Focused obfuscation for 1-day attack delaying

Speaker: Francisco Blas Izquierdo Riera

Current situation
  Most people run the same software.
  Serious vulnerabilities are found regularly.
  Patches are small, so an attacker can diff the patched and unpatched binaries and concentrate on the changed code to locate the bug, then attack users who have not updated yet (a "1-day" attack).

Objective
  Make locating the fixed bug harder:
  Obfuscate the patched functions.
  Obfuscate additional, unchanged functions as well, so the changes caused by the fix are buried among unrelated changes.
  Focus the obfuscation on selected functions, so that the rest of the binary stays stable and patches can still be generated.

What is obfuscation?
  Modifying code so that it is:
    harder to understand,
    harder to reason about,
    functionally equivalent to the original.

How does LLVM work?
  The frontend (here clang) translates the source code into LLVM IR.
  Optimization passes transform the IR; this is the stage where the obfuscation passes run.
  Instruction selection lowers the IR into DAGs.
  The backend converts the DAGs into machine instructions and emits them.

What's LLVM IR?
  A representation for programs similar to assembly.
  The code is divided into modules.
  Modules contain functions and global variables.
  Functions contain basic blocks.
  Basic blocks contain phi nodes followed by instructions and end with a terminator instruction.

What was implemented?
  Wang's control flattening (with adaptations)
  Constant obfuscation:
    array fetch
    equivalent arithmetic
  Reordering:
    instruction reordering
    basic block reordering
    operand swapping

How are transformations focused?
  Each function to be obfuscated is given an obfuscation key on its declaration; the declaration can live in any header file.
  The key has two uses:
    it is the secret that seeds the keyed pseudorandom generator used by the passes;
    it tells the passes which functions the transformations should be applied to.

How is control flattening done?
  Create a main (dispatcher) block.
  Create phi nodes for values referenced across blocks.
  Move all phis into the main block.
  Split blocks whose terminator cannot be processed.
  Create a phi in the main block that chooses the destination block based on the origin block.
  Use a switch on that phi value as the main block's terminator; every original block now jumps back to the main block instead of to its successor.
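The following C program is an added example, not code from the talk or its LLVM passes: it shows, at source level, what the pass produces from a small loop. The `next` variable plays the role of the phi node in the main block that selects the destination from the origin, and the case labels are the arbitrary constants the switch dispatches on (they are the constants the later passes obfuscate).

```c
#include <stdint.h>
#include <stddef.h>

/* Original function: one loop with a conditional inside, i.e. several basic
 * blocks (entry, loop condition, loop body, the add, the increment, exit). */
int64_t sum_even(const int32_t *a, size_t n)
{
    int64_t s = 0;
    for (size_t i = 0; i < n; i++) {
        if ((a[i] & 1) == 0)
            s += a[i];
    }
    return s;
}

/* Flattened form. Every original block is one case of a single switch inside
 * a dispatcher loop (the "main block"). `next` stands in for the phi node that
 * picks the destination from the origin: each case sets it to the label of
 * its successor instead of branching there. The labels are arbitrary
 * constants; recovering the original CFG means recovering them. */
int64_t sum_even_flat(const int32_t *a, size_t n)
{
    enum { B_ENTRY = 0x3a1, B_COND = 0x11f, B_BODY = 0x2c8,
           B_ADD   = 0x07d, B_INC  = 0x19e, B_EXIT = 0x0f2 };
    int64_t s = 0;
    size_t i = 0;
    int next = B_ENTRY;

    for (;;) {
        switch (next) {
        case B_ENTRY: s = 0; i = 0;                            next = B_COND; break;
        case B_COND:  next = (i < n) ? B_BODY : B_EXIT;                       break;
        case B_BODY:  next = ((a[i] & 1) == 0) ? B_ADD : B_INC;               break;
        case B_ADD:   s += a[i];                               next = B_INC;  break;
        case B_INC:   i++;                                     next = B_COND; break;
        case B_EXIT:  return s;
        default:      return s;   /* unreachable: next always holds a known label */
        }
    }
}

/* Constructed sample input. */
static const int32_t sample[] = { 4, 7, -2, 9, 10, 3, 0 };
#define NSAMPLE (sizeof sample / sizeof sample[0])

static int64_t flat_sample_sum(void)
{
    return sum_even_flat(sample, NSAMPLE);   /* 4 + (-2) + 10 + 0 = 12 */
}

/* Both versions must agree on every prefix of the sample, including the
 * empty one (the loop body never runs, so only ENTRY, COND and EXIT execute). */
static int flatten_selfcheck(void)
{
    for (size_t n = 0; n <= NSAMPLE; n++)
        if (sum_even(sample, n) != sum_even_flat(sample, n))
            return 0;
    return 1;
}
```

Note that the flattened version has exactly one loop and one switch regardless of how the original control flow looked, so the CFG a disassembler recovers is the same for every flattened function; the original structure is encoded only in the data flow through `next`.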

How is constant obfuscation done?
  Pick each constant we can obfuscate.
  Choose an obfuscation technique:
    array fetch: the constant is loaded from an array;
    arithmetic: the constant is obtained as the result of an arithmetic operation.
  Insert the new code and replace the constant with its result.
  Reobfuscate, if desired, any new constants the transformation introduced.
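An added example (not the project's code) of both techniques as generator functions: given a target constant and a random stream, `obf_arith` produces `a`, `b`, `d` with `a*b + d == c` modulo 2^32, `obf_fetch` hides `c` at a random index of a table of random decoys, and `obf_nested` shows the "reobfuscate new constants" step by array-fetching the `d` produced by the arithmetic form. The `eval_*` functions are the code the pass would emit in place of the constant; they also show why the slide on reversal says constant calculation undoes this. The xorshift64* generator is a stand-in for the AES-CTR stream the talk uses.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in for the keyed AES-CTR stream of the original design (assumption:
 * any deterministic keyed generator works the same way for this demo). */
static uint64_t rnd(uint64_t *st)
{
    uint64_t x = *st;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *st = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Equivalent arithmetic: c == a*b + d (mod 2^32) for random a and b.
 * d is solved for, so any a and b work, including even or zero ones. */
struct arith { uint32_t a, b, d; };

static struct arith obf_arith(uint32_t c, uint64_t *st)
{
    struct arith p;
    p.a = (uint32_t)rnd(st);
    p.b = (uint32_t)rnd(st);
    p.d = c - p.a * p.b;          /* unsigned wrap-around makes this exact */
    return p;
}

static uint32_t eval_arith(struct arith p) { return p.a * p.b + p.d; }

/* Array fetch: c is buried in a table of random decoys at a random index.
 * The emitted code is a load from a constant global, not an immediate. */
#define TBL 8
struct fetch { uint32_t tbl[TBL]; unsigned idx; };

static struct fetch obf_fetch(uint32_t c, uint64_t *st)
{
    struct fetch f;
    for (unsigned i = 0; i < TBL; i++)
        f.tbl[i] = (uint32_t)rnd(st);
    f.idx = (unsigned)(rnd(st) % TBL);
    f.tbl[f.idx] = c;
    return f;
}

static uint32_t eval_fetch(const struct fetch *f) { return f->tbl[f->idx]; }

/* Reobfuscation: the d from the arithmetic form is itself a new constant,
 * so it is hidden with an array fetch. Emitted code: a*b + tbl[idx]. */
struct nested { uint32_t a, b; struct fetch f; };

static struct nested obf_nested(uint32_t c, uint64_t *st)
{
    struct nested n;
    struct arith p = obf_arith(c, st);
    n.a = p.a;
    n.b = p.b;
    n.f = obf_fetch(p.d, st);
    return n;
}

static uint32_t eval_nested(const struct nested *n)
{
    return n->a * n->b + n->f.tbl[n->f.idx];
}

/* Build all three forms of c from a seed and check each evaluates back to c.
 * This evaluation is exactly the "constant calculation" that reverses the
 * transformation once the emitted code is known. */
static int roundtrip(uint32_t c, uint64_t seed)
{
    uint64_t st = seed ? seed : 1;          /* xorshift state must be nonzero */
    struct arith p = obf_arith(c, &st);
    struct fetch f = obf_fetch(c, &st);
    struct nested n = obf_nested(c, &st);
    return eval_arith(p) == c && eval_fetch(&f) == c && eval_nested(&n) == c;
}
```

Because the same seed always yields the same `a`, `b`, `d` and table, the output is reproducible for a given key, which is what lets the build be repeated; a different key gives a different but equally valid encoding of the same constant.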

How is instruction reordering done?
  Reorder the phi nodes randomly (they must stay at the top of the block).
  Build a dependency map for the remaining instructions, including the hidden dependencies introduced by side effects (memory accesses, calls).
  Pick at random one of the instructions whose dependencies have all been emitted.
  Emit it.
  Remove it from the dependency map.
  Repeat until no instructions are left; the terminator stays last.

How is block reordering done?
  Reorder the basic blocks randomly, keeping the entry block first.

How is operand swapping (swapops) done?
  For each commutative operator, decide randomly whether to swap its operands.

What do you mean "random"?
  Pseudorandom and reproducible for us, random-looking to the attacker.
  We use AES in CTR mode to generate the "random" data.
  The generator is seeded from the obfuscation key, the function name, the module name and the pass name, so every pass on every function gets its own stream and a rebuild with the same key gives the same output.
  The fixed AES key used in that derivation is a nothing-up-my-sleeve number.
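The following C program is an added example covering both the "random" slide and the instruction reordering slide; it is not the talk's code. The seed derivation mirrors the described inputs (obfuscation key, function name, module name, pass name) but uses FNV-1a plus an xorshift64* stream as a stand-in for AES-CTR, and the basic block is a constructed, LLVM-IR-flavoured toy with explicit SSA dependencies plus a conservative "memory ops stay in original relative order" rule for the hidden side-effect dependencies. `randins` is the dependency-map driven random emission; `distinct_orders` compiles the same block under several keys and counts how many different instruction sequences come out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Seed derivation: hash (obfkey, function, module, pass) with FNV-1a. The
 * original uses AES-CTR keyed with a nothing-up-my-sleeve number; the
 * weaker hash here is an assumption made to keep the example short. */
static uint64_t fnv_bytes(uint64_t h, const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t derive_seed(uint64_t obfkey, const char *func,
                            const char *module, const char *pass)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv_bytes(h, &obfkey, sizeof obfkey);
    h = fnv_bytes(h, func, strlen(func) + 1);     /* +1: the NUL separates fields */
    h = fnv_bytes(h, module, strlen(module) + 1);
    h = fnv_bytes(h, pass, strlen(pass) + 1);
    return h ? h : 1;                             /* xorshift state must be nonzero */
}

static uint64_t rnd(uint64_t *st)
{
    uint64_t x = *st;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *st = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Toy basic block (constructed). deps[] are explicit SSA uses by index; mem
 * marks instructions that touch memory or call out, which must keep their
 * original relative order (the hidden side-effect dependency). The last
 * entry is the terminator and is always emitted last. */
#define MAXI 16
struct ins { const char *text; int ndeps; int deps[3]; int mem; };

static const struct ins block[] = {
    { "%a = load i32, i32* %p",   0, {0},    1 },
    { "%b = load i32, i32* %q",   0, {0},    1 },
    { "%c = add i32 %a, 1",       1, {0},    0 },
    { "%d = mul i32 %b, 3",       1, {1},    0 },
    { "store i32 %c, i32* %p",    1, {2},    1 },
    { "%e = xor i32 %c, %d",      2, {2, 3}, 0 },
    { "%f = call i32 @g(i32 %e)", 1, {5},    1 },
    { "ret i32 %f",               1, {6},    0 },
};
#define NINS ((int)(sizeof block / sizeof block[0]))

/* Can instruction i be emitted given what has already been emitted? */
static int ready(const struct ins *b, int i, const int *emitted)
{
    for (int k = 0; k < b[i].ndeps; k++)
        if (!emitted[b[i].deps[k]]) return 0;
    if (b[i].mem)                         /* all earlier memory ops must be out */
        for (int j = 0; j < i; j++)
            if (b[j].mem && !emitted[j]) return 0;
    return 1;
}

/* randins: pick a random ready instruction, emit it, repeat. Returns 0 on
 * success, -1 if the dependency map is cyclic (a malformed block). */
static int randins(const struct ins *b, int n, uint64_t seed, int *order)
{
    int emitted[MAXI] = {0}, cand[MAXI], done = 0;
    uint64_t st = seed;
    while (done < n - 1) {
        int nc = 0;
        for (int i = 0; i < n - 1; i++)
            if (!emitted[i] && ready(b, i, emitted)) cand[nc++] = i;
        if (nc == 0) return -1;
        int pick = cand[(int)(rnd(&st) % (uint64_t)nc)];
        emitted[pick] = 1;
        order[done++] = pick;
    }
    order[done] = n - 1;                  /* terminator */
    return 0;
}

/* Independent check of an order against the same rules. */
static int order_valid(const struct ins *b, int n, const int *order)
{
    int emitted[MAXI] = {0};
    for (int k = 0; k < n; k++) {
        if (!ready(b, order[k], emitted)) return 0;
        emitted[order[k]] = 1;
    }
    return order[n - 1] == n - 1;
}

/* Reorder the sample block under nkeys different obfkeys; return how many
 * distinct (and valid) sequences were produced, or -1 if any was invalid. */
static int distinct_orders(int nkeys)
{
    int seen[64][MAXI], nseen = 0;
    for (int key = 0; key < nkeys && nseen < 64; key++) {
        int order[MAXI];
        uint64_t seed = derive_seed((uint64_t)key, "sum_even", "demo.c", "randins");
        if (randins(block, NINS, seed, order) != 0) return -1;
        if (!order_valid(block, NINS, order)) return -1;
        int dup = 0;
        for (int s = 0; s < nseen && !dup; s++)
            dup = memcmp(seen[s], order, sizeof(int) * NINS) == 0;
        if (!dup) memcpy(seen[nseen++], order, sizeof(int) * NINS);
    }
    return nseen;
}
```

For this block the two loads, the store and the call are pinned to their original relative order, and the terminator to the end, which leaves 8 legal sequences; different keys land on different ones while any single key always reproduces the same sequence, which is the property the per-function seeding is meant to provide.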

Is there an obfuscation pipeline?
  Yes, the following order is recommended:
    addmodulekey
    propagatemodulekey
    bbsplit
    flattencontrol
    obfuscateconstants
    randins, randbb, randfun, randglb and swapops

How can I apply this to my project?
  Create a header file with the declarations of the functions to be obfuscated, carrying the obfuscation key function attributes.
  Pass that header with the -include flag when compiling, so the attributes apply without touching the sources.
  Use the recommended clang | opt | clang pipeline: clang emits the IR, opt runs the obfuscation passes, clang compiles the result.

Live example

Can the techniques be reversed?
  Control flattening can be undone if the dispatch constants are known, which is why the constants are obfuscated after flattening.
  Constant obfuscation can be undone by computing the constants back (constant folding, or reading the value out of the array).
  The reordering transformations can be undone by normalizing to a canonical order.

Security usage of obfuscation
  The polymorphic transformations create program diversity: compiling with a different key yields a different binary.
  The performance impact is negligible in our small tests, since processors reorder instructions internally anyway.
  This makes defending against attacks like return-oriented programming easier, because the attacker needs to know which of the many variants was actually deployed.
  This is especially useful in ecosystems like Gentoo, where users compile their own packages.

swapops and randins against ROP
  Reordering the instructions inside a basic block means that, without a copy of the library, the attacker cannot know which instructions precede a given return.
  swapops likewise makes sections of the code end up using different registers, enlarging the set of possible variants.
  Since each compilation has a different instruction sequence and register usage, a gadget chain that depends on that information cannot be prepared in advance; it would need a leak of the deployed build.

Static randomization
  Reordering at compile time is easy, since all dependencies are known there.
  Reordering basic blocks, functions and globals gives a randomized layout, at a finer granularity than ASLR (which only shifts whole mappings) and with no kernel support needed.
  Being static, the layout is fixed for the life of the binary; the diversity is between builds, not between runs.

Questions?

THANKS! Andrei Sabelfeld and Jonas Magazinius Grim Schjetne The PAX Team and Anthony G. Basille You!