
1 Anti Reverse Engineering

2 Static Techniques – Obfuscation

3 Reverse Engineering
SECURITY INNOVATION ©2003
Process of backtracking through the software process
Obtaining source code from binary/byte code.
Understanding programs to realize intent.
Intellectual property issues.

4 Approaches Against Reverse Engineering
Legal battles
Service-based software
Thin mobile code
Code encryption
Distributing binaries
Obfuscation

5 Obfuscation
Obfuscate – “to confuse”
Alter code so as to confuse the reverse engineer, but preserve functionality
Behavior-preserving transformations on code that preserve function but reduce readability or understandability
How do we confuse the reader?

6 Problem
Focus on Java.
–Easy to decompile the software.
–With software like Jad it’s easy to retrieve the exact source code.
.class files contain a lot of debug info.

7 What’s needed
Remove debug info.
Scramble all method, class and variable names (constant pool)
Modify control flow.
Preserve functionality
Preserve performance within bounds.

8 Some papers
A Taxonomy of Obfuscating Transformations
Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs
Hierarchy reconstruction

9 T(P)=P’ is an obfuscating transformation if P’ has the same observable behavior as P.
–Legal if the following hold:
If P fails to terminate or terminates with an error condition, then P’ may or may not terminate.
Otherwise, P’ must terminate and produce the same output as P.

10 Measures of Potency
Let E(P) = complexity of P.
Potency of T is defined by:
–T_pot(P) = E(P’)/E(P) – 1
–If T_pot(P) > 0 then T is potent.

11 Transformation Resilience
Programmer Effort (pe) = time required for a person to deobfuscate P’
Deobfuscator Effort (de) = time and space required for an automated tool to deobfuscate P’
T_res(P) = one-way if P cannot be reconstructed from P’
T_res = Resilience(T_de, T_pe)

12 Types of Transformation
Control transformations
Data transformations
Opaque values and predicates

13 A Classification of Obfuscations
Layout transformations
–Change formatting information
Control transformations
–Alter program control and computation
Aggregation transformations
–Refactor program using aggregation methods
Data transformations
–Storage and encoding information

14 Control Transformations
if(false) or if( … && false) { … } else { [original code] }

15 Control Transformations
Opaque values and predicates
–Objects and aliases (very hard to analyze statically)

16 Control Transformations
Opaque predicates
–Before: S1; S2;
–After: if (Pred) S1; if (Pred) S2;
Opaque constructs – always evaluate one way (known to the obfuscator), unknown to the deobfuscator.
Trivial and weak opaque constructs.
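The two control transformations on slides 14 and 16 (guard a statement with a predicate that is always true, or put the original code in the else branch of a predicate that is always false) as a working program transformation. This is an added example, not code from the slides or from any obfuscator the slides mention; the sample function `checksum`, the class name `OpaquePredicateInserter` and the parity predicate n*(n+1) % 2 == 0 are all constructed here. The check at the end is the legality condition from slide 9: on terminating inputs P' must produce P's output.

```python
import ast
import random

# Constructed sample program (not from the slides): the P that gets obfuscated.
ORIGINAL_SRC = """
def checksum(data):
    total = 0
    for b in data:
        total = (total * 31 + b) % 65521
    return total
"""


class OpaquePredicateInserter(ast.NodeTransformer):
    """Guards every top-level statement of each function with an opaque predicate.

    Statements alternate between the two forms on the slides:
      S   ->  if P_T: S                 (P_T always true)
      S   ->  if P_F: junk  else: S     (P_F always false, junk is dead code)
    The predicate family is n*(n+1) % 2 == r: the product of two consecutive
    integers is always even, which the obfuscator knows but a reader has to prove.
    This is the 'trivial' class of opaque construct: a constant folder that
    understands parity would strip it again.
    """

    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # seeded so the output is reproducible

    def _opaque(self, always):
        n = self.rng.randint(1, 1000)    # fresh literal per site, so no two guards look identical
        residue = 0 if always else 1     # == 0 is always true, == 1 is always false
        return ast.parse(f"({n} * ({n} + 1)) % 2 == {residue}", mode="eval").body

    def visit_FunctionDef(self, node):
        self.generic_visit(node)         # nested functions are transformed first
        guarded = []
        for index, stmt in enumerate(node.body):
            if index % 2 == 0:
                guarded.append(ast.If(test=self._opaque(True), body=[stmt], orelse=[]))
            else:
                junk = ast.parse("_junk = None").body[0]     # dead code, never executed
                guarded.append(ast.If(test=self._opaque(False), body=[junk], orelse=[stmt]))
        node.body = guarded
        return node


def obfuscate(src, seed=0):
    """Apply T to the source of P and return the source of P'."""
    tree = OpaquePredicateInserter(seed).visit(ast.parse(src))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def load_function(src, name):
    """Compile a source string and return the named function defined in it."""
    namespace = {}
    exec(compile(src, "<program>", "exec"), namespace)
    return namespace[name]


def same_observable_behaviour(src_p, src_p_prime, name, inputs):
    """Legality check from slide 9 on terminating inputs: P' must produce P's output."""
    p = load_function(src_p, name)
    p_prime = load_function(src_p_prime, name)
    return all(p(x) == p_prime(x) for x in inputs)


if __name__ == "__main__":
    obfuscated = obfuscate(ORIGINAL_SRC)
    print(obfuscated)
    print(same_observable_behaviour(ORIGINAL_SRC, obfuscated, "checksum",
                                    [b"", b"abc", bytes(range(256))]))
```

Running it prints the guarded version of `checksum` and `True`. The behaviour check is a test over sample inputs, not a proof; the slides' definition of a legal transformation is a statement about all inputs, and a real obfuscator relies on the transformation being correct by construction rather than on testing.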

17 Control Transformations
Computational transformations
–Dead or irrelevant code
–Extend loop conditions
–Replace library calls with your own library implementation (too costly?)
–Table interpretation – completely reconstruct the code to a different VM.
–Convert a reducible to a non-reducible flow graph
–Redundant operands
–Parallelize code

18 Data transformations
Change encoding
–Pack variables into bigger variables
–Pack variables into arrays
Convert static to procedural data
Restructure arrays
Altering inheritance hierarchies

19 Data transformations
–Change data encoding (int i=1; …A[i]…; becomes int i=11; …A[(i-3)/8]…;)
–Promote variables (encapsulate, make global, etc.)
–Restructure arrays (e.g. 2D to 1D)
–Modify inheritance.
–And more.
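The data-encoding change on slide 19 (store i as 8*i + 3, read it back as (i-3)/8) as a general affine encoding applied mechanically to one variable of a program. This is an added example, not code from the slides; the sample function `sum_squares`, the class `AffineEncoder` and the choice a = 8, b = 3 are constructed here. It generalises the slide's one instance to any a != 0 and any b, and handles `+=` style updates, which need the decode-operate-encode sequence.

```python
import ast

# Constructed sample program (not from the slides); the loop variable i is the
# one whose storage representation we change.
SRC = """
def sum_squares(n):
    i = 0
    acc = 0
    while i < n:
        acc += i * i
        i += 1
    return acc
"""


class AffineEncoder(ast.NodeTransformer):
    """Stores `var` as a*var + b and decodes it back at every use.

    With a = 8, b = 3 this is the slide's example: the value 1 is held as 11 and
    every read of i becomes (i - 3) // 8.  Any a != 0 works; an obfuscator can
    pick a different (a, b) per variable or per build.
    """

    def __init__(self, var, a, b):
        self.var, self.a, self.b = var, a, b

    def _encode(self, expr):
        # a * expr + b
        return ast.BinOp(ast.BinOp(ast.Constant(self.a), ast.Mult(), expr),
                         ast.Add(), ast.Constant(self.b))

    def _decode(self):
        # (var - b) // a   -- exact, because every stored value has the form a*k + b
        return ast.BinOp(ast.BinOp(ast.Name(self.var, ast.Load()), ast.Sub(), ast.Constant(self.b)),
                         ast.FloorDiv(), ast.Constant(self.a))

    def visit_Name(self, node):
        # every read of the variable is replaced by its decoding
        if node.id == self.var and isinstance(node.ctx, ast.Load):
            return self._decode()
        return node

    def visit_Assign(self, node):
        node.value = self.visit(node.value)          # decode reads on the right-hand side first
        target = node.targets[0]
        if len(node.targets) == 1 and isinstance(target, ast.Name) and target.id == self.var:
            node.value = self._encode(node.value)    # then encode what gets stored
        return node

    def visit_AugAssign(self, node):
        # i op= v   becomes   i = encode(decode(i) op v)
        value = self.visit(node.value)
        if isinstance(node.target, ast.Name) and node.target.id == self.var:
            combined = ast.BinOp(self._decode(), node.op, value)
            return ast.Assign(targets=[ast.Name(self.var, ast.Store())],
                              value=self._encode(combined))
        node.value = value
        return node


def encode_variable(src, var, a, b):
    """Return the source of P' with `var` stored in the a*var + b encoding."""
    tree = AffineEncoder(var, a, b).visit(ast.parse(src))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def load_function(src, name):
    namespace = {}
    exec(compile(src, "<program>", "exec"), namespace)
    return namespace[name]


if __name__ == "__main__":
    encoded = encode_variable(SRC, "i", 8, 3)
    print(encoded)
    print(load_function(SRC, "sum_squares")(10), load_function(encoded, "sum_squares")(10))
```

The transformed loop reads `while (i - 3) // 8 < n:` and the increment becomes `i = 8 * ((i - 3) // 8 + 1) + 3`; both functions return 285 for n = 10. The potency comes from every use of i now carrying an arithmetic expression the reader must recognise as a decode; a constant folder cannot remove it, but a deobfuscator that notices every read applies the same inverse can.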

20 Opaque constructs
The pointer aliasing problem
–Shown to be NP-hard or even undecidable
Dynamic structures for producing opaque constructs.
Opaque constructs using threads.

21 Hierarchy reconstruction
Class coalescence.
Class splitting.
Class interfacification.

22 Class Coalescence
Simple coalescence
–No inheritance/interfaces involved
–No method overriding
–No abstract classes
–No interfaces (not a class)

23 Simple Coalescence
Move methods and fields to the same class
–Rename fields/methods if there are conflicts
–Add an extra parameter to the constructor if there are conflicts

24 Extended Coalescence
Everything is involved
–Inheritance (graph 1)
–Interfaces (graph 2)
–Method overriding
–Abstract classes

25 Interfaces
A state variable is introduced
The result implements all the interfaces of the input classes.

26 Abstract classes
–Converted to concrete before coalescence
Method overriding
–All classes must override method m if one of the input classes does.
–State variable used to differentiate.
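Simple class coalescence from slides 22 to 26 as a working routine: two unrelated classes are merged into one, the constructor gets an extra parameter saying which input class the instance stands for, that value is kept as the state variable, and every method defined by more than one input class dispatches on it. This is an added example, not code from the slides or from any tool they reference; the classes `Circle` and `Square`, the function `coalesce` and the attribute `_kind` are constructed here. Where slide 23 resolves conflicts by renaming, this version resolves them with the state variable from slide 26 instead.

```python
# Constructed input classes (not from the slides).  They conflict on `area`
# (both define it) and differ on `describe` / `perimeter`.
class Circle:
    def __init__(self, r):
        self.r = r

    def area(self):
        return 3.14159 * self.r * self.r

    def describe(self):
        return f"circle r={self.r}"


class Square:
    def __init__(self, side):
        self.side = side

    def area(self):
        return self.side * self.side

    def perimeter(self):
        return 4 * self.side


def coalesce(name, *classes):
    """Merge `classes` into one class named `name`.

    - an extra leading constructor parameter `kind` says which input class the
      instance stands for (slide 23: extra parameter to the constructor);
    - `_kind` is stored as the state variable and every method that exists in
      more than one input class dispatches on it (slide 26);
    - methods present in only one class keep their name and raise
      AttributeError for the other kinds, as the original classes would.
    """
    implementations = {}
    for kind, cls in enumerate(classes):
        for attr, member in vars(cls).items():
            if attr.startswith("__") or not callable(member):
                continue
            implementations.setdefault(attr, {})[kind] = member

    def __init__(self, kind, *args, **kwargs):
        self._kind = kind
        classes[kind].__init__(self, *args, **kwargs)   # run the original constructor body

    namespace = {"__init__": __init__}
    for attr, by_kind in implementations.items():
        def dispatch(self, *args, _by_kind=by_kind, _attr=attr, **kwargs):
            if self._kind not in _by_kind:
                raise AttributeError(f"{_attr} is not defined for kind {self._kind}")
            return _by_kind[self._kind](self, *args, **kwargs)
        dispatch.__name__ = attr
        namespace[attr] = dispatch
    return type(name, (object,), namespace)


Shape = coalesce("Shape", Circle, Square)


def behaviour_preserved():
    """Observable behaviour of the merged class matches the originals."""
    return (Shape(0, 2).area() == Circle(2).area()
            and Shape(1, 3).area() == Square(3).area()
            and Shape(0, 2).describe() == Circle(2).describe()
            and Shape(1, 3).perimeter() == Square(3).perimeter())


def lacks_method(obj, method_name):
    """True if calling `method_name` on obj raises AttributeError, as on the original class."""
    try:
        getattr(obj, method_name)()
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(sorted(a for a in vars(Shape) if not a.startswith("__")))
    print(behaviour_preserved(), lacks_method(Shape(0, 2), "perimeter"))
```

After the merge the program exposes one class with `area`, `describe` and `perimeter`; a decompiler no longer sees that circles and squares were distinct types, only that some methods branch on a field. In a real pass the original classes would be deleted and all construction sites rewritten to pass the kind; here they are left in place so the equivalence check can compare against them.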

27 Class Splitting (graph 3)
Split into 2 classes where one extends the other.
The subclass constructor contains a call to the superclass constructor.

28 Interfacification
Interfaces are created according to the methods of the class.
The rest of the application is modified to use these interfaces instead of the class.
Big optimization problem.
Requires careful choice of classes.

29 Software Metrics
Program length
–Complexity of a program increases with the number of operators and operands in P.
Cyclomatic complexity
–Complexity increases with the number of predicates in a function.
Nesting complexity
–Complexity increases with the nesting level of conditionals in a program.
Data flow complexity
–Complexity increases with the number of inter-block variable references.

30 Software Metrics (cont.)
Fan-in/fan-out complexity
–Complexity increases with the number of formal parameters to a function, and with the number of global data structures read or updated in the function.
Data structure complexity
–Complexity increases with the complexity of the static data structures in the program: variables, vectors, records.
OO metrics
–Complexity increases with:
Level of inheritance
Coupling
Number of methods triggered by another method
Non-cohesiveness

31 Some Metrics for Obfuscations
Assume the complexity of a program is E(P) (based on metrics)
Potency of a transformation is the level of complexity it introduces.
–E(P’)/E(P) – 1
Resilience of a transformation measures how well it can deal with a deobfuscation ‘attack’
–On a scale of trivial to one-way
Execution cost
–Free, cheap, costly, dear
Quality of an obfuscation
–A combination of potency, resilience, and execution cost
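The potency measure from slides 10 and 31 computed from the first three metrics of slide 29. This is an added example, not code from the slides or from the cited papers; the sample programs `P_SRC` and `P_PRIME_SRC`, the class `MetricVisitor`, and the equal weights used to combine the metrics into one number E(P) are assumptions of this example (the slides only say E is "based on metrics"). P' is P with one opaque predicate and a dead else branch, as on slides 14 and 16, so the block also shows what that transformation does to each metric.

```python
import ast

# Constructed P and P' (not from the slides).  P' is P with one opaque predicate
# guarding the first statement and a dead else branch.
P_SRC = """
def f(x):
    y = x + 1
    return y * 2
"""

P_PRIME_SRC = """
def f(x):
    if x * (x + 1) % 2 == 0:
        y = x + 1
    else:
        y = 0
    return y * 2
"""

OPERAND_NODES = (ast.Name, ast.Constant)
OPERATOR_NODES = (ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Assign,
                  ast.AugAssign, ast.Call, ast.Subscript)
BRANCH_NODES = (ast.If, ast.While, ast.For)


class MetricVisitor(ast.NodeVisitor):
    """Collects program length, predicate count and nesting depth in one AST pass."""

    def __init__(self):
        self.length = 0        # program length: operators + operands
        self.predicates = 0    # cyclomatic complexity: number of predicates
        self.max_nesting = 0   # nesting complexity: deepest conditional/loop nesting
        self._depth = 0

    def generic_visit(self, node):
        if isinstance(node, OPERAND_NODES):
            self.length += 1
        elif isinstance(node, OPERATOR_NODES):
            self.length += 1
        if isinstance(node, BRANCH_NODES + (ast.IfExp,)):
            self.predicates += 1
        if isinstance(node, ast.BoolOp):
            self.predicates += len(node.values) - 1   # each `and`/`or` adds a decision
        nests = isinstance(node, BRANCH_NODES)
        if nests:
            self._depth += 1
            self.max_nesting = max(self.max_nesting, self._depth)
        super().generic_visit(node)
        if nests:
            self._depth -= 1


def metrics(src):
    visitor = MetricVisitor()
    visitor.visit(ast.parse(src))
    return {"length": visitor.length,
            "cyclomatic": visitor.predicates + 1,
            "nesting": visitor.max_nesting}


def complexity(src, weights=(1.0, 1.0, 1.0)):
    """E(P) as a weighted sum of the metrics; the weights are this example's assumption."""
    m = metrics(src)
    w_len, w_cyc, w_nest = weights
    return w_len * m["length"] + w_cyc * m["cyclomatic"] + w_nest * m["nesting"]


def potency(src_p, src_p_prime, weights=(1.0, 1.0, 1.0)):
    """T_pot(P) = E(P') / E(P) - 1"""
    return complexity(src_p_prime, weights) / complexity(src_p, weights) - 1


def is_potent(src_p, src_p_prime, weights=(1.0, 1.0, 1.0)):
    """Slide 10: T is potent when T_pot(P) > 0."""
    return potency(src_p, src_p_prime, weights) > 0


if __name__ == "__main__":
    print(metrics(P_SRC), metrics(P_PRIME_SRC))
    print(round(potency(P_SRC, P_PRIME_SRC), 3), is_potent(P_SRC, P_PRIME_SRC))
```

For these inputs P scores length 8, one predicate-free path and no nesting, while P' scores length 20, cyclomatic complexity 2 and nesting 1, giving T_pot(P) = 23/9 - 1, about 1.56. Potency alone says nothing about resilience: the same opaque predicate is "trivial" on the slide 16 scale because a constant folder that knows the parity identity removes it.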

32 Aggregation Transformations
Inline and outline methods
Interleave methods
Clone methods
Loop transformations
–Loop blocking
–Loop unrolling
–Loop fission
Ordering transformations

33 Deobfuscation
Almost all obfuscating transforms have a deobfuscating transform
Essentially boils down to evaluating opaque constructs
–Program slicing
–Pattern matching
–Statistical analysis
–Data flow analysis
–Theorem proving
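One of the deobfuscation techniques listed on slide 33, statistical analysis, applied to the opaque predicates of slides 14 and 16: each `if` test is evaluated under many random bindings of its free variables, and a test that never changes value is treated as opaque and its guard removed. This is an added example, not code from the slides; the obfuscated input `OBFUSCATED_SRC`, the functions `evaluate_predicate` and `deobfuscate`, and the 64-trial threshold are constructed here. Random evaluation is evidence rather than proof, which is why the slide lists theorem proving separately, so the code refuses to evaluate anything with calls, attribute or subscript access and leaves such guards in place.

```python
import ast
import random

# Constructed obfuscated input (not from the slides): a checksum function whose
# statements were guarded with the parity predicate n*(n+1) % 2 == r.
OBFUSCATED_SRC = """
def checksum(data):
    if 7 * (7 + 1) % 2 == 0:
        total = 0
    if 12 * (12 + 1) % 2 == 1:
        _junk = None
    else:
        for b in data:
            total = (total * 31 + b) % 65521
    if total * (total + 1) % 2 == 0:
        return total
"""


def evaluate_predicate(test, trials=64, seed=0):
    """Statistical evaluation of a predicate.

    Binds the free names of `test` to random integers `trials` times.  Returns
    True/False if every trial agreed, None if the value varied or the expression
    was refused (calls, attribute or subscript access, or anything needing
    builtins), so no side effects are ever executed.
    """
    if any(isinstance(n, (ast.Call, ast.Attribute, ast.Subscript)) for n in ast.walk(test)):
        return None
    rng = random.Random(seed)
    names = sorted({n.id for n in ast.walk(test) if isinstance(n, ast.Name)})
    code = compile(ast.Expression(body=test), "<predicate>", "eval")
    seen = set()
    for _ in range(trials):
        env = {name: rng.randint(-10**6, 10**6) for name in names}
        try:
            seen.add(bool(eval(code, {"__builtins__": {}}, env)))
        except Exception:
            return None
        if len(seen) > 1:
            return None            # a genuine decision: both outcomes observed
    return seen.pop()


class OpaquePredicateRemover(ast.NodeTransformer):
    def __init__(self, trials=64, seed=0):
        self.trials, self.seed, self.removed = trials, seed, 0

    def visit_If(self, node):
        self.generic_visit(node)                       # fold inner ifs first
        verdict = evaluate_predicate(node.test, self.trials, self.seed)
        if verdict is None:
            return node                                # keep real control flow
        self.removed += 1
        branch = node.body if verdict else node.orelse  # keep the live branch, drop the dead one
        return branch or ast.Pass()


def deobfuscate(src, trials=64, seed=0):
    """Return (cleaned source, number of opaque guards removed)."""
    remover = OpaquePredicateRemover(trials, seed)
    tree = remover.visit(ast.parse(src))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), remover.removed


def load_function(src, name):
    namespace = {}
    exec(compile(src, "<program>", "exec"), namespace)
    return namespace[name]


if __name__ == "__main__":
    cleaned, removed = deobfuscate(OBFUSCATED_SRC)
    print(removed, "opaque guards removed")
    print(cleaned)
```

All three guards fold away and the original three-statement `checksum` is recovered. This is also why the slides call the parity construct "trivial": the more resilient constructs of slide 20 build the predicate on pointer aliasing or thread interleavings, which random evaluation of a single expression cannot reach, so a remover like this one leaves them standing.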

34 Software Tamper-Proofing

35 The Hacker World
Super-Hackers (The White Knights)
–Organized (suppliers, crackers, coders, web hosters)
–Friendly competition but cooperation on tough problems
Custom tools
–Debuggers & add-ons (anti-debugger aids, memory dumps...)
–Advanced hex-editors
–Packers & unpackers (PEcrypt, Procdump, …)

36 The Hacker World
Hackers’ goals: to beat any and all copy protection
–Generate tamper-proof patches
–Generate essays on your technology
–Generate essays on hack techniques

37 Hackers’ Application Form – Part 1
:.:[ #HUMMERS_WareZ ]:. :.:[ Application Form ]:.
WE'RE LOOKING FOR: Suppliers, Web Hosters, Crackers, Coders
Check the position(s) you want to apply for, look for the section & answer the questions.
[] Topsite FTP Courier X1 : X2 : X9 :
[] Web Hoster X1 : X3 : X9 :
[] Site Operator X1 : X4 : X9 :
[] Shell Supplier X1 : X5 : X9 :
[] Supplier X1 : X6 : X9 :
[] Cracker X1 : X7 : X9 :
[] Coder X1 : X8 : X9 :
[] Other X1 : X9 : X9 :

38 Hacker Tools & Security Risks
Debuggers
Disassemblers
File-level attacks
Memory lifts
Spoofing
Cryptographic attacks
Procedural

39 Debuggers
Step through code
Set memory and code breakpoints
Disassemble code
Change operation of code
General experimentation tool
e.g. SoftIce, TRW and Microsoft debuggers

40 Disassemblers
Can analyse security code in a file on the hard drive
Allow authentication and security code to be easily patched and recompiled
Help remove obfuscation code
e.g. IDA Pro

41 Spoofing
Spy programs used to monitor application calls to system functions
Spoof program intercepts calls and returns the data expected for an authentication
e.g. frogsice, spy32

42 Memory Lifts
Copies the decrypted application (or sections of it) from memory to a file.
Reconstructs the remainder of the application
Can memory-lift security code or the protected application
e.g. procdump

43 Cryptographic Attacks
Use of cryptographic techniques to analyse encryption-protected applications
Use of cryptographic techniques to find decryption keys

44 Procedural
Leaks from publishers
Release of demo builds
Publishing cracks on the WWW
Publishing cracker tools

45 The Lessons
Super-Hackers will work together:
–You are facing large skilled groups, not individuals
Hacks are more than one break:
–Frequently reflect systematic understanding of the whole security system

46 The Lessons
Hacks are more a matter of “when” than “if”
Essays on your security techniques will be published
Patches will be tamper-proofed (just to show you)

47 The Lessons (cont.)
Security hardness, when raised to the level of Super-Hackers:
–Diminishes the number of hacks
–Diminishes distribution sites for patches
–Deters cautious users from applying patches

48 How to Win
Be proactive:
–New security techniques must be added frequently
–Expect to develop major changes in security architecture on a regular basis
Be patient:
–Monitor hackers’ techniques & tools
–Devise multiple techniques before releasing a counter-attack
Focus on slowing down hacks:
–Put as many layers of security as you can in all critical areas
Focus on limiting hack effectiveness:
–Use polymorphism: each installation is different
–Dedicate resources to monitor and close web sites

