Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

Haibo Chen,Liwei Yuan,Xi Wu,Binyu Zang,Bo Huang,Pen-Chung Yew

DOI: https://doi.org/10.1145/1669112.1669162

2009-01-01

Abstract:Recent micro-architectural research has proposed various schemes to enhance processors with additional tags to track various properties of a program. Such a technique, which is usually referred to as information flow tracking, has been widely applied to secure software execution (e.g., taint tracking), protect software privacy and improve performance (e.g., control speculation). In this paper, we propose a novel use of information flow tracking to obfuscate the whole control flow of a program with only modest performance degradation, to defeat malicious code injection, discourage software piracy and impede malware analysis. Specifically, we exploit two common features in information flow tracking: the architectural support for automatic propagation of tags and violation handling of tag misuses. Unlike other schemes that use tags as oracles to catch attacks (e.g., taint tracking) or speculation failures, we use the tags as flow-sensitive predicates to hide normal control flow transfers: the tags are used as predicates for control flow transfers to the violation handler, where the real control flow transfer happens. We have implemented a working prototype based on Itanium processors, by leveraging the hardware support for control speculation. Experimental results show that BOSH can obfuscate the whole control flow with only a mean of 26.7% (ranging from 4% to 59%) overhead on SPECINT2006. The increase in code size and compilation time is also modest.

Chengyang Li,Tianbo Huang,Xiarun Chen,Chenglin Xie,Weiping Wen

DOI: https://doi.org/10.5121/csit.2022.120409

2022-03-07

Abstract:Code obfuscation increases the difficulty of understanding programs, improves software security, and, in particular, OLLVM offers the possibility of cross-platform code obfuscation. For OLLVM, we provide enhanced solutions for control flow obfuscation and identifier obfuscation. First, we propose the nested switch obfuscation scheme and the in-degree obfuscation for bogus blocks in the control flow obfuscation. Secondly, the identifier obfuscation scheme is presented in the LLVM layer to fill the gap of OLLVM at this level. Finally, we experimentally verify the enhancement effect of the control flow method and the identifier obfuscation effect and prove that the program's security can be further improved with less overhead, providing higher software security.

Cryptography and Security

FU Jian-jing,WANG Ke

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.012

2010-01-01

Abstract:A compiler built-in obfuscating technology was developed in order to protect software intellectual property and keep from reverse engineering and static analysis. A crossing control-flow code obfuscation technology and the corresponding compiling solution were presented. The control crossing principle of If statement and While loop statement were given out,which produced the control blocks of multi-level exit and entry,so the code control flow became more complicated. Meanwhile,the protected code block was placed in the crossing control blocks to conceal the true control flow. Then the automatic anti-compile can be effectively prevented and the difficulty of software analysis was enhanced. Because the crossing control-flow in source code level cannot be passed by compiler,a compatible compiling method of built-in functions was presented,which made programming simple and safe. The simulation and analysis results indicated that the technology had good protection effect for source code; the target code was slightly increased after compiled,and its running efficiency was almost not affected.

Zheheng Liang,Wenlin Li,Jing Guo,Deyu Qi,Jijun Zeng

DOI: https://doi.org/10.1109/PIC.2017.8359575

2017-01-01

Abstract:In order to enhance the white box security of software, we proposed a reduplicate code obfuscation algorithm to protect the source code. Firstly, we apply the parameter decomposition tree to formalize the code, and then we utilize flattening control flow system to decompose the source code into a multi-branch WHILE-SWITCH loop structure. Finally, we apply opaque predicates to obfuscate the flattened code for the secondary obfuscation. In this paper, opaque predicate code representation and different methods of inserting opaque predicates into program braches and sequence blocks were given. Experiments has been made to compare time-space cost of source code and obfuscated code. The results demonstrate that the proposed algorithm can improve code's anti-attack ability, increasing the difficulty of reverse engineering as well.

