making advanced software protection tools …...2015/05/19 · techniques they proposed, and s....
TRANSCRIPT
Making Advanced Software Protection Tools Usable (for Non-Experts) Bjorn De Sutter Ghent University
1st Workshop on Software Protection (SPRO) Firenze, Italy
SPRO 18/05/2015
Disclaimer
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
2
¨ I do not represent the companies in ASPIRE!
Overview
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
3
¨ ASPIRE introduction
¨ Decision support
¨ Protection evaluation framework ¤ Modeling attacks
¤ Framework for measuring attack effort
¨ Practical implementation
in a nutshell 4
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Data Hiding Algorithm Hiding Anti-Tampering Remote Attestation Renewability
SafeNet use case
Gemalto use case
Nagravision use case
Protected SafeNet use case
Protected Gemalto use case
Protected Nagravision use case
Software
Protection
Tool Flow
Man-At-The-End (MATE) Attacks
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
5
Man-At-The-End (MATE) Attacks
FPGA sampler oscilloscope
developer boards JTAG debugger
software analysis tools 6
: Advanced Software Protection: Integration, Research and Exploitation SPRO 18/05/2015
screwdrivers
Scope
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
7
¨ Native code ¤ Android platform for validation & demonstration
¨ No vulnerabilities ¤ protection against end user, not of end user
¨ Use cases ¤ Digital Rights Management ¤ One-Time Password Generation ¤ Software License Management
Nov 2014 - Oct 2016 Budget: €4.58M EU funding: €2.95M
Assets to protect
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
8 Asset category Security
Requirements Examples of threats
Private data (keys, credentials, tokens, private info)
Confidentiality Privacy Integrity
Impersonation, illegitimate authorization Leaking sensitive data Forging licenses
Public data (keys, service info) Integrity Forging licenses
Unique data (tokens, keys, used IDs)
Confidentiality Integrity
Impersonation Service disruption, illegitimate access
Global data (crypto & app bootstrap keys)
Confidentiality Integrity
Build emulators Circumvent authentication verification
Traceable data/code (Watermarks, fingerprints, traceable keys)
Non-repudiation Make identification impossible
Code (algorithms, protocols, security libraries, protections)
Confidentiality Reverse engineering
Application execution (license checks & limitations, authentication & integrity verification, protocols)
Execution correctness Integrity
Circumvent security features (DRM) Out-of-context use, violating license terms
primary assets: original software & content secondary assets: protections wide range of lifetimes
Economics of MATE attacks
engineering a.k.a. identification
exploitation
prot
ectio
n
€/day
time
9
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Economics of MATE attacks
€/day
time engineering a.k.a. identification
exploitation
protection
diversity
10
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Economics of MATE attacks
€/day
time engineering a.k.a. identification
exploitation
protection
diversity
11
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
renewability
in a nutshell 12
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Data Hiding Algorithm Hiding Anti-Tampering Remote Attestation Renewability
SafeNet use case
Gemalto use case
Nagravision use case
Protected SafeNet use case
Protected Gemalto use case
Protected Nagravision use case
Software
Protection
Tool Flow
ASPIRE Framework
Decision Support System
Software Protection Tool Chain
Objectives 13
2. So&ware protec.on techniques and integrated, plugin-‐based tool flow
1. Protected mobile services
server (trusted)
wireless/mobile network (untrusted, MITM a.ack)
mobile device (untrusted, MATE a.ack)
client-‐side app
server-‐side logic
secure channel
ASPIRE protected program
remote verifier
bytecode provider renewability protec.on
engine
hidden data renewability-‐suppor.ng virtual machine hidden algorithms
an.-‐tampering mechanisms remote aFestator
annotated source code
ASPIRE source level
protec9on
data hiding
algorithm hiding
an.-‐tampering
par.ally protected source code
standard compiler
object code
ASPIRE binary level
protec9on
remote aFesta.on
renewability
data hiding
algorithm hiding
an.-‐tampering security libraries
ASPIRE protected program
client-‐side app server-‐side logic
Objectives 14
2. So&ware protec.on techniques and integrated, plugin-‐based tool flow
annotated source code
ASPIRE source level
protec9on
data hiding
algorithm hiding
an.-‐tampering
par.ally protected source code
standard compiler
object code
ASPIRE binary level
protec9on
remote aFesta.on
renewability
data hiding
algorithm hiding
an.-‐tampering security libraries
ASPIRE protected program
client-‐side app server-‐side logic
!input!provided!by!the!user!
pla2orm!descrip5on!
annota5ons!
assets!
