Presentation is loading. Please wait.

Presentation is loading. Please wait.

Iterated Transformations and Quantitative Metrics for Software Protection International Conference on Security and Cryptography SECRYPT 2009 July 7-10,

Published byBrooklynn Sias Modified over 9 years ago

Similar presentations

Presentation on theme: "Iterated Transformations and Quantitative Metrics for Software Protection International Conference on Security and Cryptography SECRYPT 2009 July 7-10,"— Presentation transcript:

1 Iterated Transformations and Quantitative Metrics for Software Protection International Conference on Security and Cryptography SECRYPT 2009 July 7-10, 2009 – Milan, Italy Mariusz H. Jakubowski Chit Wei (Nick) Saw Ramarathnam Venkatesan Microsoft Research Redmond, WA (USA)

2 SECRYPT 2009 Milan, Italy July 7-10, 20092 Introduction Software protection –Complicate reverse engineering and tampering. –Enforce execution as intended by developer. –DRM, licensing, anti-malware, OS security, etc. Iterated code transformations –Multiple, often simple transformations applied repeatedly –Protection built up via cascading effects –Emergent program structures and operation Goals of our work: –Develop protection framework based on iterated transformations. –Study security of iterated protection via metrics on code.

3 SECRYPT 2009 Milan, Italy July 7-10, 20093 Overview Introduction Background Iterated protection Metrics for security analysis Implementation and experiments Conclusion Iterated protection and security metrics

4 SECRYPT 2009 Milan, Italy July 7-10, 20094 Background: Iterative Systems Complex systems –Agents controlled by iterative evolution rules Traffic, crowds, economic markets, ant colonies, … Cellular automata (Game of Life) –Emergent behavior over time Cryptography –Iterated rounds in ciphers, hash functions, etc. –Better security as number of rounds increases

5 SECRYPT 2009 Milan, Italy July 7-10, 20095 Overview Introduction Background Iterated protection Metrics for security analysis Implementation and experiments Conclusion Iterated protection and security metrics

6 SECRYPT 2009 Milan, Italy July 7-10, 20096 Iterated Protection A framework for design, implementation and analysis of software-protection methods Protective operators are applied repeatedly over already obfuscated code. Interaction among operators leads to complex (emergent) code behavior and structure. –“Whole greater than the sum of its parts” –Security bootstrapped even via simple iterated primitives –Complexity derived from iteration and recombination Methodology may offer hope for security analysis. –Metrics to estimate complexity of breaking –Foundation for analysis of practical obfuscation methods –Just one element to aid with comprehensive approaches

7 SECRYPT 2009 Milan, Italy July 7-10, 20097 An Analogy: Iterated Translation “Weakly obfuscating” transformations that create complexity when iterated: Original: Code-obfuscation and tamper-resistance technologies aim to protect software against reverse engineering and hacking. Such methods include code-integrity verification, control-flow obfuscation, data encoding, anti- debugging, and many others. This technology is useful for applications such as content protection and Digital Rights Management, where code must execute as intended in order to enforce anti-piracy measures. Software protection is also helpful against viruses, worms, trojans, rootkits, and malicious code in general. English  German  French  Spanish  English  Chinese  English (via Babel Fish): Causes to change the dark code and the payment technology resistance cares for to protect r3etechnique and the Zerhacken program computer science opposition. Such method including code data fullness reconsideraci3on, Steuerung-fliessen changes darkly, compiles the statute book, AntiAuspruefen and other people. This technology is the useful legal management the protection which likely satisfies for the application and, in the code numeral the application must, expect there, imposes the antipiraterie set. The computer science program protection is the very useful opposition virus, the endless screw, Turlogh 伊人, rootkits and code boeswilligen in brief to general. English  German  English  German  English  German  English: If you code Kollusion and resistance technologies supplying, the goal away away of protecting for of of software from back technology and the Zerhacken. Such methods close completeness of the code test, taxliquid the Kollusion, the data coding out and anti-examining and that differently the many. This technology is for applications like content protection and must the right management, which is useful, the code digitally inside accomplish, for Piraterie mass anti forces there been supposed. Software protection is useful generally also against viruses, continuous screws, trojans, root installation of sentences and bad-ready code.

8 SECRYPT 2009 Milan, Italy July 7-10, 20098 Sample Operator: Oblivious Hashing Injection of code to perform integrity checks of execution –Hash updates after state changes (e.g., assignments and branches) –Periodic checks for hash correctness First hashing round verifies execution of target code. Each subsequent round verifies execution of all previous rounds (along with target code). int x = 123; if (GetUserInput() > 10) { x = x + 1; } else { printf("Hello\n "); } INITIALIZE_HASH(hash1); int x = 123; UPDATE_HASH(hash1, x); if (GetUserInput() > 10) { UPDATE_HASH(hash1, BRANCH_ID_1); x = x + 1; UPDATE_HASH(hash1, x); } else { UPDATE_HASH(hash1, BRANCH_ID_2); printf("Hello\n"); } VERIFY_HASH(hash1);

