![Page 1: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/1.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Obfuscating Transformations
Yury Lifshits
Mathematics & Mechanics FacultySaint Petersburg State University
Spring 2005 – SETLab
![Page 2: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/2.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Outline
1 What is Obfuscator?Notion of ObfuscatorAnatomy of ObfuscatorObfuscator Characteristics
![Page 3: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/3.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Outline
1 What is Obfuscator?Notion of ObfuscatorAnatomy of ObfuscatorObfuscator Characteristics
2 Library of Obfuscating TransformationsProgram RepresentationData & Control : Basic TricksControl Flow ObfuscationEven more transformations
![Page 4: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/4.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Outline
1 What is Obfuscator?Notion of ObfuscatorAnatomy of ObfuscatorObfuscator Characteristics
2 Library of Obfuscating TransformationsProgram RepresentationData & Control : Basic TricksControl Flow ObfuscationEven more transformations
3 Obfuscation vs. DeobfuscationClassical Program AnalysisDeobfuscation HardnessFurther Research
![Page 5: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/5.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Motivation: Java Virtual Machine
What is difference between Java and others?
![Page 6: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/6.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Motivation: Java Virtual Machine
What is difference between Java and others?
Most programming languages:
Source Code↓
Machine Code↓
PredefinedArchitecture
![Page 7: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/7.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Motivation: Java Virtual Machine
What is difference between Java and others?
Most programming languages:
Source Code↓
Machine Code↓
PredefinedArchitecture
Java:
Java Source Code↓
Java-byte Code↓
Virtual Processor = JVM
OS & Hardware
![Page 8: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/8.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Motivation: Java Virtual Machine
What is difference between Java and others?
Most programming languages:
Source Code↓
Machine Code↓
PredefinedArchitecture
Java:
Java Source Code↓
Java-byte Code↓
Virtual Processor = JVM
OS & Hardware
Java Virtual Machine: implemented on huge number of hardwarearchitectures / operating systems
![Page 9: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/9.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Notion of Obfuscator
Objectives:
➯ Make code not readable by human
![Page 10: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/10.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Notion of Obfuscator
Objectives:
➯ Make code not readable by human
➯ Make automated analysis difficult
![Page 11: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/11.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Notion of Obfuscator
Objectives:
➯ Make code not readable by human
➯ Make automated analysis difficult
➯ Make code more complicated
![Page 12: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/12.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Notion of Obfuscator
Objectives:
➯ Make code not readable by human
➯ Make automated analysis difficult
➯ Make code more complicated
➯ Make decompilation & reverse engineering difficult
![Page 13: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/13.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator I
How real obfuscator works?
![Page 14: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/14.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator I
How real obfuscator works?
1 Prepares program to be obfuscated
![Page 15: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/15.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator I
How real obfuscator works?
1 Prepares program to be obfuscated
2 Makes a single transformation
![Page 16: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/16.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator I
How real obfuscator works?
1 Prepares program to be obfuscated
2 Makes a single transformation
3 Repeats step 2 until task completed or constraintsexceeded
![Page 17: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/17.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
![Page 18: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/18.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
![Page 19: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/19.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methods
![Page 20: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/20.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)
![Page 21: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/21.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)Makes some appropriateness suggestions
![Page 22: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/22.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)Makes some appropriateness suggestions
➯ Main while loop (until constraints are exceeded or quality isachieved)
![Page 23: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/23.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)Makes some appropriateness suggestions
➯ Main while loop (until constraints are exceeded or quality isachieved)
Choose next (by priority) element of the program to beobfuscated
![Page 24: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/24.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)Makes some appropriateness suggestions
➯ Main while loop (until constraints are exceeded or quality isachieved)
Choose next (by priority) element of the program to beobfuscatedImplement appropriate obfuscating transformation (fromobfuscator library)
![Page 25: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/25.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Anatomy of Obfuscator II
How real obfuscator works (more precisely)?
The workflow is:
➯ Parse input program
Makes a list of obfuscation candidates: classes, variables,methodsConstructs internal representation of the program (e.g. controlflow and basic blocks)Makes some appropriateness suggestions
➯ Main while loop (until constraints are exceeded or quality isachieved)
Choose next (by priority) element of the program to beobfuscatedImplement appropriate obfuscating transformation (fromobfuscator library)Update internal representation
![Page 26: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/26.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Quality of Obfuscation
Slide from Lecture 1
![Page 27: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/27.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Quality of Obfuscation
Slide from Lecture 1
So you supposed to explain it to me...
