Developing a Deterministic Polymorphic Circuit Generator Using Random Boolean Logic Expansion

Securing applications on untrusted platforms can involve protection against legitimate endusers who act in the role of malicious reverse engineers and hackers. Such adversaries have access to the full execution environment of programs, whether the program comes in the form of software or hardware. In this thesis, we consider the nature of obfuscating algorithms that perform iterative, stepwise transformation of programs into more complex forms that are intended to increase the complexity (time, resources) for malicious reverse engineers. We consider simple Boolean logic programs as the domain of interest and examine a specific transformation technique known as Iterative Selection and Replacement (ISR), which represents a practical, syntactic approach for obfuscation. Specifically, we focus on improving the security of ISR by maximizing the flexibility and potential security of the replacement step of the algorithm which can be formulated in the following question: Given a selection of Boolean logic gates (i.e., a subcircuit), how can we produce a semantically equivalent (polymorphic) version of the subcircuit such that the distribution of potential replacements represents a random, uniform distribution from the set of all possible replacements? This practical question is related to the theoretic study of indistinguishability obfuscation, where a transformer for a class of circuits guarantees that given any two semantically equivalent circuits from the class, the distribution of variants from their obfuscation are computationally indistinguishable. Ideally, polymorphic circuits that follow a random, uniform distribution provide stronger protection against malicious analyzers that target identification of distinct patterns as a basis for deobfuscation and simplification. We introduce a novel approach for polymorphic circuit replacement called Random Boolean Logic Expansion (RBLE), which applies Boolean logic laws (of reduction) in reverse. We compare this approach against another proposed method of polymorphic replacement that relies on static circuit libraries. As a contribution, we show the strengths and weaknesses of each approach, examine initial results from empirical studies to estimate the uniformity of polymorphic distributions, and provide the argument for how such algorithms can be readily applied in software contexts. RBLE provides a unique method to generate polymorphic variants of arbitrary input, output, and gate size. We report initial findings for studying variants produced by this method and, from empirical evaluation, show that RBLE has promise for generating distributions of unique, uniform circuits when size is unconstrained, but for targeted size distributions, the approach requires adjustment for reaching potential circuit variant

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Largely known for attack scenarios, code reuse techniques at a closer look reveal properties that are appealing also for program obfuscation. We explore the popular return-oriented programming paradigm under this light, transforming program functions into ROP chains that coexist seamlessly with the surrounding software stack. We show how to build chains that can withstand popular static and dynamic deobfuscation approaches, evaluating the robustness and overheads of the design over common programs. The results suggest a significant amount of computational resources would be required to carry a deobfuscation attack for secret finding and code coverage goals.Comment: Published in the proceedings of DSN'21 (51st IEEE/IFIP Int. Conf. on Dependable Systems and Networks). Code and BibTeX entry available at https://github.com/pietroborrello/raindro

Code obfuscation against abstraction refinement attacks

Code protection technologies require anti reverse engineering transformations to obfuscate programs in such a way that tools and methods for program analysis become ineffective. We introduce the concept of model deformation inducing an effective code obfuscation against attacks performed by abstract model checking. This means complicating the model in such a way a high number of spurious traces are generated in any formal verification of the property to disclose about the system under attack.We transform the program model in order to make the removal of spurious counterexamples by abstraction refinement maximally inefficient. Because our approach is intended to defeat the fundamental abstraction refinement strategy, we are independent from the specific attack carried out by abstract model checking. A measure of the quality of the obfuscation obtained by model deformation is given together with a corresponding best obfuscation strategy for abstract model checking based on partition refinement

Partial (In)Completeness in Abstract Interpretation: Limiting the Imprecision in Program Analysis