9 SECRYPT 2009 Milan, Italy July 7-10, 20099 Two Iterated Rounds of OH Second round verifies both the original code and the first round of OH. int x = 123; if (GetUserInput() > 10) { x = x + 1; } else { printf("Hello\n"); } INITIALIZE_HASH(hash1); int x = 123; UPDATE_HASH(hash1, x); if (GetUserInput() > 10) { UPDATE_HASH(hash1, BRANCH_ID_1); x = x + 1; UPDATE_HASH(hash1, x); } else { UPDATE_HASH(hash1, BRANCH_ID_2); printf("Hello\n"); } VERIFY_HASH(hash1); INITIALIZE_HASH(hash1); INITIALIZE_HASH(hash2); int x = 123; UPDATE_HASH(hash1, x); UPDATE_HASH(hash2, x); UPDATE_HASH(hash2, hash1); if (GetUserInput() > 10) { UPDATE_HASH(hash1, BRANCH_ID_1); UPDATE_HASH(hash2, BRANCH_ID_1); UPDATE_HASH(hash2, hash1); x = x + 1; UPDATE_HASH(hash1, x); UPDATE_HASH(hash2, x); UPDATE_HASH(hash2, hash1); } else { UPDATE_HASH(hash1, BRANCH_ID_2); UPDATE_HASH(hash2, BRANCH_ID_2); UPDATE_HASH(hash2, hash1); printf("Hello\n"); } VERIFY_HASH(hash1); VERIFY_HASH(hash2);

10 SECRYPT 2009 Milan, Italy July 7-10, 200910 Example Protection Operators Complexity derived from iteration and recombination Pointer conversion –Conversion of variable references to be performed via pointers –Addition of arbitrary layers of indirection int x = GetTickCount(); printf("%d\n", x); int * ptr_x_2; int ** ptr_ptr_x_0_1; int * ptr_x_0; int x; ptr_ptr_x_0_1 = &ptr_x_0; ptr_x_2 = &x; *(int **) ptr_ptr_x_0_1 = ptr_x_2; unsigned int tmp_151 = (* (unsigned int (__stdcall *)()) &GetTickCount)(); int tmp_152 = (int) tmp_151; int * tmp_ptr_159 = * (int **) ptr_ptr_x_0_1; * (int *) tmp_ptr_159 = tmp_152; char * tmp_ptr_154 = (char *) "%d\n"; int * tmp_ptr_160 = * (int **) ptr_ptr_x_0_1; printf(tmp_ptr_154, * (int *) tmp_ptr_160); int * ptr_x_0; int x; ptr_x_0 = &x; unsigned int tmp_151 = (* (unsigned int (__stdcall *)()) &GetTickCount)(); int tmp_152 = (int) tmp_151; *(int *) ptr_x_0 = tmp_152; char * tmp_ptr_154 = (char *) "%d\n"; printf(tmp_ptr_154, * (int *) ptr_x_0);

11 SECRYPT 2009 Milan, Italy July 7-10, 200911 Example Protection Operators Complexity derived from iteration and recombination Code outlining –Extraction of code sections into separate functions –Complementary operation to common code-inlining optimizations –Potential for creation of arbitrarily structured control-flow graphs Superdiversification –Peephole instruction replacement –Guided brute-force search for equivalent instruction sequences –Generation of arbitrarily individualized code Dataflow flattening –Injection of artificial variable dependencies –Implementation via opaque predicates or “chaff” expressions on two variables –Production of flat (complete or nearly complete) dataflow graphs

12 SECRYPT 2009 Milan, Italy July 7-10, 200912 Design of Protection Operators Arbitrary operators are possible. –May be designed heuristically to achieve specific objectives. –Operation over time may be emergent and thus apparent only via experimentation. –Very simple operators in combination may reduce the need to construct complicated schemes. Classic techniques can serve as operators: –Opaque predicates –Control-flow flattening –Data encoding –Chaff-code injection –…

13 SECRYPT 2009 Milan, Italy July 7-10, 200913 Overview Introduction Background Iterated protection Metrics for security analysis Implementation and experiments Conclusion Iterated protection and security metrics

14 SECRYPT 2009 Milan, Italy July 7-10, 200914 Quantitative Security Metrics Complex systems do not lend themselves to modeling of future states. –“Must be run to see what happens.” –“Cannot be short-cut.” One solution: Analyze security via complexity metrics computed over protected code.

15 SECRYPT 2009 Milan, Italy July 7-10, 200915 Security Evaluation via Metrics [Anckaert et al. ‘07]: Code-complexity metrics to evaluate protection –Instruction count –Cyclomatic number #edges – #nodes + 2 “Number of decision points” –Knot count: #crossings “Unstructuredness”

16 SECRYPT 2009 Milan, Italy July 7-10, 200916 Security Evaluation via Metrics Other metrics –Variable density (#variables per instruction) –Operational indirection (fraction of references performed via pointers) –… Metrics should be chosen to reflect difficulty of various analysis tasks.