王岩,黄章进,顾乃杰

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.06.1803

2017-01-01

Journal of Computer Applications

Abstract:Aiming at the simple obfuscating result of the existing control flow obfuscating algorithm,an obfuscating algorithm based on congruence equation and improved flat control flow was presented.First of all,a kind of opaque predicate used in the basic block of the source code was created by using secret keys and a group of congruence equation.Then,a new algorithm for creating N-state opaque predicate was presented based on Logistic chaotic mapping.The proposed algorithm was applied to the existing flat control flow algorithm for improving it.Finally,according to the combination of the above two proposed algorithms for obfuscating the source code,the complexity of the flat control flow in the code was increased and make it more difficult to be cracked.Compared with the flat control flow algorithm based on chaotic opaque predicate,the code's tamper-proof attack time of the obfuscated code was increased by above 22％ on average and its code's total cyclomatic complexity was improved by above 34％ on average by using the proposed obfuscating algorithm.The experimental results show that,the proposed algorithm can guarantee the correctness of execution result of the obfuscated program and has a high cyclomatic complexity,so it can effectively resist static and dynamic attacks.

Hameeza Ahmed,Muhammad Faraz Hyder,Muhammad Fahim ul Haque,Paulo Cesar Santos

DOI: https://doi.org/10.1016/j.cose.2024.103704

IF: 5.105

2024-01-11

Computers & Security

Abstract:Code obfuscation is a promising technique for securing software and protecting it from adversaries. The objective is to harden the exploitation of security vulnerabilities for the attacker as well as launching of successful attacks. Obfuscation can be classified into layout, data, and control flow obfuscation. Control flow obfuscation impedes the understanding of the application logic by making it complicated to determine the actual control flows. Although numerous control flow methods exist in the literature, the role of existing compiler optimizations has just been discovered. This paper is the first one that explores the existing optimization space of LLVM compiler for obfuscating code. Our techniques optimally explore the native compiler's optimizations to improve the original code performance and reduce memory space with no disruptive efforts, tools, or extra costs. In the CBench benchmark suite, our work is able to improve 246%, 143%, and 468% in cyclomatic complexity, program length, and implementation effort, respectively, compared to unobfuscated code. Therefore, instead of inventing new obfuscation tools, the existing compiler optimizations can easily be used to obfuscate control flows, saving the overall cost and efforts.

computer science, information systems

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Zhou Na-qin,Qi De-yu

DOI: https://doi.org/10.3969/j.issn.1000-565x.2015.05.021

2015-01-01

Abstract:Aiming at the security problem of software white box, an improved parameterized decomposition tree-based obfuscation method with double flattening control flow is put forward.On the basis of given upper bounds of depth, breadth and granularity, the method builds a decomposition tree, coordinates the whole tree with a cycle se-lection structure named while-switch, and then applies double flattering to relevant nodes that satisfy certain condi-tions.Experimental results indicate that, in comparison with the flattening obfuscation method of control flow on the basis of parameterized decomposition tree, the proposed method reduces the execution expense and solves the deep nonfeasance problem;and that, in comparison with the traditional method only with flattening control flow, the pro-posed method increases the difficulty in decompilation and reverse engineering.

Yong Peng,Jie Liang,Qi Li

DOI: https://doi.org/10.1109/ccis.2016.7790231

2017-01-01

China Communications

Abstract:With the rapid development of mobile Internet, the number of mobile applications has increased rapidly. How to protect the copyright of mobile applications is one of the most critical issues in nowadays. Software control flow obfuscation is a wildly used technique to protect the copyright of the software. In this paper, we proposed a control flow obfuscation method for Android applications. The proposed method combines and improves inserting redundant control flow and flattening control flow obfuscation, and further strengthen the strength of obfuscation by building control access policy. Experimental results indicate that the algorithm performs well against automated attacks.

LIU Liang,ZHU Jiacheng,ZHANG Zhe,SHEN Lixiang,SUN Yufeng,MU Dejun

DOI: https://doi.org/10.1051/jnwpu/20244210078

2024-01-01

Abstract:Logical obfuscation technique is a mainstream technical means to achieve intellectual property protection and prevent reverse engineering. In this paper, we propose a logical obfuscation attack method based on the gate-level information flow tracking technique, using the information flow analysis method at the gate-level abstraction level, establishing an information flow model, constraining the output and its contamination labels, and solving the obfuscation key sequence satisfying the constraints using an SAT solver. The experimental results show that the attack method has good cracking effect and efficiency for benchmarks generated by five obfuscated encryption algorithms with two test area costs.

