Code trolley: hardware-assisted control flow obfuscation

Many cybersecurity attacks rely on analyzing a binary executable to find exploitable sections of code. Code obfuscation is used to prevent attackers from reverse engineering these executables. In this work, we focus on control flow obfuscation - a technique that prevents attackers from statically determining which code segments are original, and which segments are added in to confuse attackers. We propose a RISC-V-based hardware-assisted deobfuscation technique that deobfuscates code at runtime based on a secret safely stored in hardware, along with an LLVM compiler extension for obfuscating binaries. Unlike conventional tools, our work does not rely on compiling hard-to-reverse-engineer code, but on securing a secret key. As such, it can be seen as a lightweight alternative to on-the-fly binary decryption.Published versio

CodeTrolley: Hardware-Assisted Control Flow Obfuscation

Many cybersecurity attacks rely on analyzing a binary executable to find exploitable sections of code. Code obfuscation is used to prevent attackers from reverse engineering these executables. In this work, we focus on control flow obfuscation - a technique that prevents attackers from statically determining which code segments are original, and which segments are added in to confuse attackers. We propose a RISC-V-based hardware-assisted deobfuscation technique that deobfuscates code at runtime based on a secret safely stored in hardware, along with an LLVM compiler extension for obfuscating binaries. Unlike conventional tools, our work does not rely on compiling hard-to-reverse-engineer code, but on securing a secret key. As such, it can be seen as a lightweight alternative to on-the-fly binary decryption.Comment: 2019 Boston Area Architecture Workshop (BARC'19

Intertwining ROP Gadgets and Opaque Predicates for Robust Obfuscation

Software obfuscation plays a crucial role in protecting intellectual property in software from reverse engineering attempts. While some obfuscation techniques originate from the obfuscation-reverse engineering arms race, others stem from different research areas, such as binary software exploitation. Return-oriented programming (ROP) gained popularity as one of the most effective exploitation techniques for memory error vulnerabilities. ROP interferes with our natural perception of a process control flow, which naturally inspires us to repurpose ROP as a robust and effective form of software obfuscation. Although previous work already explores ROP's effectiveness as an obfuscation technique, evolving reverse engineering research raises the need for principled reasoning to understand the strengths and limitations of ROP-based mechanisms against man-at-the-end (MATE) attacks. To this end, we propose ROPFuscator, a fine-grained obfuscation framework for C/C++ programs using ROP. We incorporate opaque predicates and constants and a novel instruction hiding technique to withstand sophisticated MATE attacks. More importantly, we introduce a realistic and unified threat model to thoroughly evaluate ROPFuscator and provide principled reasoning on ROP-based obfuscation techniques that answer to code coverage, incurred overhead, correctness, robustness, and practicality challenges