Presentation is loading. Please wait.

Presentation is loading. Please wait.

Focused obfuscation for 1-day attack delaying

Published bySimon Lambert Modified over 7 years ago

Similar presentations

Presentation on theme: "Focused obfuscation for 1-day attack delaying"— Presentation transcript:

1 Focused obfuscation for 1-day attack delaying
Francisco Blas Izquierdo Riera

2 Current situation Most people use the same software
Serious vulnerabilities are found regularly Patches are small so the attacker can focus on the changes to find the issue

3 Objective Try to make finding the issue harder.
Obfuscate the patched functions Add more obfuscated functions to make finding the changes harder Focus the obfuscation so patches can be generated

4 What is obfuscation? Modifying code so that it is:
Harder to understand Harder to reason about Functionally equivalent to the original

5 How does LLVM work? The frontend converts the original code into LLVM's IR The different optimization passes transform the LLVM IR The code is converted into DAGs The backend converts the DAGs into instructions and emits them

6 What's LLVM IR? A representation for programs similar to assembly.
The code is divided in modules. Modules contain functions and global variables Functions contain basic blocks Basic Blocks contain phi nodes followed by instructions and end with a terminator instruction

7 What was implemented? Wang's Control Flattening (with adaptations)
Constant Obfuscation Array fetch Equivalent arithmetic Reordering Instruction Reordering Basic Block Reordering Operand swapping

8 How are transformations focused?
We add a function parameter: the obfuscation key It can be added in the function declaration in any header file The key has two uses: Provides a secret used for the CPRNG Allows transformations know where should they be applied.

9 How is control flattening done?
Create a main block Create phi nodes for cross block references Move all phis to the main block Split blocks with a non processable terminator Create a phi on the main block to choose the destination based on the origin Add a switch depending on the previous phi value as terminator

10 How is constant obfuscation done?
Pick each constant we can obfuscate Choose an obfuscation technique Array fetch: the constant is fetched from an array Arithmetic: the constant is obtained as the result of an arithmetic operation Insert the new code and replace the constant by the result. Reobfuscate, if desired, any new constants

11 How is instruction reordering done?
Reorder phi nodes randomly Make a dependency map for the instructions (including hidden dependencies by side effects) Pick one of the instructions without dependencies Emit it Remove the instruction from the dependency map Repeat until no instructions are left

12 How is block reordering done
Reorder randomly keeping the entry block the same

13 How is register swapping done?
For each commutative operator decide randomly to rearrange the operands.

14 What do you mean “random”?
We mean pseudorandom for us but random looking to the attacker. We use AES in CTR mode to generate “random” data We generate the key for AES in CTR mode using the obfkey, the function name the module name and the pass name. As key we use a nothing up my sleeve number.

15 Is there an obfuscation pipeline?
Yes, the following order is recommended: addmodulekey propagatemodulekey bbsplit flattencontrol obfuscateconstants randins, randbb, randfun, randglb and swapops

16 How can I apply this on my project?
Create a header file with the declarations of the functions to be obfuscated with the corresponding obfuscation key function attributes. Use the -include flag to include that header when compiling. Use the clang | opt | clang recommended pipeline for compilation.

17 Live example

18 Can the techniques be reversed?
Control flattening can be reversed if the constants are known Constant obfuscation can be reversed by constant calculation The reordering transformations can be reversed by ordering according to an established order.

19 Security usage of obfuscation
The polymorphic transformations allow to create program variety by using different keys when compiling. The performance impacts are negligible (according to our small tests) as processors usually do internal reordering of instructions. This makes defense against attacks like return oriented programming easier as the attacker will need to know which of the combinations was chosen. These are very useful in ecosystems like Gentoo where users compile their own packages

20 swapops and randins against ROP
By reordering the instructions inside the basic blocks the attacker has no way of knowing which particular instructions will be executed before the return if he has no access to the library. In a similar way swapops results in sections of the code using different registers making the amount possible alternatives larger. Since each compilation has a different instruction sequence with different registers it's impossible to prepare an attack needing that information.

21 Static randomization It's easy to reorder things at compile time as all dependencies are known. Reordering basic blocks, functions and globals provides a randomized layout. But with smaller granularity than techniques like ASLR and with no need for kernel support!

22 Questions?

23 THANKS! Andrei Sabelfeld and Jonas Magazinius Grim Schjetne
The PAX Team and Anthony G. Basille You!

Download ppt "Focused obfuscation for 1-day attack delaying"

Similar presentations

Spring Semester 2013 Lecture 5

Spring Semester 2013 Lecture 5
Intro to Computer Org. Pipelining, Part 2 – Data hazards + Stalls.

Intro to Computer Org. Pipelining, Part 2 – Data hazards + Stalls.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
C Lecture Notes 1 Program Control (Cont...). C Lecture Notes 2 4.8The do / while Repetition Structure The do / while repetition structure –Similar to.

C Lecture Notes 1 Program Control (Cont...). C Lecture Notes 2 4.8The do / while Repetition Structure The do / while repetition structure –Similar to.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.
Address Space Layout Permutation

Address Space Layout Permutation
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. C How To Program - 4th edition Deitels Class 05 University.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. C How To Program - 4th edition Deitels Class 05 University.
Sharda University P. K. Mishra (Asst.Prof) Department of Computer Science & Technology Subject Name: Programming Using C Sub Code: CSE-106 Programming.

Sharda University P. K. Mishra (Asst.Prof) Department of Computer Science & Technology Subject Name: Programming Using C Sub Code: CSE-106 Programming.
Unit-1 Introduction Prepared by: Prof. Harish I Rathod

Unit-1 Introduction Prepared by: Prof. Harish I Rathod
An Object-Oriented Approach to Programming Logic and Design Fourth Edition Chapter 6 Using Methods.

An Object-Oriented Approach to Programming Logic and Design Fourth Edition Chapter 6 Using Methods.
Functions Top-down design Breaking a complex problem into smaller parts that we can understand is a common practice. The process of subdividing a problem.

Functions Top-down design Breaking a complex problem into smaller parts that we can understand is a common practice. The process of subdividing a problem.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.
1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.

1 Memory Management Chapter 7. 2 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated to ensure a reasonable.
Java™ How to Program, 9/e © Copyright 1992-2012 by Pearson Education, Inc. All Rights Reserved.

Java™ How to Program, 9/e © Copyright by Pearson Education, Inc. All Rights Reserved.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Operating System Protection Through Program Evolution Fred Cohen Computers and Security 1992.

Operating System Protection Through Program Evolution Fred Cohen Computers and Security 1992.
Assembly Language Co-Routines

Assembly Language Co-Routines
Programming Fundamentals Enumerations and Functions.

Programming Fundamentals Enumerations and Functions.
Building Programs from Existing Information Solutions for programs often can be developed from previously solved problems. Data requirements and solution.

Building Programs from Existing Information Solutions for programs often can be developed from previously solved problems. Data requirements and solution.
Some of the utilities associated with the development of programs. These program development tools allow users to write and construct programs that the.

Some of the utilities associated with the development of programs. These program development tools allow users to write and construct programs that the.

Similar presentations

Ads by Google