Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil.

Published byLonnie Laughton Modified over 10 years ago

Similar presentations

Presentation on theme: "Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil."— Presentation transcript:

1 Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan and Ke Yang Presented by Shai Rubin

2 Security Seminar, Fall 2003 Theory/Practice Gap In practice Hackers successfully obfuscate viruses Researchers successfully obfuscate programs [2,4]2,4 Companies sell obfuscation products [3]3 In theory [1]1 There is no good algorithm for obfuscating programs Which side are you?

3 Security Seminar, Fall 2003 Why Do I Give This Talk? Understand Theory/Practice Gap An example of a good paper An example of an interesting research: –shows how to model a practical problem in terms of complexity theory –Illustrates techniques used by theoreticians I did not understand the paper. I thought that explaining the paper to others, will help me understand it To hear your opinion (free consulting) To learn how to pronounce obfuscation

4 Security Seminar, Fall 2003 Disclaimer This paper is mostly about complexity theory Im not a complexity theory expert I present and discuss only the main result of the paper The paper describes extensions to the main result which I did not fully explore Hence, some of my interpretations/conclusions/suggestions may be wrong/incomplete You are welcome to catch me

5 Security Seminar, Fall 2003 Talk Structure Motivation (Theory/Practice Gap) Obfuscation Model Impossibility Proof Theoretician Track Other Obfuscation Models Practitioner Track Summary Obfuscation Model Analysis

6 Security Seminar, Fall 2003 Obfuscation Concept A good obfuscator: a virtual black box Anything an adversary can compute from an obfuscated program O(P), it can compute given just an oracle access to P The weakest notion of compute: a predicate, or a property of P. Prog.c O(Prog.c) Prog.c p(Prog.c) Input/Output queries Code + Analysis + Input/Output queries

7 Security Seminar, Fall 2003 Turing Machine Obfuscator 1.[Functionality property] O(M) computes the same function as M. 2.[Efficiency property] O(M) running time 1 is the same as M. 3.[Black box property] For any efficient algorithm 2 A (Analysis) that computes a predicate p(M) from O(P), there is an efficient (oRacle access) algorithm 2 R M that for all M computes p(M) : 2 Probabalistic polynomial-time Turing machine 1 Polynomial slowdown is permitted A Turing machine O is a Turing Machine (TM) Obfuscator if for any Turing machine M : Pr[A(O(M)) = p(M)] Pr[R M (1 |M| ) = p(M)] In words: For every M, there is no predicate that can be (efficiently) computed from the obfuscated version of M, and cannot be computed by merely observing the input-output behavior of M.

8 Security Seminar, Fall 2003 Talk Structure Obfuscation Model Impossibility Proof Other Obfuscation Models Summary Motivation (Theory/Practice Gap) Theoretician Track Practitioner Track Obfuscation Model Analysis

9 Security Seminar, Fall 2003 Proof Outline 2. Really? Please provide O. 4. I show you a predicate p, and an (analysis) algorithm s.t.: A(O(E))=p(E). You must provide R M : Pr[R E (1 |E| )= p(E)] Pr[A(O(E))=p(E)]. 5. I choose another machine Z and obfuscate it using O. I show you that Pr[R Z (1 |Z| )= p(Z)] << Pr[A(O(Z))=p(Z)]. 1. You say: I have an obfuscator: for any Machine M, for any (analysis) algorithm A that computes a predicate p(M), there is an oracle access algorithm R M that for all M computes p(M). 3. Given O and a my chosen Turing machine E, I compute O(E). 6. Conclusion: please try another obfuscator (i.e., you do not have a good obfuscator)

10 Security Seminar, Fall 2003 Building E (1) Combination Machine. For any M,N : COMB M,N (1,x) M(x ) and COMB M,N (0,x) N(x). Hence, COMB M,N can be used to compute N(M). COMB M,N (b,x)= M(x) b=1 N(x) b=0

11 Security Seminar, Fall 2003 Building E (2) Let, {0,1} K Let Note: D, can distinguish between C, and C, when (, ) (, ) E, =COMB D,,C, Remember: E, can be used to compute D, (C, ) C, (x)= x= 0 otherwise D, (C)= 1 C( )= 0 otherwise

12 Security Seminar, Fall 2003 Proof Outline 2. Really? Please provide O. 4. I show you a predicate p, and an (analysis) algorithm s.t.: A(O(E, ))=p(E, ). You must provide R M : Pr[R E, (1 |E, | )= p(E, )] Pr[A(O(E, ))=p(E, )]. 5. I choose another machine Z and obfuscate it using O. I show you that Pr[R Z (1 |Z| )= p(Z)] >> Pr[A(O(Z))=p(Z)]. 1. You say: I have an obfuscator: for any Machine M, for any (analysis) algorithm A that computes a predicate p(M), there is an oracle access algorithm R M that for all M computes p(M). 3. Given O and a my chosen Turing machine E, I compute O(E, ). 6. Conclusion: please try another obfuscator (i.e., you do not have a good obfuscator)

13 Security Seminar, Fall 2003 The Analysis Algorithm Input: A combination machine COMB M,N (b,x). Algorithm: 1.Decompose COMB M,N into M and N. a.COMB M,N (1,x) M(x ) b.COMP M,N (0,x) N(x)). 2.Return M(N). Note: A(O(E, )) is a predicate that is always (i.e., with probability 1) true: A(O(E, )) = A(O(COMB D,,C, )) D, (C, ) = 1 You must provide oracle access algorithm: R M s.t. Pr[R E, (1 |E, | )=1] 1.

