland 7-8 novembre 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
2 Agenda Context of the « Obfuscator » project LLVM-based obfuscation Playing with ARM binaries
In a Nutshell … cÄxtáx áxx à{|á tá âÇÑÜÉàxvàxw áÉyàãtÜx4 3
In a Nutshell … 4
In a Nutshell … cÄxtáx áxx à{|á tá Éuyâávtàxw áÉyàãtÜx4 5
In a Nutshell … äáA 6
In a Nutshell … `tÄ|v|Éâá exäxÜáx@XÇz|ÇxxÜ|Çz 7
In a Nutshell … W|z|àtÄ e|z{àá `tÇtzxÅxÇà 8
In a Nutshell … VÄÉâw VÉÅÑâà|Çz 9
In a Nutshell … • A typical attack can be decomposed in three phases: – Program analysis Extraction of an algorithm, secret, design – Code modification Removal of license check mechanisms – Distribution Violation of intellectual property 10
In a Nutshell … • Defense possibilities (aka « software protection ») – Confusion • Obfuscation – Tamper-resistance • SW/HW-based protections, node-locking, … – Watermark • SW watermarking, fingerprinting, … 11
In a Nutshell … • According to Wikipedia, «obfuscated code is source of machine code that has been made difficult to understand » • «difficult» … = costly = time-consuming not necessarily impossible 12
In a Nutshell … return (int) ((((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * (28 + z)) / ((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12 ) + .00001)) + (((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 10) * (x - 11) * (x - 12) * 30) / ((x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 11) * (x - 12) * 31) / ((x - 11) * (x - 12) + .00001)) + (((x - 12) * 30) / ((x - 12) + .00001)) + 31 + .1) - y; 13
In a Nutshell … @P=split//,".URRUUc8R";@d=split//, "nrekcah xinU / lreP rehtona tsuJ";sub p{ @p{"r$p","u$p"}=(P,P);pipe"r$p","u$ p";++$p;($q*=2)+=$f=!fork;map{$P=$P [$f^ord ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p; map{$p{$_}=~/^[P.]/&& close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q] ;sleep rand(2)if/S/;print 14
In a Nutshell … void primes(int cap) { int i, j, composite; for(i = 2; i < cap; ++i) { composite = 0; for(j = 2; j * j <= i; ++j) composite += !(i % j); if(!composite) printf("%dt", i); _(__,___,____,_____){___/__<=___ } __?_(__,___+_____,____,_____):!( } ___%__)?_(__,___+_____,___%__,__ int main(void) { ___):___%__==___/ primes(100); } __&&!____?(printf("%dt",___/__) ,_(__,___+_____,____,_____)):(__ _%__>_____&&___%__<___/__)?_(__, ___+ _____,____,_____+!(___/__%(___%_ _))):___<__*__?_(__,___+_____,__ __,_____):0;}main(void){_(100,0, 0,1);} 15
In a Nutshell … 16
17 In a Nutshell … Different capabilities: – Code source vs. binary – Supported languages • .NET, C#, Java, Javascript, C/C++, … – Costs • Size, speed – Security towards RE
18 In a Nutshell … Usual techniques – Packing – Addition of junk code – Code transformations – Opaque predicates – White-box cryptography – Anti-debugging tricks – Virtualization –…
19 Context of « Obfuscator » Project funded by HES-SO (about CHF 160K, time span 2010-2012) – HEIG-VD • Pascal Junod • Gregory Ruch • Julien Rinaldini – EIA-FR • Jean-Roland Schuler • Marc Romanens • Adrien Giner
20 Context of «Obfuscator» Goal: – create knowledge and know-how in the domain of software obfuscation – Develop prototype tools • HEIG-VD: focusing on source code obfuscation • EIA-FR: focusing on binary obfuscation