![Page 28: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/28.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Quality of Obfuscation
Slide from Lecture 1
So you supposed to explain it to me...
Strength can be measured by:
➯ PotencyE(P′)E(P)
− 1
➯ ResilienceTrivial, weak, strong, full, one-way
➯ CostFree, cheap, costly, expensive
➯ Stealthy
![Page 29: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/29.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
![Page 30: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/30.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
![Page 31: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/31.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program length
![Page 32: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/32.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
![Page 33: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/33.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexity
![Page 34: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/34.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
![Page 35: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/35.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexity
![Page 36: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/36.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
![Page 37: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/37.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexity
![Page 38: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/38.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexityNumber of nesting level of conditionals in a program
![Page 39: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/39.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexityNumber of nesting level of conditionals in a program
➯ Data structure complexity
![Page 40: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/40.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexityNumber of nesting level of conditionals in a program
➯ Data structure complexityComplexity of the static data structures in the program like
variables, vectors, records
![Page 41: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/41.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexityNumber of nesting level of conditionals in a program
➯ Data structure complexityComplexity of the static data structures in the program like
variables, vectors, records
➯ OO Metrics
![Page 42: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/42.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program lengthNumber of operators and operands
➯ Data flow complexityNumber of inter-block variable references
➯ Cyclomatic complexityNumber of predicates in a function
➯ Nesting complexityNumber of nesting level of conditionals in a program
➯ Data structure complexityComplexity of the static data structures in the program like
variables, vectors, records
➯ OO MetricsLevel of inheritance, coupling, number of methods triggered by
another method, non-cohesiveness
![Page 43: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/43.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Cost Analysis
What do we pay for security?
![Page 44: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/44.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Cost Analysis
What do we pay for security?
➯ Costs at creation timeObfuscation need time!
![Page 45: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/45.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Cost Analysis
What do we pay for security?
➯ Costs at creation timeObfuscation need time!
➯ Costs at transmition time (resulting size)Inlining library functions may increase size enormously!
![Page 46: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/46.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Cost Analysis
What do we pay for security?
➯ Costs at creation timeObfuscation need time!
➯ Costs at transmition time (resulting size)Inlining library functions may increase size enormously!
➯ Cost at execution timeChecking procedures, dummy code, inlining
![Page 47: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/47.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Cost Analysis
What do we pay for security?
➯ Costs at creation timeObfuscation need time!
➯ Costs at transmition time (resulting size)Inlining library functions may increase size enormously!
➯ Cost at execution timeChecking procedures, dummy code, inlining
➯ Cost by not using efficiency enhancing mechanismsCaching is rarely possible; losing module structure
![Page 48: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/48.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
![Page 49: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/49.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
![Page 50: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/50.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstions
![Page 51: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/51.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
![Page 52: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/52.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
![Page 53: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/53.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
Usage of variables
![Page 54: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/54.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
Usage of variablesData processing
![Page 55: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/55.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
Usage of variablesData processingControl flow commands
![Page 56: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/56.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
Usage of variablesData processingControl flow commands
➯ Code patterns
![Page 57: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/57.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic construstionsUse rare elements more often
➯ Clustering of program elements. Uniform distribution –difficult to understand!
Usage of variablesData processingControl flow commands
➯ Code patternsDestroy long patterns in program
![Page 58: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/58.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
![Page 59: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/59.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model I
What is program from our point of view?
![Page 60: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/60.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model I
What is program from our point of view?
![Page 61: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/61.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model II
![Page 62: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/62.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model II
Compilers and program optimization theory representprograms by control flow graph (CFG)
➯ Each node in the graph represents a basic block
![Page 63: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/63.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model II
Compilers and program optimization theory representprograms by control flow graph (CFG)
➯ Each node in the graph represents a basic block
➯ Basic block: straight-line piece of code without anyjumps or jump targets
![Page 64: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/64.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model II
Compilers and program optimization theory representprograms by control flow graph (CFG)
➯ Each node in the graph represents a basic block
➯ Basic block: straight-line piece of code without anyjumps or jump targets
➯ Directed edges are used to represent jumps in thecontrol flow
![Page 65: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/65.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Model II
Compilers and program optimization theory representprograms by control flow graph (CFG)
➯ Each node in the graph represents a basic block
➯ Basic block: straight-line piece of code without anyjumps or jump targets
➯ Directed edges are used to represent jumps in thecontrol flow
➯ Jump targets start a block; jumps end a block
![Page 66: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/66.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
![Page 67: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/67.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data Obfuscation
![Page 68: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/68.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splitting
![Page 69: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/69.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversion
![Page 70: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/70.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedure
![Page 71: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/71.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetime
![Page 72: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/72.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arrays
![Page 73: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/73.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encoding
![Page 74: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/74.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
![Page 75: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/75.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
![Page 76: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/76.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control Obfuscation
![Page 77: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/77.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocks
![Page 78: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/78.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocksInline methods
![Page 79: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/79.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocksInline methodsOutline statements
![Page 80: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/80.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocksInline methodsOutline statementsUnroll loops
![Page 81: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/81.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocksInline methodsOutline statementsUnroll loopsReorderstatements
![Page 82: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/82.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Simple transformations
So what transformations do you can suggest?
