
Date post: 30-Dec-2015
Upload: edmund-wilkerson
DEV 344 .NET Obfuscation – Raising the Security Bar Gabriel Torok – President Bill Leach - CTO PreEmptive Solutions

DEV 344

.NET Obfuscation – Raising the Security Bar

Gabriel Torok – President

Bill Leach - CTO

PreEmptive Solutions

PreEmptive Solutions

7 year-old technology firm

Application Code Security Products, Consulting and Training

PreEmptive’s Dotfuscator™ Community Edition is integrated into Microsoft’s Visual Studio® .NET™ 2003

The Issue

.NET Framework programs compile to intermediate language

Under native compilation, symbols are left out

Not so with .NET Framework Apps!

Decompilers already exist to recreate source code from compiled programs

Disassemble/Decompile

ILDASM

Disassembler - comes with the .NET Framework SDK

Anakrino

Standalone Decompiler

http://www.saurik.com/net/exemplar

Example: Vexed.NET

A game by Roey Ben-amotz

The game and source are freely available from

http://vexeddotnet.benamotz.com

Show Game

Example

Original Source:

    public void undo()
    {
        if (numOfMoves>0)
        {
            numOfMoves--;
            if (_UserMoves.Length>=2)
                _UserMoves = _UserMoves.Substring(0,_UserMoves.Length-2);
            this.loadBoard(this.moveHistory[numOfMoves - (numOfMoves/50) * 50]);
            this.drawBoard(this.gr);
        }
    }

Using ILDASM

demo

Disassemble with ILDASM…

    .method public hidebysig instance void undo() cil managed
    {
      .maxstack 5
      IL_0000: ldarg.0
      IL_0001: ldfld int32 vexed.net.board::numOfMoves
      IL_0006: ldc.i4.0
      IL_0007: ble.s IL_0070
      IL_0009: ldarg.0
      IL_000a: dup
      IL_000b: ldfld int32 vexed.net.board::numOfMoves
      IL_0010: ldc.i4.1
      IL_0011: sub
      IL_0012: stfld int32 vexed.net.board::numOfMoves
      IL_0017: ldarg.0
      IL_0018: ldfld string vexed.net.board::_UserMoves
      IL_001d: callvirt instance int32 [mscorlib]System.String::get_Length()
      IL_0022: ldc.i4.2
      ...

Symbols are preserved

Using Anakrino

demo

Decompile with Anakrino:

    public void undo()
    {
        if (this.numOfMoves > 0)
        {
            this.numOfMoves = this.numOfMoves - 1;
            if (this._UserMoves.Length >= 2)
                this._UserMoves = this._UserMoves.Substring(0, this._UserMoves.Length - 2);
            this.loadBoard(this.moveHistory[this.numOfMoves - this.numOfMoves / 50 * 50]);
            this.drawBoard(this.gr);
        }
    }

Essentially identical to original source

The Vision…

There is a solution to help thwart reverse engineering

Microsoft isn’t passively watching this become an issue

What is Obfuscation?

Technology of shrouding the facts

Hide what’s required, remove the rest

Confuse observers, but give CLR the same delivery

Why Not Just Encrypt?

Encryption is like putting your application in a lockbox

To execute, the runtime needs the key

If the runtime can get it, so can crackers

Obfuscation hides your IP, even if encryption is broken

How do Encryption, Hashing, and Obfuscation Compare?

                  Reversible?   One-to-one?   Acceptable for   Can be reversed?
                  (not lossy)                 Active Data?
Encryption        Y             Y             N                Y
One-Way Hashing   N             Y             N                N
Obfuscation       N             N             Y                N

Simple Addition to the Build Process

General Obfuscation Transforms

Symbol renaming

Removal of unnecessary metadata

Modification of control flow

String encryption

Compaction

Renaming

The first line of defense

Replace meaningful names with non-meaningful ones

Confuses human readers of decompiled output

What Can Be Renamed?

Types, Interfaces, Methods, Fields, etc.

Common Scenarios

Preserve public API to assembly

Obfuscate “private API” across assemblies

Obfuscate all names in standalone assembly

Renaming Constraints

Preserve method override relationships and interface contracts

Names must be consistent throughout class hierarchies

Renaming Algorithms

Hashing (1:1)

A new name for each original name

Overload Induction

Generate names optimally. Use as few unique names as possible within any given scope.

Overload Induction™

Patented algorithm to induce method overloading

Rename as many methods as possible to the same name

Provably irreversible

GetPayroll() becomes a()

MakeDeposit(float amount) becomes a(float a)

SendPayment(String dest) becomes a(String a)

Enhanced Overload Induction

Use method’s return type as a criterion in determining method uniqueness

Allows up to 15 percent more name redundancy

Typically not allowed in high level source languages

Further hinders decompilers
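
The renaming idea from the two Overload Induction slides, sketched as an added example (not PreEmptive's patented implementation or any Dotfuscator code). It assumes a single class with no inheritance or interface constraints; the return types and the last two methods in SAMPLE are constructed for illustration.

```python
from collections import defaultdict
from itertools import count

def short_names():
    """Yield a, b, ..., z, aa, ab, ... in order."""
    for n in count(1):
        name = ""
        while n:
            n, r = divmod(n - 1, 26)
            name = chr(ord("a") + r) + name
        yield name

def overload_induction(methods, use_return_type=False):
    """methods: (name, return_type, param_types) tuples from one scope.
    Each method gets the first short name not yet used with the same
    signature key, so as many methods as possible share one name.
    use_return_type=True adds the return type to the key, which IL
    permits even though most source languages do not."""
    used = defaultdict(set)      # new name -> signature keys already using it
    renamed = {}
    for name, ret, params in methods:
        key = (ret, params) if use_return_type else params
        new = next(c for c in short_names() if key not in used[c])
        used[new].add(key)
        renamed[(name, ret, params)] = new
    return renamed

# First three methods are the slide's examples; return types are constructed.
SAMPLE = [
    ("GetPayroll", "void", ()),
    ("MakeDeposit", "void", ("float",)),
    ("SendPayment", "void", ("String",)),
    ("GetBalance", "float", ()),            # constructed
    ("CloseAccount", "bool", ("String",)),  # constructed
]

if __name__ == "__main__":
    for enhanced in (False, True):
        result = overload_induction(SAMPLE, use_return_type=enhanced)
        print("enhanced" if enhanced else "basic", sorted(set(result.values())))
        for (name, ret, params), new in result.items():
            print(f"  {ret} {name}({', '.join(params)}) -> {new}")
```

With parameter types alone as the key, the five sample methods need two names; adding the return type lets all five collapse to `a`.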

Renaming Summary

Foils human readers

Overload Induction destroys original method overload relationships

Decreases size of application

Does not hurt performance

Metadata Removal

Not all metadata is required to execute an application

Properties, Events, Parameter names

This information can be stripped out

Decreases size of the application

Does not hurt performance

Control-Flow Obfuscation

Makes program logic harder to follow

Equivalent to original logic

Thwarts humans and decompilers

Decompilers look for clues to reproduce high level statements (e.g. for loops)

Control-Flow Algorithms

Block Re-Ordering

Jumbles blocks of instructions

Destroys clues used by decompilers

“goto considered beneficial”

“Opaque Predicates”

Adds dummy “if” statements that are runtime deterministic (e.g. always evaluate to “true”)

Does not confuse decompilers

Control-Flow Summary

Foils humans and decompilers

Increases the size of methods

Can hurt performance (<1%)

String Encryption

String literals are compiled into the application

String Encryption raises the bar against cracking attacks

Hide sensitive information

Hide clues about what code is doing

String Encryption Summary

Strings decrypted at runtime, on demand

Same limitations as application encryption

Foils string based cracker attacks

Increases application size

Can hurt performance

Compaction

Not obfuscation, but possible for an obfuscator to perform

Analyze the set of input assemblies

Remove unused elements

Configurable to allow for dynamic applications

Compaction

A smaller app transfers, loads and runs faster

Microsoft .NET Framework Compact Framework apps

Distributed apps

Dotfuscator™ Community Edition

A lite version that performs overload induction renaming

Integrated in Visual Studio® .NET™ 2003

Full configurability and renaming protection

Dotfuscator™ Community Edition

The Solution…

Dotfuscator has:

The strongest renaming algorithm in the industry — patented

Metadata removal

Use command line interface or GUI

Configuration File

Stores obfuscation settings

XML format

Create and maintain from GUI or Command line

Using Dotfuscator

Minimum information necessary to configure Dotfuscator:

Input Assembly

Map File Location

Output Directory

We will configure Dotfuscator for the Vexed.NET game

Configure and Run Dotfuscator

See results in ILDASM and Anakrino

demo

Examining the Options

Setup

Options

Trigger

Rename

Build

Output

Dotfuscator Configuration Details

Examine the “map” file

demo

The Map File

Specify location on the “Renaming Options Tab”

An XML formatted file

Links original to obfuscated names

Keep this file in a secure place

From the Command Line

Run with or without a config file

Override options in a template config

Create a new config file

Launch the GUI with options and/or a config file

Running Dotfuscator on the Command Line

demo

When Should I Obfuscate?

After I ship?

The day before I need to ship?

Integrated in the build process right from the start?

Where should obfuscation occur in the build process?

During Design?

After testing (regression, etc.)?

Before testing?

I don’t do testing…

Strong Named Assemblies

Obfuscation modifies the assembly

Use delay signing

Complete signing after obfuscation

Effect on Debugging

Stack Traces are Less Informative

System.Exception: You have an error

at cv.c()

at cv..ctor(Hashtable A_0)

at ar.j(di A_0)

at ae.Main(String[] A_0)

Use the Map File to recover original names
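
Recovering names in the stack trace above from a map file, as an added example (not Dotfuscator's own tooling). The XML layout and every original name in MAP_XML are constructed for illustration and are not Dotfuscator's real map schema. Because Overload Induction gives many methods the same name, the lookup is keyed on type, method name and parameter types together.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified map: NOT the real Dotfuscator schema or real names.
MAP_XML = """<map>
  <type name="Example.Board" newname="cv">
    <method name="Validate" newname="c" params=""/>
    <method name="Reset" newname="c" params="di"/>
  </type>
  <type name="Example.Loader" newname="ar">
    <method name="Open" newname="j" params="di"/>
  </type>
  <type name="Example.Level" newname="di"/>
  <type name="Example.Program" newname="ae"/>
</map>"""

# The obfuscated trace shown on the slide.
TRACE = """System.Exception: You have an error
at cv.c()
at cv..ctor(Hashtable A_0)
at ar.j(di A_0)
at ae.Main(String[] A_0)"""

# "at <type>.<method>(<args>)"; the method may be ".ctor".
FRAME = re.compile(r"^(\s*at )([\w.]+?)\.(\.?\w+)\((.*)\)$")

def load_map(xml_text):
    """Return ({obfuscated type: original}, {(type, method, params): original})."""
    types, methods = {}, {}
    for t in ET.fromstring(xml_text).iter("type"):
        types[t.get("newname")] = t.get("name")
        for m in t.iter("method"):
            key = (t.get("newname"), m.get("newname"), m.get("params"))
            methods[key] = m.get("name")
    return types, methods

def restore(trace, types, methods):
    """Rewrite each frame with original names; unknown names are left as-is."""
    out = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        if not m:
            out.append(line)          # exception message or unparsed line
            continue
        prefix, typ, meth, args = m.groups()
        params = [a.split() for a in args.split(",") if a.strip()]
        key = (typ, meth, ",".join(p[0] for p in params))
        shown = ", ".join(" ".join([types.get(p[0], p[0])] + p[1:]) for p in params)
        out.append(f"{prefix}{types.get(typ, typ)}.{methods.get(key, meth)}({shown})")
    return "\n".join(out)

if __name__ == "__main__":
    print(restore(TRACE, *load_map(MAP_XML)))
```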

Dotfuscate

It’s easy

It gives you added protection and peace of mind

You can integrate it in your build process

Ask The Experts

Get Your Questions Answered

We will be available in the “Ask The Experts” area from noon to 2pm on 2 July 2003.

We will also be generally available at the PreEmptive/SoleaCom booth #A16

ILDASM tutorial http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptutorials/html/il_dasm_tutorial.asp

Anakrino home page http://www.saurik.com/net/exemplar

Vexed.net home page http://vexeddotnet.benamotz.com

Dotfuscator home page http://www.preemptive.com/dotfuscator

Dotfuscator FAQ http://www.preemptive.com/dotfuscator/DotfuscatorFAQ.html

Resources…

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE                                                                              Available
Inside Microsoft .NET IL Assembler by Serge Lidin (Microsoft Press, 2002)          Today
Writing Secure Code by Michael Howard and David LeBlanc (Microsoft Press, 2003)    Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

evaluations

© 2003 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