Yongzhi Wang,Yu Zou,Yulong Shen,Yao Liu

DOI: https://doi.org/10.1109/tc.2021.3122903

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:Program control flow reflects the algorithm of that program and may reveal implementation vulnerabilities. Thus its confidentiality needs to be protected, especially in a cloud setting. However, most existing control flow obfuscation methods are software-based, which cannot offer high confidentiality while maintaining low performance overhead. In this paper, we propose CFHider, a hardware-assisted solution. By performing program transformation and leveraging Trusted Execution Environments (Intel SGX), CFHider moves branch statement conditions to an opaque and trusted memory space during the program execution. We proved that by generating Obfuscation Invariants, CFHider is able to provide provable control flow confidentiality protection. Based on the design of CFHider, we also developed a prototype system for Java applications. Our security analysis and experimental results indicate that CFHider is effective in protecting control flow confidentiality and incurs a much reduced performance overhead than existing software-based solutions (by a factor of 18.1).

engineering, electrical & electronic,computer science, hardware & architecture

Anirban Majumdar,Clark Thomborson,Stephen Drape

DOI: https://doi.org/10.1007/11961635_26

2006-01-01

Abstract:In this short survey, we provide an overview of obfuscation and then shift our focus to outlining various non-trivial control-flow obfuscation techniques. Along the way, we highlight two transforms having provable security properties: the dispatcher model and opaque predicates. We comment on the strength and weaknesses of these transforms and outline difficulties associated in generating generalised classes of these.

Renuka Kumar,Anjana Mariam Kurian

DOI: https://doi.org/10.48550/arXiv.1809.11037

2018-09-28

Abstract:Control flow obfuscation (CFO) alters the control flow path of a program without altering its semantics. Existing literature has proposed several techniques; however, a quick survey reveals a lack of clarity in the types of techniques proposed, and how many are unique. What is also unclear is whether there is a disparity in the theory and practice of CFO. In this paper, we systematically study CFO techniques proposed for Java programs, both from papers and commercially available tools. We evaluate 13 obfuscators using a dataset of 16 programs with varying software characteristics, and different obfuscator parameters. Each program is carefully reverse engineered to study the effect of obfuscation. Our study reveals that there are 36 unique techniques proposed in the literature and 7 from tools. Three of the most popular commercial obfuscators implement only 13 of the 36 techniques in the literature. Thus there appears to be a gap between the theory and practice of CFO. We propose a novel classification of the obfuscation techniques based on the underlying component of a program that is transformed. We identify the techniques that are potent against reverse engineering attacks, both from the perspective of a human analyst and an automated program decompiler. Our analysis reveals that majority of the tools do not implement these techniques, thus defeating the protection obfuscation offers. We furnish examples of select techniques and discuss our findings. To the best of our knowledge, we are the first to assemble such a research. This study will be useful to software designers to decide upon the best techniques to use based upon their needs, for researchers to understand the state-of-the-art and for commercial obfuscator developers to develop new techniques.

Cryptography and Security

Hui Xu,Yangfan Zhou,Yu Kang,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.1710.01139

2017-10-03

Abstract:Program obfuscation is a widely employed approach for software intellectual property protection. However, general obfuscation methods (e.g., lexical obfuscation, control obfuscation) implemented in mainstream obfuscation tools are heuristic and have little security guarantee. Recently in 2013, Garg et al. have achieved a breakthrough in secure program obfuscation with a graded encoding mechanism and they have shown that it can fulfill a compelling security property, i.e., indistinguishability. Nevertheless, the mechanism incurs too much overhead for practical usage. Besides, it focuses on obfuscating computation models (e.g., circuits) rather than real codes. In this paper, we aim to explore secure and usable obfuscation approaches from the literature. Our main finding is that currently we still have no such approaches made secure and usable. The main reason is we do not have adequate evaluation metrics concerning both security and performance. On one hand, existing code-oriented obfuscation approaches generally evaluate the increased obscurity rather than security guarantee. On the other hand, the performance requirement for model-oriented obfuscation approaches is too weak to develop practical program obfuscation solutions.