➯ Data ObfuscationVariable splittingScalar/objectconversionStatic data to procedureChange variable lifetimeSplit/fold/merge arraysChange encodingMerge scalar variables
➯ Control ObfuscationBreak basic blocksInline methodsOutline statementsUnroll loopsReorderstatementsReorder loops
![Page 83: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/83.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
![Page 84: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/84.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
Step by step:
➯ Write down a list of all basic blocks
![Page 85: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/85.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
Step by step:
➯ Write down a list of all basic blocks
➯ Split and merge some of them
![Page 86: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/86.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
Step by step:
➯ Write down a list of all basic blocks
➯ Split and merge some of them
➯ Enumerate them
![Page 87: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/87.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
Step by step:
➯ Write down a list of all basic blocks
➯ Split and merge some of them
➯ Enumerate them
➯ Replace all calls by indirect pointing
![Page 88: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/88.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Control Flow Flattening
How to destroy control flow graph?
Step by step:
➯ Write down a list of all basic blocks
➯ Split and merge some of them
➯ Enumerate them
➯ Replace all calls by indirect pointing
➯ Write a single dispatcher to maintain all control flow
![Page 89: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/89.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Opaque predicates
How can we use IF operator for obfuscation?
![Page 90: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/90.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Opaque predicates
How can we use IF operator for obfuscation?
![Page 91: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/91.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Opaque predicates
How can we use IF operator for obfuscation?
Opaque predicates: every time the same valueDifficult to discover by automatical static analysis
![Page 92: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/92.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Opaque predicates
How can we use IF operator for obfuscation?
Opaque predicates: every time the same valueDifficult to discover by automatical static analysis
Examples:
((q + q2) mod 2) = 0
![Page 93: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/93.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Opaque predicates
How can we use IF operator for obfuscation?
Opaque predicates: every time the same valueDifficult to discover by automatical static analysis
Examples:
((q + q2) mod 2) = 0
((q3) mod 8) = 0 OR ((q3) mod 8) = 1
![Page 94: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/94.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Functions Unifying
How can we make program proceduresindistinguishable?
![Page 95: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/95.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Functions Unifying
How can we make program proceduresindistinguishable?
Procedures relations are expressed by Program Call Graph:procedures are nodes and procedure calls are directededges
![Page 96: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/96.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Functions Unifying
How can we make program proceduresindistinguishable?
Procedures relations are expressed by Program Call Graph:procedures are nodes and procedure calls are directededges
Idea: merge functions and call universal function withadditional parameterDifficulty: different signatures (input-output specifications)
![Page 97: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/97.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Functions Unifying
How can we make program proceduresindistinguishable?
Procedures relations are expressed by Program Call Graph:procedures are nodes and procedure calls are directededges
Idea: merge functions and call universal function withadditional parameterDifficulty: different signatures (input-output specifications)
Solution: unify signatures (in groups)
![Page 98: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/98.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
![Page 99: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/99.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
![Page 100: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/100.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
![Page 101: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/101.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
➯ Modify inheritance relations
![Page 102: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/102.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
➯ Modify inheritance relations
➯ Convert static data to procedural data
![Page 103: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/103.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
➯ Modify inheritance relations
➯ Convert static data to procedural data
➯ Store part of the program as a text and interpret it onlyduring runtime
![Page 104: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/104.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
➯ Modify inheritance relations
➯ Convert static data to procedural data
➯ Store part of the program as a text and interpret it onlyduring runtime
➯ Remove library calls
![Page 105: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/105.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
![Page 106: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/106.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against staticanalysis
![Page 107: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/107.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against staticanalysis
Disadvantages
![Page 108: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/108.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against staticanalysis
Disadvantages
✘ No guaranteed security
![Page 109: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/109.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against staticanalysis
Disadvantages
✘ No guaranteed security
✘ Even no hope for that
![Page 110: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/110.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against staticanalysis
Disadvantages
✘ No guaranteed security
✘ Even no hope for that
✘ Weak against dynamicattacks
![Page 111: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/111.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
![Page 112: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/112.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
![Page 113: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/113.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
![Page 114: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/114.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
![Page 115: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/115.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
![Page 116: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/116.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
![Page 117: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/117.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
➯ Must be killed
![Page 118: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/118.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
➯ Must be killed
➯ Must be available
![Page 119: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/119.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
➯ Must be killed
➯ Must be available
➯ May be used before kill
![Page 120: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/120.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Classical Program Analysis
What’s about program analysis?
