Obfuscating Transformations - Yury Lifshits
TRANSCRIPT
Obfuscating Transformations
Yury Lifshits
What is Obfuscator?
    Notion of Obfuscator
    Anatomy of Obfuscator
    Obfuscator Characteristics
Obfuscation Library
    Program Representation
    Data & Control: Basic Tricks
    Control Flow Obfuscation
    Even more transformations
Obfuscation vs. Deobfuscation
    Classical Program Analysis
    Deobfuscation Hardness
    Further Research
Summary
Obfuscating Transformations
Yury Lifshits
Mathematics & Mechanics Faculty
Saint Petersburg State University
Spring 2005 – SETLab
Outline
1 What is Obfuscator?
    Notion of Obfuscator
    Anatomy of Obfuscator
    Obfuscator Characteristics
2 Library of Obfuscating Transformations
    Program Representation
    Data & Control: Basic Tricks
    Control Flow Obfuscation
    Even more transformations
3 Obfuscation vs. Deobfuscation
    Classical Program Analysis
    Deobfuscation Hardness
    Further Research
Motivation: Java Virtual Machine
What is the difference between Java and others?
Most programming languages:
Source Code
↓
Machine Code
↓
Predefined Architecture
Java:
Java Source Code
↓
Java-byte Code
↓
Virtual Processor = JVM
OS & Hardware
Java Virtual Machine: implemented on a huge number of hardware architectures / operating systems
Notion of Obfuscator
Objectives:
➯ Make code unreadable by humans
➯ Make automated analysis difficult
➯ Make code more complicated
➯ Make decompilation & reverse engineering difficult
Anatomy of Obfuscator I
How does a real obfuscator work?
1 Prepares program to be obfuscated
2 Makes a single transformation
3 Repeats step 2 until task completed or constraints exceeded
Anatomy of Obfuscator II
How does a real obfuscator work (more precisely)?
The workflow is:
➯ Parse input program
    Makes a list of obfuscation candidates: classes, variables, methods
    Constructs internal representation of the program (e.g. control flow and basic blocks)
    Makes some appropriateness suggestions
➯ Main while loop (until constraints are exceeded or quality is achieved)
    Choose next (by priority) element of the program to be obfuscated
    Implement appropriate obfuscating transformation (from obfuscator library)
    Update internal representation
Quality of Obfuscation
Slide from Lecture 1
So you are supposed to explain it to me...
Strength can be measured by:
➯ Potency: $\frac{E(P')}{E(P)} - 1$
➯ Resilience: Trivial, weak, strong, full, one-way
➯ Cost: Free, cheap, costly, expensive
➯ Stealthy
Program Complexity Metrics
We want: make program complicated
So what is program code complexity?
➯ Program length
    Number of operators and operands
➯ Data flow complexity
    Number of inter-block variable references
➯ Cyclomatic complexity
    Number of predicates in a function
➯ Nesting complexity
    Number of nesting levels of conditionals in a program
➯ Data structure complexity
    Complexity of the static data structures in the program like variables, vectors, records
➯ OO Metrics
    Level of inheritance, coupling, number of methods triggered by another method, non-cohesiveness
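Added example (not part of the original slides): a Python script that computes three of the metrics above (program length, number of predicates, nesting level) on a program P and a transformed variant P′, then evaluates the potency E(P′)/E(P) − 1 from the "Quality of Obfuscation" slide for each metric E. The two sample programs are constructed for illustration; the counting rules (assignment is not counted as an operator, `for` counts as a predicate) are assumptions of this example.

```python
import ast

# Constructed sample programs (not from the slides). P_PRIME computes the same
# result as P but adds an always-true conditional and dummy code.
P = '''
def total(values):
    s = 0
    for v in values:
        if v > 0:
            s = s + v
    return s
'''

P_PRIME = '''
def total(values):
    s = 0
    k = 7
    for v in values:
        if (k * (k + 1)) % 2 == 0:
            if v > 0:
                s = s + v
        else:
            s = s - k
        k = k + 2
    return s
'''

# Assumed counting rules for this example.
OPERATORS = (ast.operator, ast.cmpop, ast.boolop, ast.unaryop)
OPERANDS = (ast.Name, ast.Constant)
PREDICATES = (ast.If, ast.While, ast.For, ast.IfExp)


def program_length(tree):
    """Program length: number of operators and operands."""
    return sum(isinstance(n, OPERATORS + OPERANDS) for n in ast.walk(tree))


def predicate_count(tree):
    """Cyclomatic complexity as defined on the slide: number of predicates."""
    return sum(isinstance(n, PREDICATES) for n in ast.walk(tree))


def nesting_depth(node, depth=0):
    """Nesting complexity: deepest level of nested conditionals/loops."""
    if isinstance(node, PREDICATES):
        depth += 1
    children = [nesting_depth(c, depth) for c in ast.iter_child_nodes(node)]
    return max([depth] + children)


def measure(source):
    """Return every metric E(source) as a dict."""
    tree = ast.parse(source)
    return {
        "length": program_length(tree),
        "predicates": predicate_count(tree),
        "nesting": nesting_depth(tree),
    }


def potency(e_p, e_p_prime):
    """Potency of a transformation under one metric: E(P')/E(P) - 1."""
    return e_p_prime / e_p - 1


def potency_report(original, transformed):
    """Potency of the transformation original -> transformed, per metric."""
    before, after = measure(original), measure(transformed)
    return {name: potency(before[name], after[name]) for name in before}


def run_total(source, values):
    """Execute a sample program and call its total() to compare behaviour."""
    namespace = {}
    exec(source, namespace)
    return namespace["total"](values)


if __name__ == "__main__":
    print("E(P)  =", measure(P))
    print("E(P') =", measure(P_PRIME))
    for name, value in potency_report(P, P_PRIME).items():
        print(f"potency[{name}] = {value:.3f}")
    sample = [3, -1, 4]
    print("same output:", run_total(P, sample) == run_total(P_PRIME, sample))
```

A positive potency means the transformed program scores as more complex under that metric; the final check confirms the transformation did not change the program's output on the sample input.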
Cost Analysis
What do we pay for security?
➯ Costs at creation time
    Obfuscation needs time!
➯ Costs at transmission time (resulting size)
    Inlining library functions may increase size enormously!
➯ Cost at execution time
    Checking procedures, dummy code, inlining
➯ Cost by not using efficiency enhancing mechanisms
    Caching is rarely possible; losing module structure
Statistics measurement
Other metrics?
Statistics! What kind of?
➯ Distribution of basic constructions
    Use rare elements more often
➯ Clustering of program elements. Uniform distribution – difficult to understand!
    Usage of variables
    Data processing
    Control flow commands
➯ Code patterns
    Destroy long patterns in program
Control Flow Model I
What is a program from our point of view?

Control Flow Model II
Compilers and program optimization theory represent programs by a control flow graph (CFG)
➯ Each node in the graph represents a basic block
➯ Basic block: straight-line piece of code without any jumps or jump targets
➯ Directed edges are used to represent jumps in the control flow
➯ Jump targets start a block; jumps end a block
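
The rule "jump targets start a block; jumps end a block" is enough to build the CFG from a linear instruction list. The sketch below is an added example, not part of the original slides; the instruction format, the opcode names and the sample program are constructed for illustration.

```python
"""Partition a linear instruction list into basic blocks and build the CFG.

Instruction format (constructed for this example): (label, opcode, operand)
  "op"  straight-line instruction
  "jmp" unconditional jump to the label in operand
  "br"  conditional jump to the label, falls through when not taken
  "ret" leaves the routine
"""

# Constructed sample: gcd(a, b) by repeated subtraction.
PROGRAM = [
    (None,   "op",  "read a, b"),
    ("loop", "br",  "done"),       # if a == b goto done
    (None,   "br",  "less"),       # if a < b goto less
    (None,   "op",  "a = a - b"),
    (None,   "jmp", "loop"),
    ("less", "op",  "b = b - a"),
    (None,   "jmp", "loop"),
    ("done", "op",  "result = a"),
    (None,   "ret", None),
]


def find_leaders(program):
    """Indices that start a block: entry, jump targets, instruction after a jump."""
    label_at = {lab: i for i, (lab, _, _) in enumerate(program) if lab}
    leaders = {0}
    for i, (_, opcode, operand) in enumerate(program):
        if opcode in ("jmp", "br"):
            leaders.add(label_at[operand])          # jump targets start a block
        if opcode in ("jmp", "br", "ret") and i + 1 < len(program):
            leaders.add(i + 1)                      # jumps end a block
    return sorted(leaders), label_at


def build_cfg(program):
    """Return (blocks, edges): blocks as (start, end) index ranges, edges as block pairs."""
    leaders, label_at = find_leaders(program)
    bounds = leaders + [len(program)]
    blocks = [(bounds[k], bounds[k + 1]) for k in range(len(leaders))]
    block_of = {start: k for k, (start, _) in enumerate(blocks)}
    edges = set()
    for k, (_, end) in enumerate(blocks):
        _, opcode, operand = program[end - 1]       # last instruction decides successors
        if opcode in ("jmp", "br"):
            edges.add((k, block_of[label_at[operand]]))
        if opcode in ("op", "br") and end < len(program):
            edges.add((k, block_of[end]))           # fall-through edge
    return blocks, sorted(edges)


if __name__ == "__main__":
    blocks, edges = build_cfg(PROGRAM)
    for k, (start, end) in enumerate(blocks):
        print(f"B{k}:", [ins[2] or ins[1] for ins in PROGRAM[start:end]])
    print("edges:", edges)
```
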
Simple transformations
So what transformations can you suggest?
➯ Data Obfuscation
    Variable splitting
    Scalar/object conversion
    Static data to procedure
    Change variable lifetime
    Split/fold/merge arrays
    Change encoding
    Merge scalar variables
➯ Control Obfuscation
    Break basic blocks
    Inline methods
    Outline statements
    Unroll loops
    Reorder statements
    Reorder loops

Control Flow Flattening
How to destroy the control flow graph?
Step by step:
➯ Write down a list of all basic blocks
➯ Split and merge some of them
➯ Enumerate them
➯ Replace all calls by indirect pointing
➯ Write a single dispatcher to maintain all control flow
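
The steps above applied to a small routine, as an added example that is not part of the original slides (routine, block numbering and helper names are constructed). It also shows what an analyst still sees: code structure alone gives only a star around the dispatcher, while logging the state variable at run time gives back the block-to-block edges for the paths the inputs exercise.

```python
"""Control flow flattening of a small routine, and what static vs. dynamic
analysis can still see. Everything here is constructed for illustration."""


def gcd_plain(a, b):
    """Structured original (positive integers): a loop with a nested if/else."""
    while a != b:
        if a < b:
            b -= a
        else:
            a -= b
    return a


EXIT = -1  # pseudo block number meaning "leave the dispatcher"

# Steps 1-3: the basic blocks of gcd_plain, listed and numbered in an
# arbitrary order. Step 4: no block jumps anywhere itself; it only returns
# the number of the block that should run next.
def _compare(env):
    return 2 if env["a"] < env["b"] else 1

def _sub_a(env):
    env["a"] -= env["b"]
    return 3

def _sub_b(env):
    env["b"] -= env["a"]
    return 3

def _loop_test(env):
    return 4 if env["a"] == env["b"] else 0

def _finish(env):
    env["result"] = env["a"]
    return EXIT

BLOCKS = {0: _compare, 1: _sub_a, 2: _sub_b, 3: _loop_test, 4: _finish}
ENTRY = 3


def gcd_flat(a, b, trace=None):
    """Step 5: one dispatcher loop carries all control flow."""
    env = {"a": a, "b": b}
    state = ENTRY
    while state != EXIT:
        nxt = BLOCKS[state](env)      # indirect transfer through the table
        if trace is not None:
            trace.add((state, nxt))   # what a debugger or tracer would log
        state = nxt
    return env["result"]


def static_edges():
    """Edges visible from code structure alone: a star around the dispatcher."""
    star = {("dispatcher", k) for k in BLOCKS}
    return star | {(k, "dispatcher") for k in BLOCKS}


def traced_edges(inputs):
    """Block-to-block edges observed while running the flattened code."""
    seen = set()
    for a, b in inputs:
        gcd_flat(a, b, trace=seen)
    return seen


if __name__ == "__main__":
    print("static :", sorted(static_edges(), key=str))
    print("traced (5, 5)  :", sorted(traced_edges([(5, 5)])))
    print("traced (12, 18):", sorted(traced_edges([(12, 18)])))
```

The input (5, 5) exercises only the exit path, so the recovered graph is as complete as the inputs' coverage and no more.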
Opaque predicates
How can we use the IF operator for obfuscation?
Opaque predicates: every time the same value
Difficult to discover by automatic static analysis
Examples:
((q + q^2) mod 2) = 0
((q^3) mod 8) = 0 OR ((q^3) mod 8) = 1
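
An added check for the two example predicates, reading the exponents as q² and q³; it is not part of the original slides and the function names are made up for the example. Each predicate depends on q only through a polynomial reduced mod m, so evaluating one full cycle of residues 0..m-1 decides it for every integer q, which is also how a reviewer can confirm that a guard really is constant before relying on it.

```python
"""Exhaustive residue check for arithmetic opaque predicates (constructed example)."""


def p_even(q):
    # First example from the slide: q + q^2 = q(q + 1), a product of neighbours.
    return (q + q**2) % 2 == 0


def p_cube(q):
    # Second example, as transcribed on the slide.
    return (q**3) % 8 == 0 or (q**3) % 8 == 1


def failing_residues(predicate, modulus):
    """Residues r in 0..modulus-1 for which predicate(r) is false.

    A predicate built only from integer polynomials in q reduced mod
    `modulus` has the same truth value for q and q + modulus, so an empty
    result proves it is true for every integer q.
    """
    return [r for r in range(modulus) if not predicate(r)]


def guarded_increment(x, q, predicate):
    """Typical use: the real code sits behind the predicate, junk behind 'else'."""
    if predicate(q):
        return x + 1      # real computation
    return x - 1          # bogus branch, meant to be unreachable


def preserves_semantics(predicate, modulus):
    """True when the guarded code equals the original x + 1 for every q."""
    return all(guarded_increment(10, q, predicate) == 11 for q in range(modulus))


if __name__ == "__main__":
    for name, pred, m in (("p_even", p_even, 2), ("p_cube", p_cube, 8)):
        print(name, "fails on residues", failing_residues(pred, m),
              "| semantics preserved:", preserves_semantics(pred, m))
```

With the text as transcribed, the first predicate holds on every residue, while the second fails for q ≡ 3, 5, 7 (mod 8), so guarding real code with it would change program behaviour for those values of q.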

Functions Unifying
How can we make program procedures indistinguishable?
Procedure relations are expressed by the Program Call Graph: procedures are nodes and procedure calls are directed edges
Idea: merge functions and call a universal function with an additional parameter
Difficulty: different signatures (input-output specifications)
Solution: unify signatures (in groups)

Even more transformations
Question: Can you invent more?
➯ Reuse identifiers
➯ Introduce misleading comments :-)
➯ Modify inheritance relations
➯ Convert static data to procedural data
➯ Store part of the program as a text and interpret it only during runtime
➯ Remove library calls

Current Techniques: Pro and Contra
Advantages
✔ Easy to implement
✔ Universal
✔ Good against static analysis
Disadvantages
✘ No guaranteed security
✘ Even no hope for that
✘ Weak against dynamic attacks

Classical Program Analysis
What about program analysis?
Static analysis: only read code
Dynamic analysis: execute code
Usual tasks:
➯ May be aliased
➯ Must be aliased
➯ May be modified
➯ Must be constant
➯ Must be killed
➯ Must be available
➯ May be used before kill
➯ May be referenced
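The "Must be constant" task from the list above, written as a forward data-flow analysis over a small control flow graph. This is an added example, not code from the talk; the CFG encoding, the variable names and the `must_be_constant` helper are assumptions made for illustration.

```python
import operator

NAC = "NAC"  # "not a constant": value differs between paths or is unknown
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

# Constructed sample CFG: block -> (assignments, successors).
# An assignment is (target, operand) or (target, (op, left, right)).
CFG = {
    "entry": ([("k", 3), ("x", "input")], ["then", "else"]),
    "then": ([("y", ("*", "k", 2)), ("z", 1)], ["exit"]),
    "else": ([("y", ("+", "k", "k")), ("z", "x")], ["exit"]),
    "exit": ([("r", ("+", "y", "k"))], []),
}

def value(operand, env):
    """Abstract value of an int literal or a variable name."""
    return operand if isinstance(operand, int) else env.get(operand, NAC)

def transfer(stmts, env):
    """Run one block's assignments over a copy of the incoming facts."""
    env = dict(env)
    for target, expr in stmts:
        if isinstance(expr, tuple):
            op, left, right = expr
            a, b = value(left, env), value(right, env)
            env[target] = NAC if NAC in (a, b) else OPS[op](a, b)
        else:
            env[target] = value(expr, env)
    return env

def meet(envs):
    """Keep a value only when every incoming path agrees on it."""
    merged = {}
    for var in set().union(*envs):
        vals = {env.get(var, NAC) for env in envs}
        merged[var] = vals.pop() if len(vals) == 1 else NAC
    return merged

def must_be_constant(cfg, entry="entry"):
    """Forward fixpoint: block -> variables that are constant at its end."""
    preds = {b: [p for p in cfg if b in cfg[p][1]] for b in cfg}
    out, changed = {}, True
    while changed:
        changed = False
        for block, (stmts, _) in cfg.items():
            seen = [{}] if block == entry else []  # nothing is known at program start
            seen += [out[p] for p in preds[block] if p in out]
            if not seen:
                continue  # no predecessor analysed yet
            new = transfer(stmts, meet(seen))
            if out.get(block) != new:
                out[block], changed = new, True
    return {b: {v: c for v, c in e.items() if c != NAC} for b, e in out.items()}
```

On the constructed CFG, `y` is reported constant at `exit` although the two branches compute it with different expressions, while `z` is not, because one branch copies it from input.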
Is Deobfuscation Hard?
Can we prove the difficulty of deobfuscation?
Not yet. But...
We can prove program analysis to be hard for obfuscated programs:
Alias analysis of obfuscated programs is NP-hard!
Approaches to Deobfuscation
Almost all obfuscating transformations have an efficient deobfuscating method...
Do you believe?
Deobfuscator can use:
➯ Function parameter catching
➯ Program slicing
➯ Statistical analysis
➯ Data flow analysis
➯ Pattern matching
Further Research
What can we do here?
➯ Just new transformations
➯ Preventive transformations
➯ Protection against recompilation
➯ Introducing more deobfuscation hardness results
Good Luck with this stuff!
Summary
➯ An obfuscator analyses and modifies a program by a series of transformations
➯ Obfuscating transformations consist of layout, data and control tricks
➯ Hardness of deobfuscation is not proved
Question Time!
Back Up Slides
Not covered by the talk
➯ Obfuscation vs. watermarking
➯ Obfuscation for watermarking
➯ Making disassembling hard
➯ Decompiled – uncompilable for Java
➯ General idea – make program dictionary as short as possible
➯ Preventive obfuscation
➯ Profiling in the obfuscator
➯ Reducible and non-reducible graphs
➯ Are obfuscating transformations comparable, e.g. one OT is every time better than another OT?
➯ Program Analysis classification
For Further Reading
Collberg - Thomborson - Low
Series of papers
http://www.cs.arizona.edu/~collberg/research/publications/