Cryptography and Security,Software Engineering

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Chenxi Wang,Jonathan Hill,John Knight,Jack Davidson

2000-01-01

Abstract:Reliable execution of software on untrustworthy platforms is a difficult problem. On the one hand, the underlying system services cannot be relied upon to provide execution assurance, while on the other hand, the effect of a tampered execution can be disastrous -- consider intrusion detection programs. What is needed, in this case, is tamper resistant software. Code obfuscation has been an area of development, in part, to enhance software tamper resistance. However, most obfuscation techniques are ad hoc, without the support of sound theoretical basis or provable results. In this paper, we address one aspect of software protection by obstructing static analysis of programs. Our techniques are based, fundamentally, on the difficulty of resolving aliases in programs. The presence of aliases has been proven to greatly restrict the precision of static data-flow analysis. Meanwhile, effective alias detection has been shown to be NP-Hard. While this represents a significant hurdle for code optimization, it provides a theoretical basis for structuring tamper-resistant programs -- systematic introduction of nontrivial aliases transforms programs to a form that yields data flow information very slowly and/or with little precision. Precise alias analysis relies on the collection of static control flow information. We further hinder the analysis by a systematic "break-down" of the program control-flow; transforming high level control transfers to indirect addressing through aliased pointers. By doing so, we have made the basic control-flow analysis into a general alias analysis problem, and the data-flow analysis and control-flow analysis are made co-dependent. We present a theoretical result which shows that a precise analysis of the transformed program, in the general case, is NP-hard and demonstrate the applicability of our techniques with empirical results.

Jinxin Ma,Zhoujun Li,Chaojian Hu

DOI: https://doi.org/10.1109/cicn.2012.216

2012-01-01

Abstract:Disassembly is the preparative and crucial phase in reverse engineering and it helps people obtain the high-level semantics of binaries. However, considerable obfuscation technologies are presented to prevent the binary from the disassembler for the benefit and safety consideration. Unfortunately, hackers also could disguise their malware with obfuscation to escape the detection. Therefore, substantial literatures are published to thwart the obfuscation. Without discussing which side is legitimate conceptually, the paper proposed a measure to improving the disassembly result especially for the obfuscated binaries. By adopting some brilliant thought from the preceding publications, the paper presented several solutions to improve the result. A novel technique of verification stack pointer which is utilized to distinguish the bounds of functions, moreover, bytes-based pattern matching assist the disassembler to construct intra-procedural control flow graph dramatically. An implementation is designed and developed with the technology and considerable evaluations were taken on it. An example was provided in the evaluation section and it turned out that our disassembler could perform effectively and accurately.

Jiliang Zhang,Binhang Qi,Gang Qu

DOI: https://doi.org/10.1109/JIOT.2018.2866164

2018-09-19

Abstract:Recently, code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP), have emerged as a new class of ingenious security threatens. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Many defenses, classed into software-based and hardware-based, have been proposed. However, software-based methods are difficult to be deployed in practical systems due to high performance overhead. Hardware-based methods can reduce performance overhead but may require extending instruction set architectures (ISAs) and modifying compiler or suffer the vulnerability of key leakage. To tackle these issues, this paper proposes a new hardware-based control flow checking method to resist CRAs with negligible performance overhead without extending ISAs, modifying compiler and leaking the encryption/decryption key. The key technique involves two control flow checking mechanisms. The first one is the encrypted Hamming distances (EHDs) matching between the physical unclonable function (PUF) response and the return addresses, which prevents attackers from returning between gadgets so long as the PUF response is secret, thus resisting ROP attacks. The second one is the liner encryption/decryption operation (XOR) between PUF response and the instructions at target addresses of call and jmp instructions to defeat JOP attacks. Advanced return-based full-function reuse attacks will be prevented with the dynamic key-updating method. Experimental evaluations on benchmarks demonstrate that the proposed method introduces negligible 0.95% run-time overhead and 0.78% binary size overhead on average.

Cryptography and Security,Hardware Architecture

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.