ASPIRE'Decision'Support'System'
ASPIRE!Knowledge!Base!
tool!chain!instruc5ons!
3. Decision Support System
-‐ aFack models & evalua.on methodology -‐ metrics to measure protec.on strength -‐ experiments on human subjects (students + researchers) -‐ public challenge
ADSS
ACTC
ADSS objectives
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
15
void decrypt_stream(Stream *s) { _Pragma("ASPIRE begin requirement(integrity)"); /* Code to decrypt data */ _Pragma("ASPIRE end"); } void decode_frame(Frame *f){ _Pragma("ASPIRE begin requirement(integrity)"); /* Code to decode a video frame */ _Pragma("ASPIRE end"); } void render_frame(Frame *f) { /* Code to render a frame */ }
From Requirements annotations… void decrypt_stream(Stream *s) { _Pragma("ASPIRE begin protection(guarded_region,label(decryption))"); /* Code to decrypt data */ _Pragma("ASPIRE end"); } void decode_frame(Frame *f){ _Pragma("ASPIRE begin protection(guard_attestator," "label(decryption_hash), regions(decryption))"); /* Code to decode a video frame */ _Pragma("ASPIRE end"); } void render_frame(Frame *f) { _Pragma("ASPIRE begin protection(guard_verifier," "attestator(decryption_hash))"); _Pragma("ASPIRE end"); /* Code to render a frame */ }
…to protection annotations
multi-objective optimization
problem
ADSS protection options
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
16
¨ Instruction set randomization & interpretation ¨ Self-debugging anti-debugging ¨ Client-server code splitting ¨ Control flow obfuscations ¨ White-box cryptography ¨ Remote attestation ¨ Data obfuscations ¨ Code mobility ¨ Code guards ¨ Diversity ¨ Renewal
which?
where?
how?
parameters? multi-objective optimization
problem
ADSS protection constraints
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
17
¨ Availability ¨ Portability
¨ Composability ¨ Rapid deployment
¨ Development cycle – integration – finalization ¨ Lifetime cycle – maintenance – backward compatibility
which?
where?
how?
parameters?
¨ Performance (multiple execution phases) ¨ Connectivity (permanent – occasional) ¨ Code size & file size (zipped?) ¨ Server bandwidth ¨ Memory footprint ¨ Server load ¨ Latency ¨ Privacy
Some remaining issues
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
18
¨ How to assess protection strenght of protections with regards to individual assets
¨ How to reduce search space of ADSS (only needed for automation!)
Evaluating the strength of software protection
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
19
¨ Four criteria (Collberg et al)
¤ Potency: confusion, complexity, manual effort
¤ Resilience: resistance against (automated) tools
¤ Stealth: identification of (components of) protections
¤ Cost
Attack Modeling: Petri Nets
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
20
¨ source code annotations describe assets & security requirements
¨ data flow analysis determines sensitive code & data
¨ Petri Net constructed from ¤ backward reasoning ¤ knowledge base ¤ user input ¤ applied protections
programs which were protected by software tamper resistant transformations they proposed is a NP-complete problem. S. Chow et al. [18] did a similar work.
B. Evaluation based on Attack Researches in this group measure or proof the effectiveness
of protection techniques from the view of attack.
M. Ceccato et al. [9] proposed two manual experiments to empirically measure the effectiveness of identifier renaming, which is an instance of layout obfuscation. I. Sutherland et al. [10] did a similar work, but focused on the reverse engineering process for binary code. Both M. Ceccato and I. Sutherland analyzed factors affecting attack process, for example, attacker’s ability, but none specific metric was proposed.
As well as manually assessment, several anti-protection technologies were used too. C. Linn and S. Debray[19] used three different disassemblers to evaluate the code obfuscation techniques they proposed, and S. Udupa[11] proposed deobfuscation approaches to evaluate control flow flattening obfuscation. J. Hamilton and S. Danicic [22] evaluated Java static watermarking algorithms by obfuscating, which can be treated as a technique for distortive attacks. Except theoretical analysis, C. Wang et al. [17] also proved the effectiveness of the transformation they proposed with a control-flow analysis tool.
Technically, the evaluation approach in this paper belongs to the second group, but acts differently: firstly, we believe all software (a program which is made up of a sequence of code) are the same to attackers, therefore, the approach we proposed does not aim at a specific protection technology; secondly, we propose a metric and a method for counting the metric; thirdly, rather than doing manual attacks or developing specific attack tools, we use an attack model to describe software attacks. Note that H. Goto et al. [21] applied parse tree to evaluate the difficulty of reading tamper-resistant software, however, instead of attacks, they used the model to describe software.