21 LLVM-based Obfuscation No satisfactory open-source tool able to obfuscate C/C++ Cool project to play with! RE is hard, protecting against RE in an efficient way is even harder!
22 LLVM-based Obfuscation Several «false starts» (but that’s research ;-) Sébastien Bischof : parsing C with Python Grégory Ruch: hacking the LLVM Clang API
23 LLVM-based Obfuscation LLVM – Compiler infrastructure – Project initiated by the University of Illinois in 2000 – Since 2005, pushed by Apple Inc. – Front-ends: • C/C++, Objective C, Fortran, Ada, Haskell, Python, Ruby, … – Back-ends: • x86, x86-64, PowerPC, PowerPC-64, ARM, Thumb, Sparc, Alpha, CellSPU, MIPS, MSP430, SystemZ, XCore.
LLVM-based Obfuscation 24
25 LLVM-based Obfuscation Available obfuscation passes – Code substitution • A ^ B = (A & ~B) | (~A & B) • A + B = A - (-B) •…
26 LLVM-based Obfuscation Available obfuscation passes – Insertion of fake branches with opaque predicates (bachelor thesis of Julie Michielin)
27 LLVM-based Obfuscation Available obfuscation passes – Code flattening
28 LLVM-based Obfuscation Code flattening: case of IF-THEN-ELSE
29 LLVM-based Obfuscation Code flattening: case of a FOR loop
30 LLVM-based Obfuscation Code flattening: case of a SWITCH
31 LLVM-based Obfuscation Another example:
32 LLVM-based Obfuscation Test procedure – Run test suite of the cryptographic library libtomcrypt – Run test suite of the graphical library ImageMagick • Found a routine of 6000+ C lines in it !! – Run test suite of the MySQL database • A single test is still failing Todo – Flatten try-catch constructs as well – Test, debug, test, debug, test !
33 LLVM-based Obfuscation by vÉâÜáx? ãx âáxw
34 Part III Arm obfuscation About me – Marc Romanens – Scientific collaborator at EIA-FR – Works on a “Exploration Project” on binary obfuscation for processor ARM.
35 Agenda File format ELF Code insertion into ELF file ARM obfuscation Opaque predicate Junk code
36 File format ELF Summary I 3 headers tables – Header file • Entry point • Position of others headers • Architecture – Program header (define the segments) • Flags (RWE) • Offset / virtual addresses – Section header (define the sections (optional))
37 File Format Elf Summary II
38 Memory allocation of segment Image source: GNU Linux Magazine HS 32 Septembre Octobre 2007
39 Insertion of code Why ? – Obfuscation needs space How ? – Add a new segment – Increase size of old segment
40 Obfuscation technique : Opaque predicate Example : – (X2 + X) % 2 == 0 is always true – (3X3 + 2 X2 + X) % 6 == 0 is always true Opaque predicate aims at: – Creating false branch – Improving complexity of serial number – Watermarking
41 Obfuscation technique : Junk code Junk code aims at: – Hiding the useful part of code Implementation : – Use condition code in ARM – Use opaque predicate for enforcing the stealth
42
43
44
45 Junk code Optimisation Mix junk code and real code Change condition code with data processing instructions Add more predicates
46 Questions?
47 Merci/Thank you! Contact: pascal.junod@heig-vd.ch @cryptopathe http://crypto.junod.info romanens.m@gmail.com Slides: http://slideshare.net/ASF-WS/presentations

