LI Chengyang,HUANG Tianbo,CHEN Xiarun,WEN Weiping

DOI: https://doi.org/10.3778/j.issn.1002-8331.2112-0035

2023-01-01

Abstract:Software security issues are becoming more prominent in the post-epidemic era, and code obfuscation as a mature protection scheme provides the possibility of cross-platform use with the help of LLVM. However, LLVM-based control flow obfuscation algorithms are limited in terms of protection strength, on the one hand, the existing algorithm model is immutable and lacks structural innovation. On the other hand, the obfuscation processing does not take into account the fact that attackers can base on the basic block. Therefore, two algorithms are proposed:firstly, nested switch obfuscation, which breaks the inherent flat processing model and enhances the hiding of the hopping amount by reconstructing the switch structure internally; secondly, indegree obfuscation, which adds an anti-entry degree analysis strategy to the false control flow to circumvent the false block by changing the indegree of the false block. The results show that the obfuscation method can further reduce 58.67% of the basic block similarity and increase 64.44% of the jump instructions compared to the existing control-flow obfuscation scheme within 1.5 times the temporal overhead.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

FU Jian-jing,WANG Ke

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.012

2010-01-01

Abstract:A compiler built-in obfuscating technology was developed in order to protect software intellectual property and keep from reverse engineering and static analysis. A crossing control-flow code obfuscation technology and the corresponding compiling solution were presented. The control crossing principle of If statement and While loop statement were given out,which produced the control blocks of multi-level exit and entry,so the code control flow became more complicated. Meanwhile,the protected code block was placed in the crossing control blocks to conceal the true control flow. Then the automatic anti-compile can be effectively prevented and the difficulty of software analysis was enhanced. Because the crossing control-flow in source code level cannot be passed by compiler,a compatible compiling method of built-in functions was presented,which made programming simple and safe. The simulation and analysis results indicated that the technology had good protection effect for source code; the target code was slightly increased after compiled,and its running efficiency was almost not affected.

Hameeza Ahmed,Muhammad Faraz Hyder,Muhammad Fahim ul Haque,Paulo Cesar Santos

DOI: https://doi.org/10.1016/j.cose.2024.103704

IF: 5.105

2024-01-11

Computers & Security

Abstract:Code obfuscation is a promising technique for securing software and protecting it from adversaries. The objective is to harden the exploitation of security vulnerabilities for the attacker as well as launching of successful attacks. Obfuscation can be classified into layout, data, and control flow obfuscation. Control flow obfuscation impedes the understanding of the application logic by making it complicated to determine the actual control flows. Although numerous control flow methods exist in the literature, the role of existing compiler optimizations has just been discovered. This paper is the first one that explores the existing optimization space of LLVM compiler for obfuscating code. Our techniques optimally explore the native compiler's optimizations to improve the original code performance and reduce memory space with no disruptive efforts, tools, or extra costs. In the CBench benchmark suite, our work is able to improve 246%, 143%, and 468% in cyclomatic complexity, program length, and implementation effort, respectively, compared to unobfuscated code. Therefore, instead of inventing new obfuscation tools, the existing compiler optimizations can easily be used to obfuscate control flows, saving the overall cost and efforts.

computer science, information systems

Matteo Busi,Pierpaolo Degano,Letterio Galletta

DOI: https://doi.org/10.48550/arXiv.2003.05836

2020-03-12

Abstract:Obfuscating compilers protect a software by obscuring its meaning and impeding the reconstruction of its original source code. The typical concern when defining such compilers is their robustness against reverse engineering and the performance of the produced code. Little work has been done in studying whether the security properties of a program are preserved under obfuscation. In this paper we start addressing this problem: we consider control-flow flattening, a popular obfuscation technique used in industrial compilers, and a specific security policy, namely constant-time. We prove that this obfuscation preserves the policy, i.e., that every program satisfying the policy still does after the transformation.

Programming Languages,Cryptography and Security

Teng Long,Lin Liu,Yijun Yu,Zhiguo Wan

DOI: https://doi.org/10.1109/FCST.2010.85

2010-01-01

Abstract:Nowadays, software refactoring techniques are widely adopted to enhance the quality of software by improving its understandability, performance, as well as other quality related design attributes. On the other hand, various kinds of software obfuscation methods have been proposed to protect security-sensitive information involved in software implementations. This paper analyzes how refactoring and obfuscation use reverse transformations to improve quality and security of software code, and proposes a systematic modeling approach based on i* to support the selection of refactoring techniques and obfuscation methods under different social, environmental and operational situations. First, top-level softgoals guiding designer's decision making are identified and analyzed; next accidental programming “bad smells” and intentional code cracker's threats to these softgoals are identified and analyzed; then refactoring and obfuscation transformations are modeled as countermeasures for these threats; eventually their reversal relations and counteracting patterns are examined using example code segments.

