Program Obfuscation: A Quantitative Approach Presented by: Mariusz Jakubowski Microsoft Research Third Workshop on Quality of Protection October 29 th,

Presentation transcript:

Program Obfuscation: A Quantitative Approach
Presented by: Mariusz Jakubowski, Microsoft Research
Third Workshop on Quality of Protection, October 29th, 2007
Bertrand Anckaert, Matias Madou, Bjorn De Sutter, Bruno De Bus, Koen De Bosschere, and Bart Preneel
Ghent University and K.U.Leuven, Belgium

Obfuscation has many applications

There is a large gap between theoretical results
- On the (Im)possibility of Obfuscating Programs – Barak et al. (2001)
- On the Impossibility of Obfuscation with Auxiliary Input – Goldwasser et al. (2005)
- Positive Results and Techniques for Obfuscation – Lynn et al. (2004)
- Towards Realizing Random Oracles: Hash Functions that Hide All Partial Information – Canetti et al. (1997)
+ / -
Large gap
Intuitively, obfuscation does help

We need a practical system for evaluating obfuscating transformations
- It should be easy to evaluate existing and future transformations => Automated
- The evaluation should convey difficulty of reverse-engineering => Build upon experience from complexity metrics

Outline
- Intro
- Metrics
  - Instruction Count
  - Cyclomatic Number
  - Knot Count
- (De)Obfuscating transformations

Four axes based on typical reverse-engineering scenario
- Disassemble: Code
- Flow graph construction: Control flow
- Analyse Data Flow: Data flow
- Interpret Data: Data

Evaluated Complexity Metrics
Axes: Code, Control flow, Data flow, Data
Metrics: Instruction Count, Cyclomatic Number, Knot Count
Metrics are collected by a run-time instrumentation framework
+ No uncertainty about executed code
+ Always available
- Only about covered part of the code

Cyclomatic number and knot count
Cyclomatic number:
- #edges - #nodes + 2
- Intuitively: the number of decision points
Knot count:
- #crossings
- Intuitively: the unstructuredness

Outline
- Intro
- Metrics
- (De)Obfuscating transformations
  - Jump redirection [Linn et al. 2003]
  - Control flow flattening [Chenxi Wang et al. 2001]
  - Opaque predicates [Collberg et al. 1998]

Jump redirection
Redirect branches to function
[Figure labels: 1, jmp, call branch, Branch Function, 2, garbage, assumed return site]

Impact of Jump Redirection

Jump redirection - deobfuscation
- Identify Branch Function
  - signature based
  - run-time behavior
- Record (call,return) pairs under debugger
- Overwrite calls
[Figure labels: 1, call branch, Branch Function, 2, garbage, assumed return site; recorded pairs (1,2) (4,7) (9,5) …; jmp 2]

Success of De-obfuscation

Control flow flattening
All original basic blocks have the same predecessor and successor
[Figure label: switch]

Control flow flattening significantly increases the complexity metrics
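The two control-flow metrics defined earlier and the effect of flattening on them, as an added example that is not part of the original slides. It counts statically over a small constructed flow graph (the slides collect the metrics at run time); the function names, the block layout and the rule that a jump arrow runs from the end of its source block to the start of its target are assumptions of this example.

```python
from itertools import combinations

def cyclomatic_number(edges):
    """#edges - #nodes + 2, counting the blocks named in the edge list."""
    edges = set(edges)
    nodes = {n for e in edges for n in e}
    return len(edges) - len(nodes) + 2

def knot_count(edges, layout):
    """Crossings between jump arrows when blocks are placed in `layout` order.
    A jump runs from the end of its source block to the start of its target;
    an edge to the next block in the layout is fall-through and draws no arrow."""
    idx = {b: i for i, b in enumerate(layout)}
    spans = []
    for a, b in set(edges):
        if idx[b] == idx[a] + 1:
            continue
        src, dst = 2 * idx[a] + 1, 2 * idx[b]
        spans.append((min(src, dst), max(src, dst)))
    # Two arrows cross when their spans interleave (neither nested nor disjoint).
    return sum(1 for (a, b), (c, d) in combinations(spans, 2)
               if a < c < b < d or c < a < d < b)

def flatten(edges, layout):
    """Control flow flattening: a dispatcher block "switch" becomes the only
    predecessor and successor of every original block (the exit block has
    no successor and simply returns)."""
    has_succ = {a for a, _ in edges}
    flat = [("switch", b) for b in layout]
    flat += [(b, "switch") for b in layout if b in has_succ]
    return flat, ["switch"] + list(layout)

# Constructed CFG: a loop (B1..B4) whose body is an if/else (B2 / B3).
LAYOUT = ["B0", "B1", "B2", "B3", "B4", "B5"]
EDGES = [("B0", "B1"), ("B1", "B2"), ("B1", "B3"), ("B2", "B4"),
         ("B3", "B4"), ("B4", "B1"), ("B4", "B5")]

def measure(edges, layout):
    """Return (cyclomatic number, knot count) for one graph and layout."""
    return cyclomatic_number(edges), knot_count(edges, layout)

if __name__ == "__main__":
    print("original :", measure(EDGES, LAYOUT))
    print("flattened:", measure(*flatten(EDGES, LAYOUT)))
```

On this graph the dispatcher adds one decision per block and every jump back to the dispatcher crosses the dispatch arrows to all later blocks, which is why the knot count grows much faster than the cyclomatic number.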

Success of De-obfuscation

Opaque predicates
Add fake decision statements
[Figure labels: 1, jmp, if (2==2), 2, fake]

Impact of Opaque Predication

Conclusion
A first step towards a unified quantitative evaluation of
- obfuscating transformations
- deobfuscating transformations
Which leverages experience from the established field of complexity metrics