III. ATTACK MODELING BASED ON PETRI NET Attack model has been widely used in information security.
Most time it focuses on how to document attacks in a structured and reusable form [12]. J. Steffan and M. Schumacher [13] compared attack models with programming guidelines, pattern languages, evaluation criteria, and vulnerability databases, and proved that attack model to be the most suitable way to support discovery and avoidance of security vulnerabilities.
In this section, we make a list of the key information included in one software attack process, define the attack model based on Marked Petri Net, and instantiate Token in it.
A. Key Information in Software Attack [13] listed six types of information contained in an informal
attack description. Based on this list, we made a new list for software attack description. (Fig. 1, Table I).
Software Attack
Goal
Method 1
Method 2……
State 1State 2
……
Technique
Sub-goal
ActionPrecondition
Influence
Figure 1. Key information and their relationship
TABLE I. KEY INFORMATION IN ONE SOFTWARE ATTACK PROCESS
Name Meaning
Goal Goal is the purpose of one software attack process, and normally stands for getting or modifying assets contained in software.
Method A Method stands for one possible way to achieve Goal. Usually, more than one Method will be included in one software attack process.
State The sequence of States stands for the detailed process of software attack. Sometimes, State can be treated as step in software attack process.
Technique Technique stands for the attack technique which may be used in the software attack process.
Sub-goal A Sub-goal stands for the goal of a attack technique.
Action Action is the dynamic information in software attack, and stands for performing an attack technique.
Precondition Precondition is the condition of performing an attack technique.
Influence Influence is the consequence of performing an attack technique.
“What’s the condition of attack?”, “If attack can be executed or not?”, and “What will happen after the execution?” are some of the essential questions in the effectiveness evaluation of software protection. Thus, precondition, action, and influence are important elements needing to be described.
One of the most popular attack models is Attack Tree [14]. It is a tree structure to describe the security of systems, with the Goal as the root node and different Methods as leaf nodes. State and Sub-goal are the other nodes in the tree, and there are two kinds of interdependencies of States: AND node and OR node [14]. But Attack Tree cannot describe Precondition, Action, and Influence precisely.
In this paper, we prefer Petri Net (C. A. Petri, 1962), which is a net-like graph and carries more information than Attack Tree.
B. Software Attack Model based on Marked Petri Net Petri Net describes four aspects of a system: states, events,
conditions, and the relationships among them. When condition was satisfied, related event would occur; the occurrence of event would change the states in the system and cause some other conditions to be satisfied [15]. A basic Petri Net is a tuple PN= (P, T, F) where:
x P is a finite set of states, represented by circles.
x T is a finite set of events, represented by rectangles.
x F⊆ {T×P}∪{P×T} , is a multiset of directed arcs.
x P∪T≠Ø, P∩T=Ø.
Fig. 2 is an example of Petri Net. P={p0, p1, p2, p3, p4}is a set of states, T={t0, t1, t2, t3, t4, t5} is a set of events, p0 is input of t0, and p1 is output of t0; at the same time, t0 is the output of p0, and the input of p1. Besides, p0’s next Place is p1.
