Generalized Dynamic Opaque Predicates: A New Control Flow Obfuscation Method

Opaque predicate obfuscation, a low-cost and stealthy control flow obfuscation method that introduces superfluous branches, has been demonstrated to be effective at impeding reverse engineering efforts and is broadly used in various areas of software security. Conventional opaque predicates typically rely on the invariant properties of well-known number-theoretic theorems, making them easy to detect with dynamic testing and formal semantics techniques. To address this limitation, previous work has introduced the idea of dynamic opaque predicates, whose values may vary in different runs. However, the systematic design and evaluation of dynamic opaque predicates are far from mature. In this paper, we generalize the concept and systematically develop a new control flow obfuscation scheme called generalized dynamic opaque predicates. Compared to the previous work, our approach has two distinct advantages: (1) we extend the application scope by automatically transforming more common program structures (e.g., straight-line code, branches, and loops) into dynamic opaque predicates; (2) our system design does not require dynamic opaque predicates to be strictly adjacent, which makes it more resilient to deobfuscation techniques. We have developed a prototype tool based on LLVM IR and evaluated it by obfuscating the GNU core utilities. Our experimental results show the efficacy and generality of our method. In addition, the comparative evaluation demonstrates that our method is resilient to the latest formal program semantics-based opaque predicate detection method.
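The distinction the abstract draws between invariant and dynamic opaque predicates, as an added C illustration (not code from the paper or its LLVM-based tool). The predicate forms, the per-run value `r`, and all function names are assumptions chosen for this example; it models the general idea of correlated dynamic predicates over straight-line code, not the paper's transformation.

```c
#include <stdint.h>
#include <stdio.h>

/* Original straight-line code: (x + 3) * 2, in wrapping 32-bit arithmetic. */
uint32_t original(uint32_t x) { uint32_t y = x + 3; return y * 2; }

/* Conventional opaque predicate: x*(x+1) is always even, so the result is
   the same for every input and every run. */
int invariant_pred(uint32_t x) { return (x * (x + 1)) % 2 == 0; }

/* Two correlated dynamic predicates over a per-run value r (assumed picked at
   program start). Each varies, but both reduce to "r is odd", so they agree. */
int dyn_p(uint32_t r) { return (r & 1u) == 1u; }
int dyn_q(uint32_t r) { return (r * r) % 2u == 1u; }

/* Straight-line code split across the two predicates. Neither half matches
   its counterpart, but true/true and false/false both yield (x + 3) * 2. */
uint32_t obfuscated(uint32_t x, uint32_t r) {
    uint32_t y;
    if (dyn_p(r)) y = x + 3; else y = x * 2;
    /* unrelated code may sit here: the predicates need not be adjacent */
    if (dyn_q(r)) y = y * 2; else y = y + 6;
    return y;
}

/* Dynamic testing: bit 0 set if pred was seen false, bit 1 if seen true.
   A result of 1 or 2 marks an invariant predicate; 3 means it varies. */
int observed_values(int (*pred)(uint32_t), uint32_t n) {
    int seen = 0;
    for (uint32_t v = 0; v < n; v++) seen |= pred(v) ? 2 : 1;
    return seen;
}

/* The relation between the two predicates, treated as a predicate itself. */
int disagree(uint32_t r) { return dyn_p(r) != dyn_q(r); }

/* Number of (x, r) pairs in [0, n)^2 where obfuscated differs from original. */
uint32_t mismatches(uint32_t n) {
    uint32_t m = 0;
    for (uint32_t x = 0; x < n; x++)
        for (uint32_t r = 0; r < n; r++) m += obfuscated(x, r) != original(x);
    return m;
}

int main(void) {
    printf("%d %d %d %u\n", observed_values(invariant_pred, 1000),
           observed_values(dyn_p, 1000), observed_values(disagree, 1000), mismatches(200));
}
```

Testing each predicate alone flags only the number-theoretic one as constant; the invariant that remains in the dynamic form is the relation between the two predicates, which is what an analyst has to test for instead.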