Recommended

openGl example
openGl exampleopenGl example
openGl exampleBrian Goggins
 
Math01_ogashin
Math01_ogashinMath01_ogashin
Math01_ogashinogashin
 
The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202Mahmoud Samir Fayed
 
tetris
tetristetris
tetrisCameron White
 
SOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKASOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKAAfrilio Franseda
 
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」Ken'ichi Matsui
 
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料Ken'ichi Matsui
 
662305 LAB12
662305 LAB12662305 LAB12
662305 LAB12Nitigan Nakjuatong
 

Recommended

openGl example
openGl exampleopenGl example
openGl exampleBrian Goggins
 
Math01_ogashin
Math01_ogashinMath01_ogashin
Math01_ogashinogashin
 
The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202The Ring programming language version 1.8 book - Part 66 of 202
The Ring programming language version 1.8 book - Part 66 of 202Mahmoud Samir Fayed
 
tetris
tetristetris
tetrisCameron White
 
SOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKASOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKAAfrilio Franseda
 
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」Ken'ichi Matsui
 
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料Ken'ichi Matsui
 
662305 LAB12
662305 LAB12662305 LAB12
662305 LAB12Nitigan Nakjuatong
 
統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半Ken'ichi Matsui
 
Integral calculus
Integral calculus Integral calculus
Integral calculus منتدى الرياضيات المتقدمة
 
Creating masterpieces with raphael
Creating masterpieces with raphaelCreating masterpieces with raphael
Creating masterpieces with raphaelPippi Labradoodle
 
Ocr code
Ocr codeOcr code
Ocr codewi7sonjoseph
 
computer graphics practicals
computer graphics practicalscomputer graphics practicals
computer graphics practicalsManoj Chauhan
 
ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-ssusere0a682
 
ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ssusere0a682
 
Scrollytelling
ScrollytellingScrollytelling
ScrollytellingBaron Watts
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196Mahmoud Samir Fayed
 
Computer graphics programs in c++
Computer graphics programs in c++Computer graphics programs in c++
Computer graphics programs in c++Ankit Kumar
 
Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...Brase947
 
X2 T05 06 Partial Fractions
X2 T05 06 Partial FractionsX2 T05 06 Partial Fractions
X2 T05 06 Partial FractionsNigel Simmons
 
Algebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions ManualAlgebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions Manualkejeqadaqo
 
Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)Matthew Leingang
 
SAT/SMT solving in Haskell
SAT/SMT solving in HaskellSAT/SMT solving in Haskell
SAT/SMT solving in HaskellMasahiro Sakai
 
Computer graphics File for Engineers
Computer graphics File for EngineersComputer graphics File for Engineers
Computer graphics File for Engineersvarun arora
 
Cg my own programs
Cg my own programsCg my own programs
Cg my own programsAmit Kapoor
 
Mobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision DetectionMobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision DetectionJenchoke Tachagomain
 
Mobile Game and Application with J2ME
Mobile Game and Application with J2MEMobile Game and Application with J2ME
Mobile Game and Application with J2MEJenchoke Tachagomain
 
Robot Motion Source code
Robot Motion Source codeRobot Motion Source code
Robot Motion Source codeBrian Goggins
 
Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015ihji
 
Modular Macros for OCaml
Modular Macros for OCamlModular Macros for OCaml
Modular Macros for OCamlOCaml Labs
 

More Related Content

What's hot

統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半Ken'ichi Matsui
 
Creating masterpieces with raphael
Creating masterpieces with raphaelCreating masterpieces with raphael
Creating masterpieces with raphaelPippi Labradoodle
 
computer graphics practicals
computer graphics practicalscomputer graphics practicals
computer graphics practicalsManoj Chauhan
 
ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-ssusere0a682
 
ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ssusere0a682
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196Mahmoud Samir Fayed
 
Computer graphics programs in c++
Computer graphics programs in c++Computer graphics programs in c++
Computer graphics programs in c++Ankit Kumar
 
Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...Brase947
 
X2 T05 06 Partial Fractions
X2 T05 06 Partial FractionsX2 T05 06 Partial Fractions
X2 T05 06 Partial FractionsNigel Simmons
 
Algebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions ManualAlgebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions Manualkejeqadaqo
 
Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)Matthew Leingang
 
SAT/SMT solving in Haskell
SAT/SMT solving in HaskellSAT/SMT solving in Haskell
SAT/SMT solving in HaskellMasahiro Sakai
 
Computer graphics File for Engineers
Computer graphics File for EngineersComputer graphics File for Engineers
Computer graphics File for Engineersvarun arora
 