Imprecision is inherent in any decidable (sound) approximation of undecidable program properties. In abstract interpretation this corresponds to the release of false alarms, e.g., when it is used for program analysis and program verification. As all alarming systems, a program analysis tool is credible when few false alarms are reported. As a consequence, we have to live together with false alarms, but also we need methods to control them. As for all approximation methods, also for abstract interpretation we need to estimate the accumulated imprecision during program analysis. In this paper we introduce a theory for estimating the error propagation in abstract interpretation, and hence in program analysis. We enrich abstract domains with a weakening of a metric distance. This enriched structure keeps coherence between the standard partial order relating approximated objects by their relative precision and the effective error made in this approximation. An abstract interpretation is precise when it is complete. We introduce the notion of partial completeness as a weakening of precision. In partial completeness the abstract interpreter may produce a bounded number of false alarms. We prove the key recursive properties of the class of programs for which an abstract interpreter is partially complete with a given bound of imprecision. Then, we introduce a proof system for estimating an upper bound of the error accumulated by the abstract interpreter during program analysis. Our framework is general enough to be instantiated to most known metrics for abstract domains

AppIS:Protect Android Apps Against Runtime Repackaging Attacks

Apps repackaged through reverse engineering pose a significant security threat to the Android smart phone ecosystem. Previous solutions have mostly focused on the detection and identification of repackaged apps. Nevertheless, current app anti-repackaging services can only protect applications at a coarse level and have significant performance overhead. These approaches can neither meet the performance requirements of Android nor achieve fine-grained protection against cumulative attack at the same time. Specifically, these solutions rely on a fix-structure detecting engine and then will execute the same path at different times, which lead to the whole protection performs poorly when faced with dynamic cumulative attack, which is typical in real-world attack. This paper introduces the AppIS, a reinforced antirepackaging immune system, that is robust to app-repackaging attack scenarios. Unlike past work, which mostly focuses on simple protection only from just one respect, our design exploits an interlocking guarding net with time diversity for the tamperproofing of Android applications. The intuition underlying our design is that a dynamic and static combining method can provide a multi-level protection for the codes, core algorithm and sensitive data. We analyze and classify the existing threats on Android platform and furthermore abstract then model the repackaging attack scenarios. We then adapt a random controller used by the dispatcher to randomly construct guarding net with different structure every time. We have built a prototype of our design using Java Native Interface cross-layer calling mechanism for performance requirement. Results from a deployment of AppIS on three kinds of popular apps demonstrate that the new design can prevent our apps from cumulative attack without extra performance cost

Securely Handling Inter-Application Connection Credentials

The utilization of application-to-application (A2A) credentials within interpretive language scripts and application code has long been a security risk. The quandaries being how to protect and secure the credentials handled in the main body of code and avoid exploitation from rogue programmers, system administrators and other users with authorized high levels of privilege. Researchers report that A2A credentials cannot be protected and that there is no way to reduce the risk of the inevitable successful attack and subsequent exploit. Therefore, research efforts to date have primarily been focused on mitigating the impact of the attack rather than finding ways to reduce the attack surface. The work contained herein successfully addresses this serious cross-cutting concern and proves that it is in fact possible to significantly reduce the risk of attack. This reduction of risk was accomplished through implementing a method of credential obfuscation which applied advice with concerns utilizing a composition filter. The filter modified messages containing the credentials as they were sent from the interpretive language script to the remote data store. The modification extracted credentials from a secure password vault and inserted them into the message being sent to the remote data store. This modification moved the handling of the credentials from the main body of code to a secure library and out of the reach of attackers with authorized high levels of privilege. The relocation of the credential handling code lines significantly reduced the attack surface and the overall risk of attack

Toward Digital Asset Protection

The goal of software protection (SP) research is to make software safe from malicious attacks by preventing adversaries from tampering, reverse engineering, and illegally redistributing software. The Digital Asset Protection Association (DAPA) was launched in July 2011 to address the challenges of such attacks and SP research in general. As DAPA activities and efforts get underway, the ultimate goal is to establish standards and baseline definitions for SP research and to promote coordinated, open efforts among academia and industry