0p 1p
2p
3p 4p0t
1t
2t 5t
4t
Figure 2. Example of Petri Net
P, T, F are static properties of Petri Net, and fit well with Goal, State, Technique, Sub-goal, and Method in Table I. If we treat Fig. 2 as a process of software attack, then the key
final goal
sub-goal
attack steps
start of the attack
to evaluate protection strength ~ to determine required effort per attack step
(Δ) ATTACK STEP COMPLEXITY
Attack Effort
ACTIONS composition
global vs local
SUBJECT experience capabilities
learning effect
SUB-GOAL assets & threats
attack path
OBJECT form (traces, graphs)
instantiation level of abstraction applied protections
relevant code
MEANS tools, techniques,
abstract vs concrete sound vs unsound static vs dynamic
21
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Unified Evaluation Framework
Wi Mi∑
22
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
ACTIONS composition
global vs local
SUBJECT experience capabilities
learning effect
SUB-GOAL assets & threats
attack path
OBJECT form (traces, graphs)
instantiation level of abstraction applied protections
relevant code
MEANS tools, techniques,
abstract vs concrete sound vs unsound static vs dynamic
Cyclomatic number (McCabe, 1976)
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
23
310 IEEE TRANSACTIONS ON SOFTWARE EN(
NTCT= (NCHARS+ 7 ) "NWORDSLTOT= (NCHARS+ 5) *NWORDS
******:* BLOCK NO. 1 ********************IF(LTOT,GT,2048) GO TO 900
****** BLOCK NO. 2 ***************************CALL READB(ICHANT,EMORY,LTOT,NREAD,$99 0,$9S0).LIN=OLU= NCHARS *NWORDS+ LMLV=NWORDS+ LULW=NWORDS+ LVLX=NWORDS+ LWLY-NWORDS+ LXLQ=NWORDS+ LYLWEX=NWORDS+LQ
BLOCK NO. 3700 I=,NWORD0************************** 2 V(G) =2
MEMORY(LWEX+I)=(MEMORY(LW+I),OR,(MEMORY(LW+I)*2))700 CONTINUE
******** BLOCK NO. 4 *************************CALL EXTEXT(ITRANS)STOP
********BLOCK NO. 5 ***************************900 TYPE 3,LTOT3 FORNAT(STRUCTURE TOO LARGE FOR CORE; ',18,' WORDS'
t SEE COOPER /)STOP
********BLOCK NO. 6 ************************** 2990 TYPE $4 FORMAT(' READ ERROR, OR STRUCTURE FILE- ERROR; J
' SEE COOPER I)STOPEND
V(G)=3
CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 011 0 0 0 0
2 O O O O O 1 O032 O 1 0 0 0
4 0 0 0 1 1 0 0
5 0 0 0 0 016 0 0 0 0 0 0 1
7 0 000000 1 6 5
.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL CYCLOMATIC COMPLEXITY = V(G) =
CLOSURE OF CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 0 1 1 1 1 1 1
2 0 0 0 0 0 1 1
3 0 0 0 1 1 1 1
4 0 0 0 1 1 1 1 7
5 0 0 0 0 0 1 1
6 0 0 0 0 0 0 1
7 0000000 8
,END
V(G)=6
At this point a few of the control graphs that were found inlive programs will be presented. The actual control graphsfrom FLOW appear on a DATA DISK CRT but they are handdrawn here for purposes of illustration. The graphs are pre-sented in increasing order of complexity in order to suggestthe correlation between the complexity numbers and our in-tuitive notion of control flow complexity.
GINEERING, DECEMBER 1976
310 IEEE TRANSACTIONS ON SOFTWARE EN(
NTCT= (NCHARS+ 7 ) "NWORDSLTOT= (NCHARS+ 5) *NWORDS
******:* BLOCK NO. 1 ********************IF(LTOT,GT,2048) GO TO 900
****** BLOCK NO. 2 ***************************CALL READB(ICHANT,EMORY,LTOT,NREAD,$99 0,$9S0).LIN=OLU= NCHARS *NWORDS+ LMLV=NWORDS+ LULW=NWORDS+ LVLX=NWORDS+ LWLY-NWORDS+ LXLQ=NWORDS+ LYLWEX=NWORDS+LQ
BLOCK NO. 3700 I=,NWORD0************************** 2 V(G) =2
MEMORY(LWEX+I)=(MEMORY(LW+I),OR,(MEMORY(LW+I)*2))700 CONTINUE
******** BLOCK NO. 4 *************************CALL EXTEXT(ITRANS)STOP
********BLOCK NO. 5 ***************************900 TYPE 3,LTOT3 FORNAT(STRUCTURE TOO LARGE FOR CORE; ',18,' WORDS'
t SEE COOPER /)STOP
********BLOCK NO. 6 ************************** 2990 TYPE $4 FORMAT(' READ ERROR, OR STRUCTURE FILE- ERROR; J
' SEE COOPER I)STOPEND
V(G)=3
CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 011 0 0 0 0
2 O O O O O 1 O032 O 1 0 0 0
4 0 0 0 1 1 0 0
5 0 0 0 0 016 0 0 0 0 0 0 1
7 0 000000 1 6 5
.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL CYCLOMATIC COMPLEXITY = V(G) =
CLOSURE OF CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 0 1 1 1 1 1 1
2 0 0 0 0 0 1 1
3 0 0 0 1 1 1 1
4 0 0 0 1 1 1 1 7
5 0 0 0 0 0 1 1
6 0 0 0 0 0 0 1
7 0000000 8
,END
V(G)=6
At this point a few of the control graphs that were found inlive programs will be presented. The actual control graphsfrom FLOW appear on a DATA DISK CRT but they are handdrawn here for purposes of illustration. The graphs are pre-sented in increasing order of complexity in order to suggestthe correlation between the complexity numbers and our in-tuitive notion of control flow complexity.