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

Robin David,Sébastien Bardin,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1612.05675

2016-12-17

Abstract:Software deobfuscation is a crucial activity in security analysis and especially, in malware analysis. While standard static and dynamic approaches suffer from well-known shortcomings, Dynamic Symbolic Execution (DSE) has recently been proposed has an interesting alternative, more robust than static analysis and more complete than dynamic analysis. Yet, DSE addresses certain kinds of questions encountered by a reverser namely feasibility questions. Many issues arising during reverse, e.g. detecting protection schemes such as opaque predicates fall into the category of infeasibility questions. In this article, we present the Backward-Bounded DSE, a generic, precise, efficient and robust method for solving infeasibility questions. We demonstrate the benefit of the method for opaque predicates and call stack tampering, and give some insight for its usage for some other protection schemes. Especially, the technique has successfully been used on state-of-the-art packers as well as on the government-grade X-Tunnel malware -- allowing its entire deobfuscation. Backward-Bounded DSE does not supersede existing DSE approaches, but rather complements them by addressing infeasibility questions in a scalable and precise manner. Following this line, we propose sparse disassembly, a combination of Backward-Bounded DSE and static disassembly able to enlarge dynamic disassembly in a guaranteed way, hence getting the best of dynamic and static disassembly. This work paves the way for robust, efficient and precise disassembly tools for heavily-obfuscated binaries.

Cryptography and Security,Software Engineering

Renuka Kumar,Anjana Mariam Kurian

DOI: https://doi.org/10.48550/arXiv.1809.11037

2018-09-28

Abstract:Control flow obfuscation (CFO) alters the control flow path of a program without altering its semantics. Existing literature has proposed several techniques; however, a quick survey reveals a lack of clarity in the types of techniques proposed, and how many are unique. What is also unclear is whether there is a disparity in the theory and practice of CFO. In this paper, we systematically study CFO techniques proposed for Java programs, both from papers and commercially available tools. We evaluate 13 obfuscators using a dataset of 16 programs with varying software characteristics, and different obfuscator parameters. Each program is carefully reverse engineered to study the effect of obfuscation. Our study reveals that there are 36 unique techniques proposed in the literature and 7 from tools. Three of the most popular commercial obfuscators implement only 13 of the 36 techniques in the literature. Thus there appears to be a gap between the theory and practice of CFO. We propose a novel classification of the obfuscation techniques based on the underlying component of a program that is transformed. We identify the techniques that are potent against reverse engineering attacks, both from the perspective of a human analyst and an automated program decompiler. Our analysis reveals that majority of the tools do not implement these techniques, thus defeating the protection obfuscation offers. We furnish examples of select techniques and discuss our findings. To the best of our knowledge, we are the first to assemble such a research. This study will be useful to software designers to decide upon the best techniques to use based upon their needs, for researchers to understand the state-of-the-art and for commercial obfuscator developers to develop new techniques.

Cryptography and Security

Chengyang Li,Tianbo Huang,Xiarun Chen,Chenglin Xie,Weiping Wen

DOI: https://doi.org/10.5121/csit.2022.120409

2022-03-07

Abstract:Code obfuscation increases the difficulty of understanding programs, improves software security, and, in particular, OLLVM offers the possibility of cross-platform code obfuscation. For OLLVM, we provide enhanced solutions for control flow obfuscation and identifier obfuscation. First, we propose the nested switch obfuscation scheme and the in-degree obfuscation for bogus blocks in the control flow obfuscation. Secondly, the identifier obfuscation scheme is presented in the LLVM layer to fill the gap of OLLVM at this level. Finally, we experimentally verify the enhancement effect of the control flow method and the identifier obfuscation effect and prove that the program's security can be further improved with less overhead, providing higher software security.

Cryptography and Security

陈惠羽,茅兵,谢立

DOI: https://doi.org/10.3969/j.issn.1006-6675-B.2012.02.046

2012-01-01

Abstract:Metamorphism and polymorphism are often applied on some malwares to protect their programs against reverse engineering or detected by some anti virus products. However, data structure information based malware signatures invalidate traditional metamorphic technologies. In this paper, we propose a metamorphism tool, which obfuscates data structure in binary code level. This obfuscation technology is more flexible compared to the previous randomizations. Preliminary experimental results show that our tool could obfuscate data structure remarkably with little performance overhead.

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.

Yongzhi Wang,Yu Zou,Yulong Shen,Yao Liu

DOI: https://doi.org/10.1109/tc.2021.3122903

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:Program control flow reflects the algorithm of that program and may reveal implementation vulnerabilities. Thus its confidentiality needs to be protected, especially in a cloud setting. However, most existing control flow obfuscation methods are software-based, which cannot offer high confidentiality while maintaining low performance overhead. In this paper, we propose CFHider, a hardware-assisted solution. By performing program transformation and leveraging Trusted Execution Environments (Intel SGX), CFHider moves branch statement conditions to an opaque and trusted memory space during the program execution. We proved that by generating Obfuscation Invariants, CFHider is able to provide provable control flow confidentiality protection. Based on the design of CFHider, we also developed a prototype system for Java applications. Our security analysis and experimental results indicate that CFHider is effective in protecting control flow confidentiality and incurs a much reduced performance overhead than existing software-based solutions (by a factor of 18.1).