14 Security Seminar, Fall 2003 Proof Outline 2. Really? Please provide O. 5. I choose another machine Z and obfuscate it using O. I show you that Pr[R Z (1 |Z| )= p(Z)] << Pr[A(O(Z))=p(Z)]. 1. You say: I have an obfuscator: for any Machine M, for any (analysis) algorithm A that computes a predicate p(M), there is an oracle access algorithm R M that for all M computes p(M). 3. Given O and a my chosen Turing machine E, I compute O(E). 6. Conclusion: please try another obfuscator (i.e., you do not have a good obfuscator) 4. I show you a predicate p, and an (analysis) algorithm s.t.: A(O(E, ))=1. You must provide R M : Pr[R E, (1 |E, | )= 1] Pr[A(O(E, ))=1] = 1.

15 Security Seminar, Fall 2003 The Z machine Let Z k be a machine that always return 0 k. Z is similar to E, (COMB D,,C, ): replace C, with Z k. Z=COMB D,,Z k Note A(O(Z)): is a predicate that is always (i.e., with probability 1) false: A(O(Z)) = A(O(COMB D,, Z k )) D, (Z k ) = 0 Pr[R Z (1 |Z| ]=0) 1 ?. If we show that Pr[R Z (1 |Z| ]=0) << 1, we are done.

16 Security Seminar, Fall 2003 Why Pr[R Z (1 |Z| ]=0) <<1 ? Let us look at the execution of R E, : StartEnd D, C, 1 StartEnd Out When we replace the oracle to C, with oracle to Z k, we get R Z. What will change in the execution? Pr(out=0) = Pr(a query to C, returns non-zero) = Pr(query= )=2 -k ZkZk D, ZkZk ZkZk C, R E, : RZ:RZ: C, 3 Inaccurate, see paper. 3

17 Security Seminar, Fall 2003 Proof Outline 2. Really? Please provide O. 4. I show you a predicate p, and an (analysis) algorithm s.t.: A(O(E))=1. You must provide R M : Pr[R E (1 |E| )= 1] Pr[A(O(E))=1] = 1. 5. I choose another machine Z and obfuscate it using O. I show you that Pr[R Z (1 |Z| )= 0]=2 -k << Pr[A(O(Z))=0] = 1. 1. You say: I have an obfuscator: for any Machine M, for any (analysis) algorithm A that computes a predicate p(M), there is an oracle access algorithm R M that for all M computes p(M). 3. Given O and a my chosen Turing machine E, I compute O(E). 6. Conclusion: please try another obfuscator (i.e., you do not have a good obfuscator)

18 Security Seminar, Fall 2003 Talk Structure Obfuscation Model Impossibility Proof Obfuscation Model Analysis Other Obfuscation Models Summary Theoretician Track Practitioner Track Motivation (Theory/Practice Gap)

19 Security Seminar, Fall 2003 Modeling Obfuscation A good obfuscator: a virtual black box Anything that an adversary can compute from an obfuscation O(P), it can also compute given just an oracle access to P Prog.c O(Prog.c) Prog.c Knowledge Barak shows: there are properties that cannot be efficiently learned from I/O queries, but can be learned from the code However, we informally knew it: for example, whether a program is written in C or Pascal, or which data structure a program uses Input/Output queries Code + Analysis + Input/Output queries

20 Security Seminar, Fall 2003 Obfuscation Model Space Difficulty to gain information from O(P). Efficientinefficient Information hidden by obfuscator. Specific predicate All predicates Baraks Model

21 Security Seminar, Fall 2003 TM Obfuscator 1.O(M) computes the same function as M. 2.O(M) running time 1 is the same as M. 3.For any efficient algorithm 2 A (Analysis) that computes a predicate p(M), there is an efficient (oRacle) algorithm 2 R M that for all M computes p(M) : 2 Probabalistic polynomial-time Turing machine 1 Polynomial slowdown is permitted A Turing machine O is a TM obfuscator if for any Turing machine M : Pr[A(O(M)) = p(M)] Pr[R M (1 |M| ) = p(M)]

22 Security Seminar, Fall 2003 Obfuscation Model Space EfficientInefficient Programs All Programs Difficulty to gain information from O(P). Baraks Model Information gained from O(P). Specific predicate All predicates Specific Program

