| 1Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Code-level Cyber-Security:
MATE, attack & defense
Sébastien Bardin (CEA LIST)
Richard Bonichon (CEA LIST)
(heavily inspired from C. Collberg and B. de Sutter)
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
OUTLINE
• Context: MATE attacks
• Scenario
• Examples
• Ideas for defense
• What matters
CLASSIFICATION OF ATTACKS (1)
MITM: Man-In-The-Middle
Attacker is on the network
• Observe messages
• Forge messages
Realm of cryptos
CLASSIFICATION OF ATTACKS (2)
« Man-Beyond-The-Door »
Attacker has limited access
• Try to escalate
• Forge specially crafted files/queries
Realm of program analysis
CLASSIFICATION OF ATTACKS (3) *** topic of the day ***
MATE: Man-At-The-End
Attacker is on the computer
• R/W the code
• Execute step by step
• Patch on-the-fly
Realm of program analysis?
White-box crypto?
MAN AT THE END
Examples
WHAT FOR?
FACT: SOFTWARE IS JUST DATA
• You can execute it
• But you may prefer to:
  • Read it <reverse legacy code, or steal crypto keys>
  • Modify it <patch a bug, or bypass a security check>
Code & Data protection (obfuscation)
Code & Data attack (MATE)
NOT SO HARD FOR EXPERTS
HOW TO? Look at the code
HOW TO? Trick (tamper) the code
CODE TAMPERING
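    #include <stdbool.h>

    /* Provided elsewhere; each fills a 4-byte buffer. */
    void getInput(char out[4]);
    void getPassword(char out[4]);

    bool check(void) {
        char buff[4], secret[4];
        getInput(buff);
        getPassword(secret);
        for (int i = 0; i <= 3; i++) {
            if (buff[i] != secret[i])
                return false;   /* first mismatch rejects */
        }
        return true;
    }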
About the attacker
• Malicious user
• Malicious insider
• Malicious outsider, got in through exploit
• Malware
Question
(Tools vs counter-tools)*
• Attacker
  • Static: control-flow graph, disassembly, decompilation, tainting, slicing, etc.
  • Dynamic: debugging, emulation
• Defender
  • Obfuscation // vs static
  • Anti-tampering // vs dynamic
• Attacker
  • Better static / dynamic, hybrid, semantic
• Defender
  • Better anti-better …
Raise the bar
What matters?
Performance? Depends on context
Performance for math-proven obfuscation: not yet …
Time to crack!
Context matters
How long for cracking?
• 5 min (VOD)
• 2 weeks (video game)
• 1 year
• No limit
How much overhead is affordable?
OBFUSCATION
Transform P into P’ such that
• P’ behaves like P
• P’ roughly as efficient as P
• P’ is very hard to understand
State of the art
• No usable math-proven solution
• Useful ad hoc solutions (strength?)
DEOBFUSCATION
• Ideally, get P back from P’
• Or, get close enough
• Or, help understand P
WHY WORKING ON DEOBFUSCATION? <in an ethical manner>
• Software protection
• Assess the power of current obfuscation schemes
• Special case: white-box crypto <hide keys>
• Malware analysis
• Comprehension: help to understand the malware <goal, functions, weaknesses>
• Detection: remove the protection layer
Example of obfuscation (1)
Example of obfuscation (2)
Example of obfuscation (3)
Example of obfuscation (4)
Example of obfuscation (5)
Example of tamper-proofing
Question
• Tamper-proof and obfuscation
• Link?
• Use both or not?
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
Static vs dynamic
Static
Control-flow analysis
Control-flow analysis (2)
Disassembly
Hard task – basic methods:
• Linear sweep
• Recursive traversal
• + heuristics
Disassembly
Dynamic
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
OUTLINE
• Basic defense
• Obfuscation
• Anti-tampering
OVERVIEW
• Obfuscation
  • Opaque expressions
  • Opaque predicates
  • Stack tampering
  • Strange asm code
  • CFG flattening
  • Virtualization
• Anti-tampering
  • Redundant check, hash functions
  • Anti-debug, anti-emulation
EXAMPLE: OPAQUE EXPRESSION
EXAMPLE: OPAQUE EXPRESSION (2)
EXAMPLE: OPAQUE EXPRESSION (3)
EXAMPLE: OPAQUE EXPRESSION (4)
EXAMPLE: Control-flow flattening
EXAMPLE: OPAQUE PREDICATE
Constant-value predicates
(always true, always false)
• dead branch points to spurious code
• goal = waste reverser time & efforts
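A worked illustration of the opaque-predicate idea above, added here and not taken from the slides: a function P and a protected P' whose branches are guarded by always-true and always-false predicates, plus the differential check a defender runs to confirm P' still behaves like P. All function names and the arithmetic of P are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Original logic P (hypothetical function, chosen for this example). */
uint32_t scale_plain(uint32_t x) {
    return 3u * x + 7u;
}

/* Opaquely true: v*(v+1) is a product of consecutive integers, so it is
 * always even. Wraparound modulo 2^32 does not change parity. */
static bool opaque_true(uint32_t v) {
    return ((v * (v + 1u)) & 1u) == 0u;
}

/* Opaquely false: a square is 0 or 1 modulo 4, never 2. Since 4 divides
 * 2^32, this also holds after wraparound. */
static bool opaque_false(uint32_t v) {
    return ((v * v) & 3u) == 2u;
}

/* Protected P': same result as scale_plain, but every step sits behind a
 * constant-value predicate whose other branch is spurious code. */
uint32_t scale_obfuscated(uint32_t x) {
    uint32_t r;
    if (opaque_true(x)) {
        r = 3u * x;                     /* real code */
    } else {
        r = (x << 5) ^ 0x5bd1e995u;     /* dead branch: spurious code */
    }
    if (opaque_false(x ^ r)) {
        r = r * r - 13u;                /* dead branch: spurious code */
    } else {
        r += 7u;                        /* real code */
    }
    return r;
}

/* Differential check: number of inputs in [start, start+n) on which
 * P and P' disagree. A correct transformation yields 0. */
uint32_t count_mismatches(uint32_t start, uint32_t n) {
    uint32_t bad = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t x = start + i;
        if (scale_plain(x) != scale_obfuscated(x))
            bad++;
    }
    return bad;
}

int main(void) {
    printf("mismatches near 0:        %u\n",
           (unsigned)count_mismatches(0u, 100000u));
    printf("mismatches near UINT_MAX: %u\n",
           (unsigned)count_mismatches(0xFFFF0000u, 0x10000u));
    return 0;
}
```

An optimizing compiler may prove predicates this simple and delete the dead branches, so the protection has to be checked in the emitted binary rather than in the source.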
EXAMPLE: STACK TAMPERING
Alter the standard compilation scheme:
ret does not go back to the call site
• hide the real target
• return site is spurious code
EXAMPLE: VIRTUALIZATION
Turns code P into
• a proprietary bytecode program
• + a homemade VM (runtime)
• Easy to recover the VM structure
• But does not say anything about P
long secret(long x) {
……
return x;
}
[Figure: VM runtime. Labels: Bytecodes - Custom ISA, Fetching, Decoding, Dispatcher, Operator 1, Operator 2, Operator 3, Terminator]
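The virtualization scheme above, as an added example that is not code from the slides: a `secret` function compiled by hand into bytecode for a made-up stack ISA, and the small VM (fetch, decode, dispatch, operators, terminator) that runs it. The body of `secret_plain`, the opcode values and every name here are assumptions for illustration; the VM rejects malformed bytecode instead of reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Original P (hypothetical body): ((x * 3) + 7) ^ 0x55, computed on
 * unsigned long so that wraparound is well defined. */
long secret_plain(long x) {
    unsigned long u = (unsigned long)x;
    return (long)(((u * 3ul) + 7ul) ^ 0x55ul);
}

/* Custom ISA: opcode numbers are arbitrary and private to this VM. */
enum { OP_ARG = 0x3c, OP_IMM = 0xa1, OP_MUL = 0x17,
       OP_ADD = 0xe4, OP_XOR = 0x52, OP_RET = 0x9f };

/* P translated to bytecode: push arg, push 3, mul, push 7, add, ... */
static const uint8_t SECRET_BYTECODE[] = {
    OP_ARG, OP_IMM, 3, OP_MUL, OP_IMM, 7, OP_ADD, OP_IMM, 0x55, OP_XOR, OP_RET
};

#define VM_STACK_MAX 16

/* Runs bytecode on a stack machine. Returns 0 and stores the result in
 * *out on success, -1 on malformed code (unknown opcode, truncated
 * immediate, stack underflow/overflow, missing terminator). */
int vm_run(const uint8_t *code, size_t len, long arg, long *out) {
    unsigned long stack[VM_STACK_MAX];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];                 /* fetch */
        switch (op) {                            /* decode + dispatch */
        case OP_ARG:
            if (sp == VM_STACK_MAX) return -1;
            stack[sp++] = (unsigned long)arg;
            break;
        case OP_IMM:                             /* one-byte immediate */
            if (pc == len || sp == VM_STACK_MAX) return -1;
            stack[sp++] = code[pc++];
            break;
        case OP_MUL: case OP_ADD: case OP_XOR: { /* binary operators */
            if (sp < 2) return -1;
            unsigned long b = stack[--sp], a = stack[--sp];
            stack[sp++] = (op == OP_MUL) ? a * b
                        : (op == OP_ADD) ? a + b : (a ^ b);
            break;
        }
        case OP_RET:                             /* terminator */
            if (sp != 1) return -1;
            *out = (long)stack[0];
            return 0;
        default:
            return -1;
        }
    }
    return -1;                                   /* ran off the end */
}

/* Virtualized P': only the VM and the bytecode ship in the binary. */
long secret_virtualized(long x) {
    long r = 0;
    /* The bytecode is fixed, so a failure here means it was corrupted. */
    if (vm_run(SECRET_BYTECODE, sizeof SECRET_BYTECODE, x, &r) != 0)
        return 0;
    return r;
}

/* Number of inputs in [lo, hi] on which P and P' disagree. */
long count_divergences(long lo, long hi) {
    long bad = 0;
    for (long x = lo; x <= hi; x++)
        if (secret_plain(x) != secret_virtualized(x))
            bad++;
    return bad;
}

/* Returns 1 if every strict prefix of the program is rejected. */
int prefixes_rejected(void) {
    long out;
    for (size_t n = 0; n < sizeof SECRET_BYTECODE; n++)
        if (vm_run(SECRET_BYTECODE, n, 1, &out) == 0)
            return 0;
    return 1;
}

int main(void) {
    printf("secret(5) plain=%ld virtualized=%ld\n",
           secret_plain(5), secret_virtualized(5));
    printf("divergences on [-1000, 1000]: %ld\n",
           count_divergences(-1000, 1000));
    return 0;
}
```

Reading `vm_run` reveals the fetch/decode/dispatch structure immediately, yet says nothing about what `secret` computes until the bytecode itself is decoded, which is the point the slide makes.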
EXAMPLE: arithmetic encoding
EXAMPLE: dynamic obfuscation
• unpacking
• Self-modification
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
BETTER ATTACKS & DEFENSE
• Attacks (both static and dynamic)
  • Combine static & dynamic!
  • Tainting what is user-dependent! (remove all non-user-dependent protections)
  • Slicing what affects the output (remove junk)
  • Code simplification: remove unduly complex code (duplicates, etc.)
• Defense: attack the attack (program analysis is undecidable: always flaws)
  • Diffuse dependencies (fake relations: memory, branches, etc.)
  • Hide dependencies (through physical relationship)
THE ARMS RACE
• No protection → static disassembly
• Dynamic protection → dynamic analysis
• User/env-dependent dynamic protection → semantic analysis
• …
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
Properties of obfuscation? (theoretic)
Barak formalization of obfuscation
• P’ behaves like P
• P’ at most polynomial slowdown
• Black-box obfuscation: cannot get more information from P’ than through black-box (BB) access to P
• Impossible to get in general
• More recent: indistinguishability obfuscation (IO)
  • Two equivalent programs P and P’
  • Game = you get O(P) or O(P’). Try to guess which one it is
  • IO: a (polynomial) attacker cannot do better than a 50% guess
  • POSSIBLE !!!
• QUESTIONS
  • Is it the right notion?
  • Current overhead huge in practice
Properties of obfuscation? (pragmatic)
Properties of obfuscation? (pragmatic) (2)
Properties of obfuscation? (pragmatic) (3)
Properties of obfuscation? (pragmatic) (3)
Properties of obfuscation? (pragmatic) (3)
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
TIGRESS TOOL
TEST PROGRAM
EXO: Opaque expressions
EXO: flattening
EXO: flattening (2)
EXO: virtualization
EXO: virtualization (2)
EXO: arithmetic encoding
EXO: dynamic encoding
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
CONCLUSION
• Code protection is crucial
• IP protection, avoid bypassing security
• Can be argued to improve security as well (anti-hacking technique)
• Existing tools and techniques
• Yet still many open questions
• Proper formalization (goal of attacker, probabilistic setting?, stealth?)
• Distinguish between legit and illegit contexts?
• Strength, correctness
• Next: very powerful deobfuscation technique