engineering, electrical & electronic,computer science, hardware & architecture

Hui Xu,Yangfan Zhou,Jiang Ming,Michael Lyu

DOI: https://doi.org/10.1186/s42400-020-00049-3

2020-01-01

Abstract:Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/tcad.2018.2864220

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Since the first circuit obfuscation technique was proposed to thwart reverse engineering (RE) attacks to integrated circuits (ICs), there have been active research in de-obfuscation attacks and new obfuscation countermeasures. Although it is crucial for an obfuscation method to be secure against known de-obfuscation attacks, it is equally important to keep the cost of circuit obfuscation low. Most importantly, obfuscation methods need to be formally analyzed for their effectiveness and efficiency. In this paper, we propose a set of quantitatively evaluable metrics for this purpose, particularly facilitated by a recently proposed circuit partition attack (CPA) and the powerful SAT-based attack (SATA). Moreover, we find that CPA can be applied prior to any de-obfuscation attacks to reduce RE efforts exponentially. We then propose a new equivalent class guided obfuscation scheme (ECG-Obfus) to defeat CPA which leverages specially designed camouflaged cells to replace judiciously selected logic gates. Specifically, we select candidate gates for obfuscation from one certain equivalent class, in which the underlying equivalent relation is defined based on IC topological structure information. We evaluate ECG-Obfus using the proposed metrics and conduct experiments on ISCAS 85/89 standard benchmark suites and OpenSparc T1 microprocessor. The results show that ECG-Obfus gains good resilience against known de-obfuscation attacks (including CPA and SATA), with low design complexity and performance overhead.

Hui Xu,Yangfan Zhou,Yu Kang,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.1710.01139

2017-10-03

Abstract:Program obfuscation is a widely employed approach for software intellectual property protection. However, general obfuscation methods (e.g., lexical obfuscation, control obfuscation) implemented in mainstream obfuscation tools are heuristic and have little security guarantee. Recently in 2013, Garg et al. have achieved a breakthrough in secure program obfuscation with a graded encoding mechanism and they have shown that it can fulfill a compelling security property, i.e., indistinguishability. Nevertheless, the mechanism incurs too much overhead for practical usage. Besides, it focuses on obfuscating computation models (e.g., circuits) rather than real codes. In this paper, we aim to explore secure and usable obfuscation approaches from the literature. Our main finding is that currently we still have no such approaches made secure and usable. The main reason is we do not have adequate evaluation metrics concerning both security and performance. On one hand, existing code-oriented obfuscation approaches generally evaluate the increased obscurity rather than security guarantee. On the other hand, the performance requirement for model-oriented obfuscation approaches is too weak to develop practical program obfuscation solutions.

Cryptography and Security,Software Engineering

Christian Collberg,Clark Thomborson,Douglas Low

1997-01-01

Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering....

Anirban Majumdar,Clark Thomborson,Stephen Drape

DOI: https://doi.org/10.1007/11961635_26

2006-01-01

Abstract:In this short survey, we provide an overview of obfuscation and then shift our focus to outlining various non-trivial control-flow obfuscation techniques. Along the way, we highlight two transforms having provable security properties: the dispatcher model and opaque predicates. We comment on the strength and weaknesses of these transforms and outline difficulties associated in generating generalised classes of these.

C Collberg,C Thomborson,D Low

DOI: https://doi.org/10.1109/ICCL.1998.674154

1998-01-01

Abstract:To ensure platform independence, mobile programs are distributed in forms that are isomorphic to the original source code. Such codes are easy to decompile, and hence they increase the risk of malicious reverse engineering attacks.Code obfuscation is one of several techniques which has been proposed to alleviate this situation. An obfuscator is a tool which - through the application of code transformations - converts a program into an equivalent one that is more difficult to reverse engineer:In a previous paper [5] Me have described the design of a control flow obfuscator for Java. In this paper,ve extend the design with transformations that obfuscate data structures and abstractions. In particular; we shore how to obfuscate classes, arrays, procedural abstractions and built-in data types like strings, integers, and booleans.

Weiping WEN,Han ZHANG,Xianglei CAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.05.011

2016-01-01

Abstract:With the rapid development of mobile intelligent terminals, Android operating system has become one of the most widely used mobile intelligent operating systems in the world. Java is famous for its features of good cross-platform, high efficiency and a large amount of developers, therefore the designers of Android choose Java as the system development language. The characteristics of the Java language make Java program easy be decompiled by decompilation tools and be analyzed, which makes Android applications face great risks. This paper focuses on the study of code obfuscation technology for the purpose of protecting Android applications, improving the dififculty of the attacker's reverse analysis and adding no extra time cost for the execution of the program. Based on Android executable ifle reorganization, this paper designs and implements a kind of Android obfuscation tool and carries out test and performances analysis. This Android obfuscation tool enhances the security of Android applications, protects Android applications developers' intellectual property rights, and avoids reverse analysis, piracy and malicious tampering to Android applications to a certain extent.