SJSU CS 265 - Code Obfuscation

This preview shows page 1-2 out of 7 pages.


Security By Obscurity: Code Obfuscation

Kai-fan Lee
Apr. 14, 2002

Contents

- Introduction
- What is Code Obfuscation
- Criteria for evaluating Obfuscation Quality
- Obfuscation Techniques
- Layout Transformation
- Preventive Transformation
- Data Transformation
- Control Transformation
- Opaque Constructs: Key of Obfuscation
- Library of Math Facts
- Alias Based Opaque Constructs
- Implementation
- Applications
- Conclusion

Introduction

With the recent rapid development of the Internet and distributed computing, a demand for protecting intellectual property has arisen. This is especially true when programs are shipped in Architecture Neutral Distribution Format (ANDF). Examples are Java class files, which have a highly standardized format, use a very well defined standard library, and have a detailed specification available on the Internet. With those resources in hand, an attacker can easily reverse engineer a Java application and gain an unfair advantage over software vendors. Therefore an effective method for protecting intellectual property is in demand.

Some of the common protection methods are legal protection, server-side execution, encryption, and code obfuscation. Legal protection is effective, but is not a viable choice for small companies that don't have a lot of money. Server-side execution is a way of selling a "software service" to clients: the main program runs on the server of the software vendor, and customers install a thin client to access services on the server. It is very effective, since the main program is not physically accessible to the outside world, but it may slow down performance, because data has to travel through the Internet. Code encryption is the technique of encrypting the executable with a key before sending it to users; the user decrypts the code before executing it. However, this technique requires specialized and expensive hardware; otherwise a determined cracker can still "sniff" the decrypted code in memory before it is executed. That leaves us the last option, code obfuscation.

In this paper, we will go through the basic definition and terminology of code obfuscation, as well as some different techniques to obfuscate code.

What is Code Obfuscation

Code obfuscation can be defined as follows:

    Let $P \xrightarrow{T} P'$ be a transformation of a source program P into a target program P'. $P \xrightarrow{T} P'$ is an obfuscating transformation if P and P' have the same observable behavior.

Note that the definition given above does not say how the transformation T obfuscates a program while keeping the same observable behavior.

Criteria for evaluating Obfuscation Quality

Before we go into techniques for obfuscation, we need to know what our goal in obfuscating is, so we need a set of criteria to evaluate our obfuscation. The common criteria to evaluate code obfuscation are as follows:

- Potency: A measure of how much obscurity T introduces to the program. This metric indicates how much more difficult it is for the human hacker to understand the code. To achieve potency, we can increase code size, increase the number and nesting levels of predicates (if .. then .. else clauses), change loop conditions, increase the number of method arguments, etc.

- Resilience: How difficult T is for an automatic deobfuscator to undo. The obfuscation process may introduce some obscure language constructs to confuse a human reader, but it may not be all that difficult for a machine to deobfuscate. For example, in the following transformation it would be trivial for a compiler to detect and remove the "if (5>1)" clause:

    Main() {
        S1;
        S2;
    }

  is transformed by T into

    Main() {
        S1;
        if (5>1) S2;
    }

- Stealth: How apparent the transformation is to a human attacker. Even when a transformation is not susceptible to machine attack, it might still appear obvious to the human attacker and give clues for attack. The following is an unstealthy transformation:

    if (isPrime(5286274….83273)) S1;

- Cost: How much computation overhead is introduced into the program. This includes the extra execution time/space penalty incurred by the obfuscated application.

Therefore, an ideal obfuscation transformation would have high potency, high resilience, high stealth, and low cost. In the following section, we will describe techniques to achieve these goals.

Obfuscation Techniques

Christian Collberg, a pioneer in obfuscation research, classified code transformations into the following areas: Layout Transformation, Data Transformation, Control Transformation, and Preventive Transformation.

Layout Transformation

Layout transformation involves changing the source/binary structure. Some typical approaches include stripping out comments, debugging info and line numbers, and encoding/scrambling variable and function names.

Preventive Transformation

Preventive measures are made to stop automatic de-obfuscators and decompilers from functioning correctly. There are two types of preventive transformation, inherent and targeted. Inherent transformation makes known automatic de-obfuscation hard to employ, while targeted transformation uses known exploits of a decompiler to crash the decompiler. An example of this would be HoseMocha, which attacks a weakness of the Mocha decompiler by inserting an extra instruction after the return instruction in Java bytecode. This change does not affect the program in any way but crashes the Mocha decompiler.

Data Transformation

Data transformation is a change applied to local and global data structures; it can be further divided into Storage and Encoding, Aggregation, and Ordering obfuscation.

Storage and Encoding: change the representation of variables and the way variables are used. Some examples are:

1. Change encoding: Since a data value and its binary representation are a matter of convention rather than absolute, we can redefine the representation and usage.
   Ex: we have a variable y of type int, and we redefine it to become int y = 8y + 5

2. Converting Static Data to procedures: Static global data (especially strings) contains much useful information for reverse engineers. What we can do is construct a generator function that creates the static string at run time.
   Ex: Where function G() is an NFA/DFA that maps 1 to "0x62837732", and a=b

Aggregation: merge independent data and split dependent data. Some examples are:

1. Modifying class hierarchy: For OO programs, the complexity of program grows with increasing
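
The "change encoding" transformation described under Storage and Encoding, carried through a small Java loop as an added example (not code from the paper; the class and method names are hypothetical, and only the mapping y' = 8y + 5 comes from the text). It also shows the range limit of the encoding: once 8v + 5 no longer fits in an int, P and P' stop having the same observable behavior, so the transformation is only valid where the value range can be bounded.

```java
// Added illustration, not code from the paper. Class and method names are
// hypothetical; only the mapping y' = 8y + 5 comes from the text.
public class ChangeEncodingDemo {

    // True while 8y + 5 still fits in a Java int, i.e. the mapping is reversible.
    static boolean encodable(int y) {
        long e = 8L * y + 5;
        return e >= Integer.MIN_VALUE && e <= Integer.MAX_VALUE;
    }

    // P: sum of 0 .. n-1, counter y and total kept in the clear.
    static int sumOriginal(int n) {
        int sum = 0;
        for (int y = 0; y < n; y++) sum += y;
        return sum;
    }

    // P': counter and total exist only in encoded form (v' = 8v + 5).
    //   y = 0     becomes  e = 5
    //   y < n     becomes  e < 8n + 5
    //   y++       becomes  e += 8
    //   sum += y  becomes  s += e - 5, since (8*sum + 5) + 8*y = 8*(sum + y) + 5
    static int sumObfuscated(int n) {
        int s = 5;
        for (int e = 5; e < 8 * n + 5; e += 8) s += e - 5;
        return (s - 5) / 8;   // decode only at the point of output
    }

    public static void main(String[] args) {
        // Constructed inputs: the last one makes 8*sum + 5 overflow an int.
        for (int n : new int[] {10, 1000, 30000}) {
            int p = sumOriginal(n), q = sumObfuscated(n);
            System.out.printf("n=%d P=%d P'=%d same=%b totalEncodable=%b%n",
                    n, p, q, p == q, encodable(p));
        }
    }
}
```

Java int arithmetic wraps silently, so the mismatch for the largest input appears only as a wrong result, never as an exception.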