17 SECRYPT 2009 Milan, Italy July 7-10, 200917 Overview Introduction Background Iterated protection Metrics for security analysis Implementation and experiments Conclusion Iterated protection and security metrics

18 SECRYPT 2009 Milan, Italy July 7-10, 200918 Implementation Iterated-protection tool –Compiler plug-in for C/C++ code –Based on Microsoft Phoenix compiler framework –Source-to-source transformations Simple architecture –Each protection operator is straightforward to implement and test. –Power of tool derives from iteration and recombination of multiple operators.

19 SECRYPT 2009 Milan, Italy July 7-10, 200919 Experimental Results Tables display values of metrics (ratios) relative to original code. Selected SPEC benchmarks

20 SECRYPT 2009 Milan, Italy July 7-10, 200920 Experimental Results

21 SECRYPT 2009 Milan, Italy July 7-10, 200921 Experimental Results

22 SECRYPT 2009 Milan, Italy July 7-10, 200922 Conclusion Iterated-protection framework –Iteration and mixing of simple primitives –Cascading effects and emergent behavior –Quantitative metrics over code to assess security Future directions –Additional protection operators to achieve given objectives –Closer linking of metrics to actual difficulty of analysis and breaking

Download ppt "Iterated Transformations and Quantitative Metrics for Software Protection International Conference on Security and Cryptography SECRYPT 2009 July 7-10,"

Similar presentations

Chapter 14 Software Testing Techniques - Testing fundamentals - White-box testing - Black-box testing - Object-oriented testing methods (Source: Pressman,

Chapter 14 Software Testing Techniques - Testing fundamentals - White-box testing - Black-box testing - Object-oriented testing methods (Source: Pressman,
Unit-V testing strategies and tactics.

Unit-V testing strategies and tactics.
Section 3-1 to 3-2, 3-5 Drawing Lines Some of the material in these slides may have been adapted from university of Virginia, MIT, and Åbo Akademi University.

Section 3-1 to 3-2, 3-5 Drawing Lines Some of the material in these slides may have been adapted from university of Virginia, MIT, and Åbo Akademi University.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Tamper-Tolerant Software: Modeling and Implementation International Workshop on Security (IWSEC 2009) October 28-30, 2009 – Toyama, Japan Mariusz H. Jakubowski.

Tamper-Tolerant Software: Modeling and Implementation International Workshop on Security (IWSEC 2009) October 28-30, 2009 – Toyama, Japan Mariusz H. Jakubowski.
Runtime Protection via Dataflow Flattening Bertrand Anckaert Ghent University/ Boston Consulting Group The Third International Conference on Emerging Security.

Runtime Protection via Dataflow Flattening Bertrand Anckaert Ghent University/ Boston Consulting Group The Third International Conference on Emerging Security.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
Randomized Radon Transforms for Biometric Authentication via Fingerprint Hashing 2007 ACM Digital Rights Management Workshop Alexandria, VA (USA) October.

Randomized Radon Transforms for Biometric Authentication via Fingerprint Hashing 2007 ACM Digital Rights Management Workshop Alexandria, VA (USA) October.
1 Static Testing: defect prevention SIM3302. 2 objectives Able to list various type of structured group examinations (manual checking) Able to statically.

1 Static Testing: defect prevention SIM objectives Able to list various type of structured group examinations (manual checking) Able to statically.
Honors Compilers Semantic Analysis and Attribute Grammars Mar 5th 2002.

Honors Compilers Semantic Analysis and Attribute Grammars Mar 5th 2002.
Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.

Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.
The Long-Short-Key Primitive and Its Applications to Key Security Mariusz H. Jakubowski Ramarathnam Venkatesan Microsoft Research Matthew Cary Google Matthias.

The Long-Short-Key Primitive and Its Applications to Key Security Mariusz H. Jakubowski Ramarathnam Venkatesan Microsoft Research Matthew Cary Google Matthias.
Code Generation for Basic Blocks Introduction Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc03.html Chapter 4.2.5.

Code Generation for Basic Blocks Introduction Mooly Sagiv html:// Chapter
Semantic analysis Enforce context-dependent language rules that are not reflected in the BNF, e.g.a function must have a return statement. Decorate AST.

Semantic analysis Enforce context-dependent language rules that are not reflected in the BNF, e.g.a function must have a return statement. Decorate AST.
Copyright © 1998 Wanda Kunkle Computer Organization 1 Chapter 2.1 Introduction.

Copyright © 1998 Wanda Kunkle Computer Organization 1 Chapter 2.1 Introduction.
The Superdiversifier: Peephole Individualization for Software Protection Mariusz H. Jakubowski Prasad Naldurg Chit Wei (Nick) Saw Ramarathnam Venkatesan.

The Superdiversifier: Peephole Individualization for Software Protection Mariusz H. Jakubowski Prasad Naldurg Chit Wei (Nick) Saw Ramarathnam Venkatesan.
Improving Code Generation Honors Compilers April 16 th 2002.

Improving Code Generation Honors Compilers April 16 th 2002.
Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.

Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google