Cg my own programs
Cg my own programsCg my own programs
Cg my own programsAmit Kapoor
 
Mobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision DetectionMobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision DetectionJenchoke Tachagomain
 
Mobile Game and Application with J2ME
Mobile Game and Application with J2MEMobile Game and Application with J2ME
Mobile Game and Application with J2MEJenchoke Tachagomain
 
Robot Motion Source code
Robot Motion Source codeRobot Motion Source code
Robot Motion Source codeBrian Goggins
 

What's hot (20)

統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半統計的学習の基礎 4章 前半
統計的学習の基礎 4章 前半
 
Integral calculus
Integral calculus Integral calculus
Integral calculus
 
Creating masterpieces with raphael
Creating masterpieces with raphaelCreating masterpieces with raphael
Creating masterpieces with raphael
 
Ocr code
Ocr codeOcr code
Ocr code
 
computer graphics practicals
computer graphics practicalscomputer graphics practicals
computer graphics practicals
 
ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-ゲーム理論BASIC 第38回 -続・カーネル-
ゲーム理論BASIC 第38回 -続・カーネル-
 
ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-ゲーム理論BASIC 第37回 -カーネル-
ゲーム理論BASIC 第37回 -カーネル-
 
Scrollytelling
ScrollytellingScrollytelling
Scrollytelling
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196
 
Computer graphics programs in c++
Computer graphics programs in c++Computer graphics programs in c++
Computer graphics programs in c++
 
Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...Solutions manual for digital logic and microprocessor design with interfacing...
Solutions manual for digital logic and microprocessor design with interfacing...
 
X2 T05 06 Partial Fractions
X2 T05 06 Partial FractionsX2 T05 06 Partial Fractions
X2 T05 06 Partial Fractions
 
Algebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions ManualAlgebra and Trigonometry 9th Edition Larson Solutions Manual
Algebra and Trigonometry 9th Edition Larson Solutions Manual
 
Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)Lesson 21: Curve Sketching (Section 10 version)
Lesson 21: Curve Sketching (Section 10 version)
 
SAT/SMT solving in Haskell
SAT/SMT solving in HaskellSAT/SMT solving in Haskell
SAT/SMT solving in Haskell
 
Computer graphics File for Engineers
Computer graphics File for EngineersComputer graphics File for Engineers
Computer graphics File for Engineers
 
Cg my own programs
Cg my own programsCg my own programs
Cg my own programs
 
Mobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision DetectionMobile Game and Application with J2ME - Collision Detection
Mobile Game and Application with J2ME - Collision Detection
 
Mobile Game and Application with J2ME
Mobile Game and Application with J2MEMobile Game and Application with J2ME
Mobile Game and Application with J2ME
 
Robot Motion Source code
Robot Motion Source codeRobot Motion Source code
Robot Motion Source code
 

Similar to LLVM Obfuscation

Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015ihji
 
Modular Macros for OCaml
Modular Macros for OCamlModular Macros for OCaml
Modular Macros for OCamlOCaml Labs
 
Артём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data AnalysisАртём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data AnalysisSpbDotNet Community
 
2018 06-19 paris cybersecurity meetup
2018 06-19 paris cybersecurity meetup2018 06-19 paris cybersecurity meetup
2018 06-19 paris cybersecurity meetupRaphaël Laffitte
 
Prob-Dist-Toll-Forecast-Uncertainty
Prob-Dist-Toll-Forecast-UncertaintyProb-Dist-Toll-Forecast-Uncertainty
Prob-Dist-Toll-Forecast-UncertaintyAnkoor Bhagat
 
Haskellで学ぶ関数型言語
Haskellで学ぶ関数型言語Haskellで学ぶ関数型言語
Haskellで学ぶ関数型言語ikdysfm
 
8 minutes of monad transformers
8 minutes of monad transformers8 minutes of monad transformers
8 minutes of monad transformersArthur Kushka
 
Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06Aritra Sarkar
 
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Mozaic Works
 
Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)David de Boer
 
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」Ken'ichi Matsui
 
Computer graphics lab manual
Computer graphics lab manualComputer graphics lab manual
Computer graphics lab manualUma mohan
 
Computer Graphics Lab File C Programs
Computer Graphics Lab File C ProgramsComputer Graphics Lab File C Programs
Computer Graphics Lab File C ProgramsKandarp Tiwari
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!Boy Baukema
 
Clojure for Data Science
Clojure for Data ScienceClojure for Data Science
Clojure for Data Sciencehenrygarner
 
BOXPLOT EXAMPLES in R And An Example for BEESWARM:
BOXPLOT EXAMPLES in R And An Example for BEESWARM:BOXPLOT EXAMPLES in R And An Example for BEESWARM:
BOXPLOT EXAMPLES in R And An Example for BEESWARM:Dr. Volkan OBAN
 

Similar to LLVM Obfuscation (20)

Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015
 
Modular Macros for OCaml
Modular Macros for OCamlModular Macros for OCaml
Modular Macros for OCaml
 
Артём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data AnalysisАртём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data Analysis
 
2018 06-19 paris cybersecurity meetup
2018 06-19 paris cybersecurity meetup2018 06-19 paris cybersecurity meetup
2018 06-19 paris cybersecurity meetup
 
Seminar PSU 10.10.2014 mme
Seminar PSU 10.10.2014 mmeSeminar PSU 10.10.2014 mme
Seminar PSU 10.10.2014 mme
 
Prob-Dist-Toll-Forecast-Uncertainty
Prob-Dist-Toll-Forecast-UncertaintyProb-Dist-Toll-Forecast-Uncertainty
Prob-Dist-Toll-Forecast-Uncertainty
 
Haskellで学ぶ関数型言語
Haskellで学ぶ関数型言語Haskellで学ぶ関数型言語
Haskellで学ぶ関数型言語
 
8 minutes of monad transformers
8 minutes of monad transformers8 minutes of monad transformers
8 minutes of monad transformers
 
Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06Fractal Rendering in Developer C++ - 2012-11-06
Fractal Rendering in Developer C++ - 2012-11-06
 
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
Stefan Kanev: Clojure, ClojureScript and Why They're Awesome at I T.A.K.E. Un...
 
Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)
 
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」
第13回数学カフェ「素数!!」二次会 LT資料「乱数!!」
 
Computer graphics lab manual
Computer graphics lab manualComputer graphics lab manual
Computer graphics lab manual
 
Computer Graphics Lab File C Programs
Computer Graphics Lab File C ProgramsComputer Graphics Lab File C Programs
Computer Graphics Lab File C Programs
 
ES6 is Nigh
ES6 is NighES6 is Nigh
ES6 is Nigh
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!
 
Clojure for Data Science
Clojure for Data ScienceClojure for Data Science
Clojure for Data Science
 
BOXPLOT EXAMPLES in R And An Example for BEESWARM:
BOXPLOT EXAMPLES in R And An Example for BEESWARM:BOXPLOT EXAMPLES in R And An Example for BEESWARM:
BOXPLOT EXAMPLES in R And An Example for BEESWARM:
 
mean_variance
mean_variancemean_variance
mean_variance
 
Farewell to Disks: Efficient Processing of Obstinate Data
Farewell to Disks: Efficient Processing of Obstinate DataFarewell to Disks: Efficient Processing of Obstinate Data
Farewell to Disks: Efficient Processing of Obstinate Data
 