Static analysis: only read codeDynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
➯ Must be killed
➯ Must be available
➯ May be used before kill
➯ May be referenced
![Page 121: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/121.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
![Page 122: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/122.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
![Page 123: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/123.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
Not yet. But...
![Page 124: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/124.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
Not yet. But...
We can prove program analysis to be hard for obfuscatedprograms:
![Page 125: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/125.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
Not yet. But...
We can prove program analysis to be hard for obfuscatedprograms:
Alias analysis of obfuscated programs is NP-hard!
![Page 126: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/126.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
![Page 127: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/127.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
![Page 128: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/128.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Functions parameters catching
![Page 129: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/129.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Functions parameters catching
➯ Program slicing
![Page 130: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/130.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Functions parameters catching
➯ Program slicing
➯ Statistical analysis
![Page 131: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/131.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Functions parameters catching
➯ Program slicing
➯ Statistical analysis
➯ Data flow analysis
![Page 132: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/132.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Approaches to Deobfuscation
Almost all obfuscating transformations have a efficientdeobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Functions parameters catching
➯ Program slicing
➯ Statistical analysis
➯ Data flow analysis
➯ Pattern matching
![Page 133: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/133.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
![Page 134: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/134.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
![Page 135: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/135.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
![Page 136: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/136.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
➯ Protection against recompilation
![Page 137: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/137.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
➯ Protection against recompilation
➯ Introducing more deobufuscation hardness results
![Page 138: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/138.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
➯ Protection against recompilation
➯ Introducing more deobufuscation hardness results
![Page 139: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/139.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
➯ Protection against recompilation
➯ Introducing more deobufuscation hardness results
Good Luck with this stuff!
![Page 140: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/140.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Summary
➯ Obfuscator analyse and modify program by series oftransformations
![Page 141: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/141.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Summary
➯ Obfuscator analyse and modify program by series oftransformations
➯ Obfuscating transformations consist of layout, data andcontrol tricks
![Page 142: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/142.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Summary
➯ Obfuscator analyse and modify program by series oftransformations
➯ Obfuscating transformations consist of layout, data andcontrol tricks
➯ Hardness of deobfuscation is not proved
![Page 143: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/143.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Summary
➯ Obfuscator analyse and modify program by series oftransformations
➯ Obfuscating transformations consist of layout, data andcontrol tricks
➯ Hardness of deobfuscation is not proved
![Page 144: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/144.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
What isObfuscator?Notion ofObfuscator
Anatomy ofObfuscator
ObfuscatorCharacteristics
ObfuscationLibraryProgramRepresentation
Data & Control :Basic Tricks
Control FlowObfuscation
Even moretransformations
Obfuscationvs. Deobfus-cationClassical ProgramAnalysis
DeobfuscationHardness
Further Research
Summary
Summary
➯ Obfuscator analyse and modify program by series oftransformations
➯ Obfuscating transformations consist of layout, data andcontrol tricks
➯ Hardness of deobfuscation is not proved
Question Time!
![Page 145: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/145.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
Back UpSlidesNot covered by thetalk
References
Not covered by the talk
Obfuscation vs. watermarkingObfuscation for watermarkingMaking disassembling hard.Decompiled – uncompilable for JavaGeneral idea – make program dictionary as short aspossiblePreventive obfuscationProfiling in the obfuscatorReducible and non-reducible graphsAre obfuscating transformations comparable, e.g. one OT isevery time better than another OT?Program Analysis classification
![Page 146: Obfuscating Transformations - Yury Lifshitsflow and basic blocks) Makes some appropriateness suggestions Main while loop (until constraints are exceeded or quality is achieved) Choose](https://reader033.vdocuments.us/reader033/viewer/2022052014/602b4f50fa433726e30ddd3f/html5/thumbnails/146.jpg)
ObfuscatingTransforma-
tions
Yury Lifshits
Back UpSlidesNot covered by thetalk
References
For Further Reading
Collberg - Thomborson - LowSeries of papershttp://www.cs.arizona.edu/˜collberg/research/publications/