Post on 23-Jul-2020
An overview of
control flow graph flattening
Jan Cappaert, Bart Preneel
K.U.Leuven / ESAT / SCD-COSIC
Jan Cappaert - An overview of CFG flattening 3/23 RE-TRUST workshop
Overview
• Introduction and related research
• CFG flattening
• Experiments and ideas
• Conclusions and future work
Introduction
• Software protection against
– Analysis
– Tampering
– Plagiarism
• In a “white-box attack context”
– Attacker has full privileges to the system
– System behaves as a white box (vs. black box)
Introduction
• Software analysis
– Static
• No code execution
• E.g.: disassembling, decompiling, …
– Dynamic
• Code executed
• E.g.: debugging, tracing, emulation, …
Introduction
(figure: taxonomy of software protection techniques; terms recovered from the diagram)
• Against analysis: confidentiality – secrecy – code encryption; obfuscation, split into static obfuscation (where CFG flattening sits) and dynamic obfuscation (crypto)
• Against tampering: data authenticity – integrity – code signing, software guards
Introduction
• Control flow graph (CFG)
– Nodes: basic blocks
– Edges: control transfers
• Basic blocks
– Group of statements always executed sequentially
• Control transfers
– Transfer control from one block to another
Introduction
• Why perform CFG analysis?
– Data usage depending on control flow
– Static analysis:
• Flow-insensitive: incomplete, on 1 basic block
• Flow-sensitive: more complete, over CFG
Related research
• Intra-procedural
– CFG flattening
• Inter-procedural
– Function pointers
– Branch functions
[Linn and Debray, 2003]
(figure: main transferring control to func1 and func2 through call/return edges)
CFG transformations
• CFG flattening [Wang, 2000]
– “degeneration of static program control flow”
• Control flow transformations [Collberg et al., 1997]
– Opaque predicates
– Loop/branch transformations
A control flow graph (figure)
A control flow graph - flattened (figure)
CFG flattening - steps
[Wang, 2001]
1. High-level constructs → if-then-goto
2. goto targets → dynamically determined
⇒ common flattened form
3. Further hindrance of data flow analysis
• Index computation (hard)
• Aliasing (NP-complete …)
Experiments and ideas
for (i = 0; i < 9; i ++) {
    for (j = 0; j < 9 - i; j ++) {
        if (a [j] > a [j + 1]) {
            t = a [j];
            a [j] = a [j + 1];
            a [j + 1] = t;
        }
    }
}
Experiments and ideas
int swVar = 1;
while (swVar) switch (swVar) {
    case 1 :
        i = 0;
        swVar = 2;
        break;
    case 2 :
        if (i < 9) swVar = 3;
        else swVar = 4;
        break;
    …
    case 8 :
        t = a [j];
        a [j] = a [j + 1];
        a [j + 1] = t;
        swVar = 9;
        break;
    case 9 :
        j ++;
        swVar = 5;
        break;
}
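The slides show only fragments of the flattened bubble sort. As an added example (not code from the slides), here is the whole loop nest flattened into one dispatcher: each basic block of the original CFG becomes a case, and every control transfer becomes an assignment to swVar. Cases 1, 2, 7, 8 and 9 keep the numbers the slides use; the numbering of states 3 to 6 is our own assumption.

```c
#include <stdio.h>

/* Flattened bubble sort: the switch is the only control structure left,
 * and the successor of every block is a value written into swVar. */
void flat_bubble_sort(int a[10])
{
    int i = 0, j = 0, t;
    int swVar = 1;                                       /* dispatcher state */
    while (swVar) switch (swVar) {
    case 1: i = 0;                        swVar = 2; break; /* outer init  */
    case 2: swVar = (i < 9) ? 3 : 4;                 break; /* outer test  */
    case 3: j = 0;                        swVar = 5; break; /* inner init  */
    case 4:                               swVar = 0; break; /* leave loop  */
    case 5: swVar = (j < 9 - i) ? 6 : 7;             break; /* inner test  */
    case 6: swVar = (a[j] > a[j + 1]) ? 8 : 9;       break; /* compare     */
    case 7: i++;                          swVar = 2; break; /* outer step  */
    case 8: t = a[j]; a[j] = a[j + 1]; a[j + 1] = t;
                                          swVar = 9; break; /* swap        */
    case 9: j++;                          swVar = 5; break; /* inner step  */
    }
}

/* Returns 1 if a[0..n-1] is in non-decreasing order, else 0. */
int is_sorted(const int *a, int n)
{
    for (int k = 1; k < n; k++)
        if (a[k - 1] > a[k]) return 0;
    return 1;
}

/* Runs the flattened sort on a constructed input; returns 1 on success. */
int demo_flat_sort(void)
{
    int a[10] = {9, 3, 7, 1, 8, 2, 6, 0, 5, 4};  /* constructed sample input */
    flat_bubble_sort(a);
    return is_sorted(a, 10) && a[0] == 0 && a[9] == 9;
}

int main(void)
{
    printf("flattened sort %s\n", demo_flat_sort() ? "ok" : "FAILED");
    return 0;
}
```

Note that with the constant assignments to swVar shown here, constant propagation over the cases recovers the original edges directly, which is the weakness the next slide discusses.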
A flattened CFG - attacks
• Use-def analysis: 1↔2↔[3,4]↔…
• Forward? Backward? What if
    swVar = swVar + constant;
    swVar = swVar + condition * constant;
• Constant propagation: 1→2→[3,4]→…
• Backward?
A flattened CFG - attacks
• Solution: one-way function
    e.g.: x → g^x mod p
    switch (ow(swVar)) or swVar = ow(swVar) …
• What if g changes at runtime? …
    case 1 :
        i = 0;
        swVar = swVar + 1;
        break;
(figure: dispatch through switch (swVar), with edges labelled swVar == 1 and swVar == 2)
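The two ideas of the last slides, relative updates of swVar and dispatching on a one-way function of it, combined in one added example (not code from the slides). A small array-sum loop is flattened; swVar is only ever updated by swVar += k or swVar += condition * k, and the switch is taken on ow(swVar) = g^swVar mod p, so the case labels are images under ow rather than the state numbers themselves. The toy parameters g = 3, p = 17 and the four-state numbering are our own assumptions.

```c
#include <stdio.h>

enum { G = 3, P = 17 };   /* toy generator and modulus, assumed for illustration */

/* ow(x) = G^x mod P by square-and-multiply. */
static unsigned ow(unsigned x)
{
    unsigned result = 1, base = G % P;
    for (; x; x >>= 1) {
        if (x & 1) result = result * base % P;
        base = base * base % P;
    }
    return result;
}

/* States: 1 init, 2 loop test, 3 body, 4 exit.
 * Case labels are ow(state): 3^1=3, 3^2=9, 3^3=10, 3^4=13 (mod 17). */
int flat_sum(const int *a, int n)
{
    int j = 0, sum = 0;
    int swVar = 1;
    while (swVar) switch (ow((unsigned)swVar)) {
    case 3:  /* ow(1) init      */ j = 0; sum = 0; swVar += 1;          break;
    case 9:  /* ow(2) test j<n  */ swVar += 1 + (j >= n);               break;
    case 10: /* ow(3) body      */ sum += a[j]; j++; swVar -= 1;        break;
    case 13: /* ow(4) exit      */ swVar = 0;                            break;
    }
    return sum;
}

/* Sums a constructed input through the flattened loop; returns 108. */
int demo_flat_sum(void)
{
    int a[6] = {4, 8, 15, 16, 23, 42};   /* constructed sample input */
    return flat_sum(a, 6);
}

int main(void) { printf("sum = %d\n", demo_flat_sum()); return 0; }
```

With these toy parameters the label-to-state map is trivially recoverable; the structural point is that constant propagation on swVar no longer yields the case labels without evaluating ow, which is what the slide means by hindering backward analysis.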
Additional ideas
• Relative updates of swVar
– Conditions versus opaque predicates
• One-way functions, lookup tables, hash chains, …
• Aliasing + pointer permutation blocks
• Equivalent / almost equivalent blocks
– Random / targeted conditions
• Block refactoring (splitting, merging, …)
Additional ideas
• Almost equivalent block
    – Under certain conditions
    case 9 :
        j = j + 1;
        swVar = 5;
        break;
    case 10 :
        j = j ^ 1;
        swVar = 5;
        break;
(figure: dispatch edges labelled "j odd" and "j even"; j ^ 1 equals j + 1 only when j is even, so case 10 can replace case 9 on the even path)
Additional ideas
• Block refactoring
    – Swap pointers
    – Swap data
    Original blocks:
    case 7 :
        i ++;
        swVar = …
        break;
    case 9 :
        j ++;
        swVar = …
        break;
    …
    Refactored blocks (i and j exchanged with an XOR swap):
    case 7 :
        i ^= j;
        j ^= i;
        i ^= j;
        swVar = …
        break;
    case 9 :
        j ++;
        swVar = …
        break;
    …
Conclusions
• Static CFG flattening
– Common form; no explicit control flow
– Control flow analysis requires data flow analysis
– Data flow analysis can be hard (NP-complete) under certain conditions (e.g. general pointers)
Further work
• Formalization of ideas
– One way function versus backward analysis
– Hash chains and related
– Basic block refactoring
• Implementation and performance overhead
• Interested? Talk to me: jan.cappaert@esat.kuleuven.be