More from Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

More from Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

LLVM Obfuscation

  • 1. Obfuscator reloaded Pascal Junod – HEIG-VD Julien Rinaldini – HEIG-VD Marc Romanens - EIA-FR Jean-Roland Schuler – EIA-FR Application Security Forum - 2012 Western Switzerland 7-8 novembre 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
  • 2. 2 Agenda Context of the « Obfuscator » project LLVM-based obfuscation Playing with ARM binaries
  • 3. In a Nutshell … cÄxtáx áxx à{|á tá âÇÑÜÉàxvàxw áÉyàãtÜx4 3
  • 5. In a Nutshell … cÄxtáx áxx à{|á tá Éuyâávtàxw áÉyàãtÜx4 5
  • 6. In a Nutshell … äáA 6
  • 7. In a Nutshell … `tÄ|v|Éâá exäxÜáx@XÇz|ÇxxÜ|Çz 7
  • 8. In a Nutshell … W|z|àtÄ e|z{àá `tÇtzxÅxÇà 8
  • 9. In a Nutshell … VÄÉâw VÉÅÑâà|Çz 9
  • 10. In a Nutshell … • A typical attack can be decomposed in three phases: – Program analysis Extraction of an algorithm, secret, design – Code modification Removal of license check mechanisms – Distribution Violation of intellectual property 10
  • 11. In a Nutshell … • Defense possibilities (aka « software protection ») – Confusion • Obfuscation – Tamper-resistance • SW/HW-based protections, node-locking, … – Watermark • SW watermarking, fingerprinting, … 11
  • 12. In a Nutshell … • According to Wikipedia, «obfuscated code is source of machine code that has been made difficult to understand » • «difficult» … = costly = time-consuming not necessarily impossible 12
  • 13. In a Nutshell … return (int) ((((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 2) * (x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * (28 + z)) / ((x - 3) * (x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 4) * (x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 5) * (x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 6) * (x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12 ) + .00001)) + (((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 30) / ((x - 7) * (x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 8) * (x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 9) * (x - 10) * (x - 11) * (x - 12) * 31) / ((x - 9) * (x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 10) * (x - 11) * (x - 12) * 30) / ((x - 10) * (x - 11) * (x - 12) + .00001)) + (((x - 11) * (x - 12) * 31) / ((x - 11) * (x - 12) + .00001)) + (((x - 12) * 30) / ((x - 12) + .00001)) + 31 + .1) - y; 13
  • 14. In a Nutshell … @P=split//,".URRUUc8R";@d=split//, "nrekcah xinU / lreP rehtona tsuJ";sub p{ @p{"r$p","u$p"}=(P,P);pipe"r$p","u$ p";++$p;($q*=2)+=$f=!fork;map{$P=$P [$f^ord ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p; map{$p{$_}=~/^[P.]/&& close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q] ;sleep rand(2)if/S/;print 14
  • 15. In a Nutshell … void primes(int cap) { int i, j, composite; for(i = 2; i < cap; ++i) { composite = 0; for(j = 2; j * j <= i; ++j) composite += !(i % j); if(!composite) printf("%dt", i); _(__,___,____,_____){___/__<=___ } __?_(__,___+_____,____,_____):!( } ___%__)?_(__,___+_____,___%__,__ int main(void) { ___):___%__==___/ primes(100); } __&&!____?(printf("%dt",___/__) ,_(__,___+_____,____,_____)):(__ _%__>_____&&___%__<___/__)?_(__, ___+ _____,____,_____+!(___/__%(___%_ _))):___<__*__?_(__,___+_____,__ __,_____):0;}main(void){_(100,0, 0,1);} 15
  • 16. In a Nutshell … 16
  • 17. 17 In a Nutshell … Different capabilities: – Code source vs. binary – Supported languages • .NET, C#, Java, Javascript, C/C++, … – Costs • Size, speed – Security towards RE
  • 18. 18 In a Nutshell … Usual techniques – Packing – Addition of junk code – Code transformations – Opaque predicates – White-box cryptography – Anti-debugging tricks – Virtualization –…