GINEERING, DECEMBER 1976
310 IEEE TRANSACTIONS ON SOFTWARE EN(
NTCT= (NCHARS+ 7 ) "NWORDSLTOT= (NCHARS+ 5) *NWORDS
******:* BLOCK NO. 1 ********************IF(LTOT,GT,2048) GO TO 900
****** BLOCK NO. 2 ***************************CALL READB(ICHANT,EMORY,LTOT,NREAD,$99 0,$9S0).LIN=OLU= NCHARS *NWORDS+ LMLV=NWORDS+ LULW=NWORDS+ LVLX=NWORDS+ LWLY-NWORDS+ LXLQ=NWORDS+ LYLWEX=NWORDS+LQ
BLOCK NO. 3700 I=,NWORD0************************** 2 V(G) =2
MEMORY(LWEX+I)=(MEMORY(LW+I),OR,(MEMORY(LW+I)*2))700 CONTINUE
******** BLOCK NO. 4 *************************CALL EXTEXT(ITRANS)STOP
********BLOCK NO. 5 ***************************900 TYPE 3,LTOT3 FORNAT(STRUCTURE TOO LARGE FOR CORE; ',18,' WORDS'
t SEE COOPER /)STOP
********BLOCK NO. 6 ************************** 2990 TYPE $4 FORMAT(' READ ERROR, OR STRUCTURE FILE- ERROR; J
' SEE COOPER I)STOPEND
V(G)=3
CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 011 0 0 0 0
2 O O O O O 1 O032 O 1 0 0 0
4 0 0 0 1 1 0 0
5 0 0 0 0 016 0 0 0 0 0 0 1
7 0 000000 1 6 5
.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL CYCLOMATIC COMPLEXITY = V(G) =
CLOSURE OF CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 0 1 1 1 1 1 1
2 0 0 0 0 0 1 1
3 0 0 0 1 1 1 1
4 0 0 0 1 1 1 1 7
5 0 0 0 0 0 1 1
6 0 0 0 0 0 0 1
7 0000000 8
,END
V(G)=6
At this point a few of the control graphs that were found inlive programs will be presented. The actual control graphsfrom FLOW appear on a DATA DISK CRT but they are handdrawn here for purposes of illustration. The graphs are pre-sented in increasing order of complexity in order to suggestthe correlation between the complexity numbers and our in-tuitive notion of control flow complexity.
GINEERING, DECEMBER 1976
V(cfg) = #edges − #nodes + 2
Unified Evaluation Framework
Wi Mi∑
24
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
ACTIONS composition
global vs local
SUBJECT experience capabilities
learning effect
SUB-GOAL assets & threats
attack path
OBJECT form (traces, graphs)
instantiation level of abstraction applied protections
relevant code
MEANS tools, techniques,
abstract vs concrete sound vs unsound static vs dynamic
Mi = cj∑
310 IEEE TRANSACTIONS ON SOFTWARE EN(
NTCT= (NCHARS+ 7 ) "NWORDSLTOT= (NCHARS+ 5) *NWORDS
******:* BLOCK NO. 1 ********************IF(LTOT,GT,2048) GO TO 900
****** BLOCK NO. 2 ***************************CALL READB(ICHANT,EMORY,LTOT,NREAD,$99 0,$9S0).LIN=OLU= NCHARS *NWORDS+ LMLV=NWORDS+ LULW=NWORDS+ LVLX=NWORDS+ LWLY-NWORDS+ LXLQ=NWORDS+ LYLWEX=NWORDS+LQ
BLOCK NO. 3700 I=,NWORD0************************** 2 V(G) =2
MEMORY(LWEX+I)=(MEMORY(LW+I),OR,(MEMORY(LW+I)*2))700 CONTINUE
******** BLOCK NO. 4 *************************CALL EXTEXT(ITRANS)STOP
********BLOCK NO. 5 ***************************900 TYPE 3,LTOT3 FORNAT(STRUCTURE TOO LARGE FOR CORE; ',18,' WORDS'
t SEE COOPER /)STOP
********BLOCK NO. 6 ************************** 2990 TYPE $4 FORMAT(' READ ERROR, OR STRUCTURE FILE- ERROR; J
' SEE COOPER I)STOPEND
V(G)=3
CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 011 0 0 0 0
2 O O O O O 1 O032 O 1 0 0 0
4 0 0 0 1 1 0 0
5 0 0 0 0 016 0 0 0 0 0 0 1
7 0 000000 1 6 5
.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL.DL CYCLOMATIC COMPLEXITY = V(G) =
CLOSURE OF CONNECTIVITY MATRIX
1 2 3 4 5 6 7
1 0 1 1 1 1 1 1
2 0 0 0 0 0 1 1
3 0 0 0 1 1 1 1
4 0 0 0 1 1 1 1 7
5 0 0 0 0 0 1 1
6 0 0 0 0 0 0 1
7 0000000 8
,END
V(G)=6
At this point a few of the control graphs that were found inlive programs will be presented. The actual control graphsfrom FLOW appear on a DATA DISK CRT but they are handdrawn here for purposes of illustration. The graphs are pre-sented in increasing order of complexity in order to suggestthe correlation between the complexity numbers and our in-tuitive notion of control flow complexity.
