Obfuscation

Question 1

What is an informal definition of obfuscation?

Answer 1

To obfuscate a program P means to transform it into a executable program P’ from which it is harder to extract information than from P.

Question 2

What is an informal definition of reverse engineering?

Answer 2

The process of extracting data or a model of the system by inspecting its lower level description and/or behavior.

Question 3

Name 2 attack scenarios addressed by obfuscation

Answer 3

Stealing intellectual property, stealing secrets embedded in program

Question 4

Name the two main types of obfuscation and their respective properties

Answer 4

Static obfuscation:

• obfuscated program remains fixed at runtime
• raises bar against static analysis
• can be attacked through dynamic techniques

Dynamic obfuscation

• program keeps changing at runtime -> self modifying code
• raises the bar against static analysis

Question 5

What are different ‘Points of insertion’ for obfuscation?

Answer 5

Source code, Intermediate representation, machine code

Question 6

What are the different Transformation targets?

Answer 6

• layout -> scramble identifiers and code layout
• data -> obfuscate data embedded in code
• control flow -> obfuscate secret algorithms

Question 7

Name 9 different static obfuscation techniques

Answer 7

Confuse Code Reader:

• Scramble identifiers
• Instruction substitution
• Garbage code insertion
• Merging and splitting functions
• Control-flow flattening

Confuse Code Reader and Compiler:
- Opaque predicates

• Virtualization obfuscation
• Opaque expressions
• White-box cryptography

Question 8

What is Scrambling identifiers?

Answer 8

Identifier names are replaced with random strings

Question 9

What is instruction substitution?

Answer 9

Replace binary operation by functionally equivalent but more complicated computations

Question 10

What is garbage code insertion?

Answer 10

Dead code is added

Question 11

What are opaque predicates?

Answer 11

Opaque predicates are bogus branches in the control flow which always take the same branch, although hard to see for an attacker

Question 12

What is control-flow flattening?

Answer 12

1. Put each basic block in a case of a switch statement

2. Wrap the switch statement in an infinite loop

Question 13

What is a possible attack on control-flow flattening and how could it be countered?

Answer 13

1. Find next blocks of every basic block
2. Rebuild original CFG
   Mitigation: assign opaque expression to next

Question 14

What is an opaque expression?

Answer 14

An opaque expression is an expression that will always evaluate to the same value in a way not obvious for an attacker.

Question 15

How do opaque expressions from array aliasing work?

Answer 15

1. A statically initialized array with seemingly random values
2. The values are generated such that some invariant holds
3. Update array cells with values that respect invariants

Question 16

How does virtualization obfuscation work?

Answer 16

1. Generate random bytecode instruction set architecture (ISA) L covering all instructions of P
2. Translate P to L bytecode program
3. Generate emulator to interpret L bytecode on machine
   Output: P’ consisting of bytecode and emulator

Question 17

What is the goal and the idea behind White-Box cryptography?

Answer 17

Goal: Hide encryption/decryption key
Idea: Embed the key within the cipher

Question 18

What are some issues with software diversity?

Answer 18

• analysis of crash dumps
• incremental udpates
• digitally signing all versions

Question 19

Name two types of software diversity

Answer 19

• Pre-distribution Software Diversity

- Post-distribution Software Diversity

Question 20

In which phases does dynamic obfuscation run?

Answer 20

1. At compile time
   - initial program configuration is generated
   - runtime code-transformer is added
2. At runtime
   - interleave execution of the program with calls to the code-transfomer T
   - T changes the code at runtime
   - ideally a non-repeating series of configurations, in practice they repeat

Question 21

How does replacing instructions work?

Answer 21

1. Replace real instructions with bogus instructions
2. Just before execution replace bogus instructions with real instructions
3. After execution replace real instructions with bogus instructions

Question 22

How does dynamic code merging work?

Answer 22

1. Have two or more functions share the same location in memory
2. Create templates for functions that share the same location
3. Before function is called, patch memory using edit script to load it

Question 23

How does dynamic decryption and re-encryption work?

Answer 23

1. Execute current basic block
2. At some point the current block decrypts the next basic block
3. Decryption key could be hash of some other basic block
4. Jump to decrypted block
5. Encrypt the previously executed basic block
   goto 1

Question 24

What is a non-obvious but annoying problem with self-modifying code?

Answer 24

Virus scanners will complain

Question 25

Name 3 dynamic obfuscation techniques

Answer 25

replacing instructions, dynamic code merging, dynamic decryption and re-encryption

Question 26

What are the 4 dimensions of Collberg's obfuscation taxonomy?

Answer 26

Potency: comprehensibility of code by humans Stealth: identifiability of obfuscated code Resilience: resistance against automatic deobfuscation Cost: performance and resource overhead of obfuscation

Question 27

Describe methodological steps to characterize and predict the strength of obfuscation

Answer 27

1. Model MATE as attack-nets 2. Model transitions as search problems 3. Identify features to generate programs 4. Obfuscate programs 5. Attack obfuscated programs 6. Feature extraction 7. Predict average effort of attack