  • 19. 19 Context of « Obfuscator » Project funded by HES-SO (about CHF 160K, time span 2010-2012) – HEIG-VD • Pascal Junod • Gregory Ruch • Julien Rinaldini – EIA-FR • Jean-Roland Schuler • Marc Romanens • Adrien Giner
  • 20. 20 Context of «Obfuscator» Goal: – create knowledge and know-how in the domain of software obfuscation – Develop prototype tools • HEIG-VD: focusing on source code obfuscation • EIA-FR: focusing on binary obfuscation
  • 21. 21 LLVM-based Obfuscation No satisfactory open-source tool able to obfuscate C/C++ Cool project to play with! RE is hard, protecting against RE in an efficient way is even harder!
  • 22. 22 LLVM-based Obfuscation Several «false starts» (but that’s research ;-) Sébastien Bischof : parsing C with Python Grégory Ruch: hacking the LLVM Clang API
  • 23. 23 LLVM-based Obfuscation LLVM – Compiler infrastructure – Project initiated by the University of Illinois in 2000 – Since 2005, pushed by Apple Inc. – Front-ends: • C/C++, Objective C, Fortran, Ada, Haskell, Python, Ruby, … – Back-ends: • x86, x86-64, PowerPC, PowerPC-64, ARM, Thumb, Sparc, Alpha, CellSPU, MIPS, MSP430, SystemZ, XCore.
  • 25. 25 LLVM-based Obfuscation Available obfuscation passes – Code substitution • A ^ B = (A & ~B) | (~A & B) • A + B = A - (-B) •…
  • 26. 26 LLVM-based Obfuscation Available obfuscation passes – Insertion of fake branches with opaque predicates (bachelor thesis of Julie Michielin)
  • 27. 27 LLVM-based Obfuscation Available obfuscation passes – Code flattening
  • 28. 28 LLVM-based Obfuscation Code flattening: case of IF-THEN-ELSE
  • 29. 29 LLVM-based Obfuscation Code flattening: case of a FOR loop
  • 30. 30 LLVM-based Obfuscation Code flattening: case of a SWITCH
  • 32. 32 LLVM-based Obfuscation Test procedure – Run test suite of the cryptographic library libtomcrypt – Run test suite of the graphical library ImageMagick • Found a routine of 6000+ C lines in it !! – Run test suite of the MySQL database • A single test is still failing Todo – Flatten try-catch constructs as well – Test, debug, test, debug, test !
  • 33. 33 LLVM-based Obfuscation by vÉâÜáx? ãx âáxw
  • 34. 34 Part III Arm obfuscation About me – Marc Romanens – Scientific collaborator at EIA-FR – Works on a “Exploration Project” on binary obfuscation for processor ARM.
  • 35. 35 Agenda File format ELF Code insertion into ELF file ARM obfuscation Opaque predicate Junk code
  • 36. 36 File format ELF Summary I 3 headers tables – Header file • Entry point • Position of others headers • Architecture – Program header (define the segments) • Flags (RWE) • Offset / virtual addresses – Section header (define the sections (optional))
  • 38. 38 Memory allocation of segment Image source: GNU Linux Magazine HS 32 Septembre Octobre 2007
  • 39. 39 Insertion of code Why ? – Obfuscation needs space How ? – Add a new segment – Increase size of old segment
  • 40. 40 Obfuscation technique : Opaque predicate Example : – (X2 + X) % 2 == 0 is always true – (3X3 + 2 X2 + X) % 6 == 0 is always true Opaque predicate aims at: – Creating false branch – Improving complexity of serial number – Watermarking
  • 41. 41 Obfuscation technique : Junk code Junk code aims at: – Hiding the useful part of code Implementation : – Use condition code in ARM – Use opaque predicate for enforcing the stealth
  • 42. 42
  • 43. 43
  • 44. 44
  • 45. 45 Junk code Optimisation Mix junk code and real code Change condition code with data processing instructions Add more predicates
  • 47. 47 Merci/Thank you! Contact: pascal.junod@heig-vd.ch @cryptopathe http://crypto.junod.info romanens.m@gmail.com Slides: http://slideshare.net/ASF-WS/presentations