GINEERING, DECEMBER 1976
Unified Evaluation Framework
Wi Mi∑
25
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
Mi = wj cj∑
depend on - semantic relevance - (dynamic) variability - security relevance - state in Petri Net
depend on - protections - static variability - stealth
V(cfg) = #edges − #nodes + 2
Understanding programs that don't want to be understood (Debray et al, 2014)
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
26
unpa
ck
unpa
ck
output
output
input
input
instructions “tainted” as propagating values from input to output
execution trace input-to-output computation (further simplified)
used
to c
onst
ruct
con
trol f
low
gra
ph
Modelling Resilience in a Petri Net
original obfuscated deobfuscated
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
27
Debray et al
- trace collected - quasi-invariants exploited - semantic relevance exploited
General Applicability
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
28
¨ Obfuscations ¤ no change to program semantics ¤ only (local) changes to syntax (seemingly more complex) ¤ some hide relation syntax – semantics ¤ attackers try to remove additional syntactical complexity
¨ Anti-debugging, anti-tampering, remote attestation
¤ aditional semantics: n depends on syntax and environment n more input/output
¤ attackers try to get rid of additional semantics
ADSS Implementation
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
29
Generate combinations
Evaluate combinations
Identify the best one
instruct the ACTC
Practical implementation?
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
30
¨ Instruction set randomization & interpretation ¨ Self-debugging anti-debugging ¨ Client-server code splitting ¨ Control flow obfuscations ¨ White-box cryptography ¨ Remote attestation ¨ Data obfuscations ¨ Code mobility ¨ Code guards ¨ Diversity ¨ Renewal
which?
where?
how?
parameters? multi-objective optimization
problem
ADSS Implementation
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
31
Generate combinations
Evaluate combinations
Identify the best one
instruct the ACTC
ACTC
source-level tool 1
source-level tool 2
source-level tool 3
llvm / gcc / ld
binary-level tool 1
binary-level tool 2
binary-level tool 3
ADSS Implementation
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
32
Generate combinations
Evaluate combinations
Identify the best one
instruct the ACTC
source-level tool 1
source-level tool 2
source-level tool 3
binary-level tool 1
binary-level tool 2
binary-level tool 3
ADSS Implementation
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
33
Generate combinations
Evaluate combinations
Identify the best one
instruct the ACTC
source-level tool 1
¨ Level 0: ¤ Region 1:
n M1=1010 n M2=934 n M3=24
¨ Level 1: ¤ Region 1:
n M1=1600 n M2=934 n M3=25
¨ Level 2: ¤ Region 1:
n M1=1800 n M2=934 n M3=28
Status – Open problems
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
34
¨ ADSS ¤ components are being implemented
¨ ACTC ¤ continuous integration
¨ Open problems ¤ computing the metrics is not simple (traces) ¤ how to measure missing code"?
Grant Agreement No 609734
SPRO 18/05/2015 : Advanced Software Protection: Integration, Research and Exploitation
35
The project has received funding from the European Union Seventh Framework Programme
(FP7/2007-2013) under grant agreement number 609734.
If you need further information, please contact the coordinator: Bjorn De Sutter, Ghent University
Sint-Pietersnieuwstraat 41, 9000 Gent, Belgium Tel: +32 9 264 33 67 Fax: +32 9 264 35 94
Email: [email protected] Website: https://www.aspire-fp7.eu
The information in this document is provided “as is”, and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.