Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Code-level Cyber-Security:
MATE, attack & defense
Sébastien Bardin (CEA LIST)
Richard Bonichon (CEA LIST)
(heavily inspired by C. Collberg and B. De Sutter)
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
| 3Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OUTLINE
• Context: MATE attacks
• Scenario
• Examples
• Ideas for defense
• What matters
| 4Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
CLASSIFICATION OF ATTACKS (1)
MITM: Man-In-The-Middle
Attacker is on the network
• Observe messages
• Forge messages
Realm of cryptos
| 5Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
CLASSIFICATION OF ATTACKS (2)
« Man-Beyond-The-Door »
Attacker has limited access
• Try to escalate
• Forge specially crafted files/queries
Realm of program analysis
| 6Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
CLASSIFICATION OF ATTACKS (3) *** topic of the day ***
MATE: Man-At-The-End
Attacker is on the computer
• R/W the code
• Execute step by step
• Patch on-the-fly
Realm of program analysis?
White-box crypto?
| 7Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
MAN AT THE END
| 8Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Examples
| 9Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
WHAT FOR?
| 10Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
FACT: SOFTWARE IS JUST DATA
• You can execute it
• But you may prefer to:
• Read it <reverse legacy code … or steal crypto keys>
• Modify it <patch a bug … or bypass a security check>
Code & Data protection (obfuscation)
Code & Data attack (MATE)
| 11Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
NOT SO HARD FOR EXPERTS
| 12Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
HOW TO? Look at the code
| 13Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
HOW TO? Trick (tamper) the code
| 14Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
CODE TAMPERING
/* The slide's pseudo-code, written as C */
bool check(void) {
    const char *buff   = getInput();      /* the user's 4-byte attempt */
    const char *secret = getPassword();   /* the expected 4-byte secret */
    for (int i = 0; i < 4; i++) {
        if (buff[i] != secret[i])
            return false;                 /* tamper target: patch this branch and every input passes */
    }
    return true;
}
| 15Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
About the attacker
• Malicious user
• Malicious insider
• Malicious outsider, got in through exploit
• Malware
| 16Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Question
| 17Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
(Tools vs counter-tools)*
• Attacker
• Static: control-flow graph, disassembly, decompilation, tainting, slicing, etc.
• Dynamic: debugging, emulation
• Defender
• Obfuscation // vs static
• Anti-tampering // vs dynamic
• Attacker
• Better static / dynamic, hybrid, semantic
• Defender
• Better anti-better …
Raise the bar
| 18Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
What matters?
| 19Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Perfs? Depend on context
| 20Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Perfs for math-proven obfuscation. Not yet …
| 21Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Time to crack!
Context matters
How long for cracking?
• 5 min (VOD)
• 2 weeks (video game)
• 1 year
• No limit
How much overhead is affordable?
| 22Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OBFUSCATION
Transform P into P’ such that
• P’ behaves like P
• P’ roughly as efficient as P
• P’ is very hard to understand
State of the art
• No usable math-proven solution
• Useful ad hoc solutions (strength?)
| 23Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
DEOBFUSCATION
• Ideally, get P back from P’
• Or, get close enough
• Or, help understand P
| 24Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
WHY WORKING ON DEOBFUSCATION? <in an ethical manner>
• Software protection
• Assess the power of current obfuscation schemes
• Special case: white-box crypto <hide keys>
• Malware analysis
• Comprehension: help to understand the malware <goal, functions, weaknesses>
• Detection: remove the protection layer
| 25Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of obfuscation (1)
| 26Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of obfuscation (2)
| 27Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of obfuscation (3)
| 28Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of obfuscation (4)
| 29Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of obfuscation (5)
| 30Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Example of tamper-proofing
| 31Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Question
• Tamper-proof and obfuscation
• Link?
• Use both or not?
| 32Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
| 33Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Static vs dynamic
| 34Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Static
| 35Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Control-flow analysis
| 36Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Control-flow analysis (2)
| 37Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Disassembly
Hard task – basic methods:
• Linear sweep
• Recursive traversal
• + heuristics
| 38Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Disassembly
| 39Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Dynamic
| 40Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OUTLINE
• Context: MATE attacks
• Basic attacks
• Basic defense
• Better attacks & better defense
• Step back: what matters?
• Tool: Tigress
• Conclusion
| 41Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OUTLINE
• Basic defense
• Obfuscation
• Anti-tampering
| 42Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
OVERVIEW
• Obfuscation
• Opaque expressions
• Opaque predicates
• Stack tampering
• Strange asm code
• CFG flattening
• Virtualization
• Anti-tampering
• Redundant checks, hash functions
• Anti-debug, anti-emulation
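The two sides of the CODE TAMPERING slide and of the "redundant checks, hash functions" bullet above, in one runnable program. This is an added example written for this page, not code from the course or from Tigress: the 4-byte secret, the 6-byte patch stub and the hash guard are constructed here. The in-memory patch (the MATE "patch on-the-fly" step) assumes x86-64 Linux with user-space IBT not enforced; on any other platform the patch is skipped and the program reports that nothing changed.

```c
/* mate_tamper_demo.c : the slide's password check, a MATE patch of it, and a
   hash-based anti-tampering guard. Added example for this page; the secret,
   the stub bytes and the guard are constructed, not taken from the course. */
#define _GNU_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CODE_ADDR(f) ((void *)(uintptr_t)(f))   /* function -> byte address */

static const char SECRET[4] = {'s', '3', 'c', 'r'};   /* stand-in for getPassword() */

/* Unprotected check from the slide: bail out at the first mismatching byte.
   The conditional return inside the loop is exactly what an attacker patches. */
static bool check_password(const char guess[4]) {
    for (int i = 0; i < 4; i++)
        if (guess[i] != SECRET[i])
            return false;
    return true;
}

/* Call through a volatile pointer so the compiler can neither inline the check
   nor fold the result: the call must really reach the (possibly patched) code. */
bool run_check(const char guess[4]) {
    bool (*volatile fn)(const char *) = check_password;
    return fn(guess);
}

/* Anti-tampering guard: FNV-1a over the first n bytes of a function's code.
   Real protections hide the reference value and the check itself far better;
   here the point is only that a patch is observable from inside the program. */
uint64_t code_hash(const void *code, size_t n) {
    const uint8_t *p = code;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* MATE "patch on-the-fly": make the code page writable and replace the function
   prologue with  mov eax,1 ; ret  so every password is accepted. x86-64 Linux
   only; returns false (nothing changed) elsewhere or if the kernel refuses RWX. */
bool patch_always_true(void *fn) {
#if defined(__x86_64__) && defined(__linux__)
    static const uint8_t stub[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3};
    uintptr_t psz = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)fn & ~(psz - 1);
    uintptr_t end = ((uintptr_t)fn + sizeof stub + psz - 1) & ~(psz - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return false;
    memcpy(fn, stub, sizeof stub);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return true;
#else
    (void)fn;
    return false;
#endif
}

/* Returns 0 if the platform did not let us patch (check still behaves),
           1 if the patch took effect and the hash guard flagged it,
           2 if the patch took effect but the guard missed it (should not happen). */
int tamper_demo(void) {
    const size_t n = 8;                        /* covers the bytes the stub overwrites */
    uint64_t h0 = code_hash(CODE_ADDR(check_password), n);

    if (!patch_always_true(CODE_ADDR(check_password)))
        return run_check("xxxx") ? 2 : 0;

    bool wrong_accepted = run_check("xxxx");   /* tampered: now accepted */
    bool detected = code_hash(CODE_ADDR(check_password), n) != h0;
    return (wrong_accepted && detected) ? 1 : 2;
}

int main(void) {
    printf("before: \"s3cr\" -> %d, \"xxxx\" -> %d\n", run_check("s3cr"), run_check("xxxx"));
    printf("tamper_demo -> %d\n", tamper_demo());
    return 0;
}
```

Build with `cc -O2 mate_tamper_demo.c -o mate_tamper_demo`. The attacker side here is the honest version of what a debugger or a hex editor does; the defender side shows why the course lists hashing under anti-tampering, and also its limit: the guard is itself code the attacker can read and patch, which is what the "better attacks & better defense" section is about.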
| 43Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: OPAQUE EXPRESSION
| 44Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: OPAQUE EXPRESSION (2)
| 45Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: OPAQUE EXPRESSION (3)
| 46Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: OPAQUE EXPRESSION (4)
| 47Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: Control-flow flattening
| 48Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: OPAQUE PREDICATE
Constant-value predicates
(always true, always false)
• dead branch points to spurious code
• goal = waste the reverser's time and effort
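Two constant-value predicates of the kind described above, a function protected with them, and the dynamic attack a reverser runs against them. This is an added example written for this page, not code from the course or from Tigress: the predicates, the protected function and the sampling attack are all constructed here, and the constant verdict the sampler returns is evidence, not proof (proving constancy needs static reasoning, e.g. an SMT solver). A good compiler may even fold arithmetic this simple, which is one reason real obfuscators use less transparent constructions.

```c
/* opaque_predicates.c : always-true / always-false predicates hiding dead
   code, and the branch-profiling attack that exposes them. Added example for
   this page; predicates and sampler are constructed, not from the course. */
#include <stdint.h>
#include <stdio.h>

/* Always true: x*(x+1) is a product of two consecutive integers, hence even,
   and reduction modulo 2^32 preserves parity. */
int opaque_true(uint32_t x) { return ((x * (x + 1)) & 1u) == 0; }

/* Always false: squares are 0 or 1 modulo 4, and the low two bits of x*x
   modulo 2^32 are the low two bits of x*x over the integers. */
int opaque_false(uint32_t x) { return ((x * x) & 3u) == 2; }

/* A genuine, input-dependent branch, for contrast. */
int real_predicate(uint32_t x) { return x > 1000; }

/* The protected function: the dead branches hold spurious code the reverser
   must examine and rule out. */
uint32_t protected_f(uint32_t x) {
    uint32_t r = x;
    if (opaque_true(x))              /* live branch */
        r = r * 2654435761u + 17;
    else                             /* dead: spurious code */
        r = (r ^ 0xdeadbeefu) - 42;
    if (opaque_false(x))             /* dead: spurious code */
        r = r >> 3;
    return r;
}

/* The same function once the opaque predicates have been removed. */
uint32_t deobfuscated_f(uint32_t x) { return x * 2654435761u + 17; }

/* Dynamic attack: evaluate a predicate on many inputs and watch whether the
   outcome ever changes. Returns 1 (true on every sample), 0 (false on every
   sample) or -1 (both outcomes seen: a real branch). Corner cases first,
   then a deterministic 64-bit LCG so runs are reproducible. */
int classify_predicate(int (*pred)(uint32_t), unsigned n_samples) {
    static const uint32_t corners[] = {0u, 1u, 0xFFFFFFFFu, 0x80000000u};
    uint64_t seed = 0x2545F4914F6CDD1DULL;
    int seen_true = 0, seen_false = 0;
    for (unsigned i = 0; i < n_samples; i++) {
        seed = seed * 6364136223846793005ULL + 1442695040888963407ULL;
        uint32_t x = (i < 4) ? corners[i] : (uint32_t)(seed >> 32);
        if (pred(x)) seen_true = 1; else seen_false = 1;
        if (seen_true && seen_false) return -1;
    }
    return seen_true ? 1 : 0;
}

int main(void) {
    printf("opaque_true    -> %d\n", classify_predicate(opaque_true, 100000));
    printf("opaque_false   -> %d\n", classify_predicate(opaque_false, 100000));
    printf("real_predicate -> %d\n", classify_predicate(real_predicate, 100000));
    printf("protected_f(7) = %u, deobfuscated_f(7) = %u\n", protected_f(7), deobfuscated_f(7));
    return 0;
}
```

A branch whose outcome never varies under sampling is the candidate the reverser cuts out, together with the code only reachable through it; that is the "slicing what affects the output" step listed later in the course. The caveat cuts both ways: a predicate that depends on rarely hit input (a single magic value) would look constant to this attack, which is why the strong versions of this technique are input-dependent.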
| 49Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: STACK TAMPERING
Alter the standard compilation scheme:
ret do not go back to call
• hide the real target
• return site is spurious code
| 50Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: VIRTUALIZATION
Turns code P into
• a proprietary bytecode program
• + a homemade VM (runtime)
• Easy to recover the VM structure
• But does not say anything about P
long secret(long x) {
……
return x;
}
Bytecodes - Custom ISA
Fetching
Decoding
Dispatcher
Operator 2
Terminator
Operator 3Operator 1
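The structure in the figure above, made concrete. This is an added example written for this page, not code from the course or from Tigress: the body of `secret`, the stack-machine ISA, the opcode numbering and the bytecode are all constructed here. It shows what the reverser recovers easily (the fetch/decode/dispatch loop) and what they do not (P, which survives only as the byte string).

```c
/* vm_obfuscation.c : the shape of "virtualization" obfuscation. Added example
   for this page; the program P, the ISA and the bytecode are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* P, the function the defender wants to hide (constructed stand-in body). */
long secret(long x) { return (x * 3 + 7) ^ 0x55; }

/* Custom ISA: a tiny stack machine. Opcode values are arbitrary; a real
   virtualizer picks fresh ones per build so handlers cannot be recognised
   across binaries. */
enum { OP_ARG = 0x9A, OP_IMM = 0x3C, OP_MUL = 0x71, OP_ADD = 0xE5, OP_XOR = 0x08, OP_RET = 0xD2 };

/* P compiled to bytecode: ((x * 3) + 7) ^ 0x55. Only this byte string and the
   VM below survive in the protected binary. */
const uint8_t SECRET_BYTECODE[] = {
    OP_ARG,          /* push x          */
    OP_IMM, 3,       /* push 3          */
    OP_MUL,          /* x*3             */
    OP_IMM, 7,       /* push 7          */
    OP_ADD,          /* x*3+7           */
    OP_IMM, 0x55,    /* push 0x55       */
    OP_XOR,          /* (x*3+7)^0x55    */
    OP_RET,          /* terminator      */
};
const size_t SECRET_BYTECODE_LEN = sizeof SECRET_BYTECODE;

/* The homemade VM: fetch, decode, dispatch to an operator handler, repeat
   until the terminator. Sets *ok = 0 and returns 0 on a malformed program
   (unknown opcode, stack misuse, truncated immediate, missing RET). */
long vm_run(const uint8_t *code, size_t len, long arg, int *ok) {
    long stack[16];
    size_t sp = 0, pc = 0;
    *ok = 0;
    while (pc < len) {
        uint8_t op = code[pc++];                 /* fetch */
        switch (op) {                            /* decode + dispatch */
        case OP_ARG:
            if (sp >= 16) return 0;
            stack[sp++] = arg;
            break;
        case OP_IMM:                             /* 1-byte unsigned immediate */
            if (pc >= len || sp >= 16) return 0;
            stack[sp++] = code[pc++];
            break;
        case OP_MUL: case OP_ADD: case OP_XOR: { /* binary operators */
            if (sp < 2) return 0;
            long b = stack[--sp], a = stack[--sp];
            stack[sp++] = (op == OP_MUL) ? a * b : (op == OP_ADD) ? a + b : a ^ b;
            break;
        }
        case OP_RET:                             /* terminator */
            if (sp != 1) return 0;
            *ok = 1;
            return stack[0];
        default:
            return 0;                            /* unknown opcode */
        }
    }
    return 0;                                    /* fell off the end without RET */
}

/* Check that the virtualized program computes the same function as P. */
int vm_matches_secret(void) {
    const long samples[] = {0, 1, -1, 42, 123456789L, -98765432L};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok;
        long r = vm_run(SECRET_BYTECODE, SECRET_BYTECODE_LEN, samples[i], &ok);
        if (!ok || r != secret(samples[i])) return 0;
    }
    return 1;
}

int main(void) {
    int ok;
    printf("secret(42) = %ld, vm(42) = %ld\n", secret(42),
           vm_run(SECRET_BYTECODE, SECRET_BYTECODE_LEN, 42, &ok));
    printf("equivalent on samples: %s\n", vm_matches_secret() ? "yes" : "no");
    return 0;
}
```

Attacking this means recovering the handler semantics and the opcode table, then lifting the bytecode back to the operations it encodes; the dispatcher itself is the easy part, as the slide says. The dynamic attacks of the next section (taint the bytecode bytes that depend on the input, slice what reaches the returned value) are exactly how that lifting is done in practice.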
| 51Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: arithmetic encoding
| 52Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
EXAMPLE: dynamic obfuscation
• unpacking
• Self-modification
| 53Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
BETTER ATTACKS & DEFENSE
• Attacks (both static and dynamic)
• Combine static & dynamic!
• Taint what is user-dependent! (remove every protection that does not depend on user input)
• Slice what affects the output (remove junk)
• Code simplification: remove unduly complex code (duplicates, etc.)
• Defense: attack the attack (program analysis is undecidable: there are always flaws)
• Diffuse dependencies (fake relations: memory, branches, etc.)
• Hide dependencies (through physical relationships)
| 55Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
THE ARM RACE
• No protection static disassembly
• Dynamic protection dynamic analysis
• User/env-dependent dynamic protection semantic analysis
• …
| 56Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (theoretic)
Barak et al.'s formalization of obfuscation
• P’ behaves like P
• P’ has at most polynomial slowdown
• Virtual black-box obfuscation: one cannot get more information from P’ than through black-box access to P
• Impossible to achieve in general
• More recent: indistinguishability obfuscation (iO)
• Two functionally equivalent programs P1 and P2 (of the same size)
• Game = you get O(P1) or O(P2); try to guess which one it is
• iO: a (polynomial) attacker cannot do better than a 50% guess
• POSSIBLE !!! (candidate constructions exist)
• QUESTIONS
• Is it the right notion?
• Current overhead huge in practice
| 58Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (pragmatic)
| 59Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (pragmatic) (2)
| 60Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (pragmatic) (3)
| 61Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (pragmatic) (3)
| 62Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
Properties of obfuscation? (pragmatic) (3)
| 63Sébastien Bardin -- ENSTA Course 2017-2018 -- MATE attack
TIGRESS TOOL
TEST PROGRAM
EXERCISE: Opaque expressions
EXERCISE: flattening
EXERCISE: flattening (2)
EXERCISE: virtualization
EXERCISE: virtualization (2)
EXERCISE: arithmetic encoding
EXERCISE: dynamic encoding
CONCLUSION
• Code protection is crucial
• IP protection, preventing security checks from being bypassed
• Can be argued to improve security as well (anti-hacking technique)
• Existing tools and techniques
• Yet still many open questions
• Proper formalization (goal of the attacker, probabilistic setting?, stealth?)
• Distinguishing between legitimate and illegitimate contexts?
• Strength, correctness
• Next: a very powerful deobfuscation technique