23 Security Seminar, Fall 2003 TM Obfuscator 1.O(M) computes the same function as M. 2.O(M) running time 1 is the same as M. 3.For any efficient algorithm 2 A (Analysis) that computes a predicate p(M), there is an efficient (oRacle) algorithm 2 R M that for all M computes p(M) : 2 Probabalistic polynomial-time Turing machine 1 Polynomial slowdown is permitted A Turing machine O is a TM obfuscator if for any Turing machine M : Pr[A(O(M)) = p(M)] Pr[R M (1 |M| ) = p(M)]

24 Security Seminar, Fall 2003 Talk Structure Motivation Obfuscation Model Impossibility Proof Other Obfuscation Models Summary Theoretician Track Practitioner Track Obfuscation Model Analysis

25 Security Seminar, Fall 2003 Signature obfuscation: Other Obfuscation Models Efficient Inefficient Baraks Model Programs Signature obfuscation: 1.Not all properties 2.Not virtual black box? Difficulty to gain information from O(P). All Programs Information gained from O(P). All predicates Static Disassembly [2]: Specific predicate Static Disassembly [2]: 1.Not all properties 2.Not difficult 3.Not virtual black box?

26 Security Seminar, Fall 2003 Baraks Model Limitation Virtual Black Box: –Not surprising in some sense (but, still excellent work) –Does not corresponds to what attackers/researchers are doing: the virtual black box paradigm for obfuscation is inherently flawed Too general: –obfuscator must work for all programs –for any property (Barak addresses this in the extensions) Too restrictive: does not allow to fit the oracle algorithm per Turing machine (does it matter?).

27 Security Seminar, Fall 2003 Alternative Models Property Hiding Model: for a given property q : (i) q can be computed from P, (ii) q cannot be (is more difficult to?) computed from O(P). Given an algorithm A, and a Turing machine M such that A(M)=q(M), obfuscate M such that 1. [property hiding] for every algorithm A, A(O(M)) q (M) 2. [functionality] M and O(M) computes the same function Virus Signature Obfuscation A(M) = q(M) = substring of instructions inside M O(M) does not contain this substring Static Disassembly A(M)=( particular) Dissembler q(M) = A(M) 90% of the instruction in A(M) are different than the instructions in A(O(M))

28 Security Seminar, Fall 2003 Alternative Models (2) Backdoor Model: hide functionality for a single input, change functionality for most other inputs Given a Turing machine M and an input x 1. [obfuscated back door] there exists y such that M(x)=O(M)(y) 2. [non functionality] for every z y Pr[M(z) O(M)(z)] is high

29 Security Seminar, Fall 2003 Summary What to take home: The gap is possible because: –Virtual black box paradigm is different than real world obfuscation. –The Obfuscation Model Space.Obfuscation Model Space Nice research: Concept Formalism Properties A lot remain to be done

30 Security Seminar, Fall 2003 Bibliography 1.B. Barak, O. Goldreich R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan and K. Yang, "On the (Im)possibility of Obfuscating Programs", CRYPTO, Aug. 2001, Santa Barbara, CA. 2.Cullen Linn and Saumya Debray. "Obfuscation of Executable Code to Improve Resistance to Static Disassembly", CCS Oct. 2003, Washington DC. 3.www.cloakware.com.www.cloakware.com 4.Christian S. Collberg, Clark D. Thomborson, Douglas Low: Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs. POPL 1998.

Download ppt "Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Reductions Complexity ©D.Moshkovitz.

Reductions Complexity ©D.Moshkovitz.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
The SeETL Business Presentation 1/1/2012 www.InstantBI.com.

The SeETL Business Presentation 1/1/2012
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Space complexity [AB 4]. 2 Input/Work/Output TM Output.

Space complexity [AB 4]. 2 Input/Work/Output TM Output.
OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.

OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Complexity Theory Lecture 1 Lecturer: Moni Naor. Computational Complexity Theory Study the resources needed to solve computational problems –Computer.

Complexity Theory Lecture 1 Lecturer: Moni Naor. Computational Complexity Theory Study the resources needed to solve computational problems –Computer.
CAPTCHA: Using Hard AI Problems for Security 12 Jun 2007 Ohad Barak (a.k.a. jo) Luis Von Ahn, EuroCrypt 2003.

CAPTCHA: Using Hard AI Problems for Security 12 Jun 2007 Ohad Barak (a.k.a. jo) Luis Von Ahn, EuroCrypt 2003.
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
Nathan Brunelle Department of Computer Science University of Virginia www.cs.virginia.edu/~njb2b/theory Theory of Computation CS3102 – Spring 2014 A tale.

Nathan Brunelle Department of Computer Science University of Virginia Theory of Computation CS3102 – Spring 2014 A tale.
Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser.

Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser.
January 5, 2015CS21 Lecture 11 CS21 Decidability and Tractability Lecture 1 January 5, 2015.

January 5, 2015CS21 Lecture 11 CS21 Decidability and Tractability Lecture 1 January 5, 2015.
Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.

Program Verification as Probabilistic Inference Sumit Gulwani Nebojsa Jojic Microsoft Research, Redmond.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Tractable and intractable problems for parallel computers

Tractable and intractable problems for parallel computers
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.

Similar presentations

Ads by Google