LLVM中间语言的控制流混淆方案

doi:10.3778/j.issn.1002-8331.2112-0035

摘要/Abstract

摘要： 软件安全问题在后疫情时代越发突出，代码混淆作为一种成熟的保护方案，借助于LLVM提供了跨平台使用的可能性，但基于LLVM的控制流混淆算法在保护力度上有所局限，一方面是现有的算法模式固定，缺乏结构上的创新性，另一方面是混淆处理时，未考虑到攻击者可以根据基本块的入度进行虚假块的预先判断，存在容易被识别的风险，因此提出两种算法：首先是嵌套switch混淆，打破固有的扁平化处理模式，通过在内部重新构造switch结构，增强对跳转变量的隐藏；其次是入度混淆，在虚假控制流中添加防入度分析策略，通过改变虚假块的入度规避虚假块的识别问题。在LLVM10上实现了方案原型并进行实验，结果表明：混淆方法在1.5倍内的时空开销内，相较于已有的控制流混淆方案，可以进一步降低58.67%的程序基本块相似度，增加64.44%的跳转指令。

关键词: 软件保护, 代码混淆, 控制流混淆

Abstract: Software security issues are becoming more prominent in the post-epidemic era, and code obfuscation as a mature protection scheme provides the possibility of cross-platform use with the help of LLVM. However, LLVM-based control flow obfuscation algorithms are limited in terms of protection strength, on the one hand, the existing algorithm model is immutable and lacks structural innovation. On the other hand, the obfuscation processing does not take into account the fact that attackers can base on the basic block. Therefore, two algorithms are proposed：firstly, nested switch obfuscation, which breaks the inherent flat processing model and enhances the hiding of the hopping amount by reconstructing the switch structure internally; secondly, indegree obfuscation, which adds an anti-entry degree analysis strategy to the false control flow to circumvent the false block by changing the indegree of the false block. The results show that the obfuscation method can further reduce 58.67% of the basic block similarity and increase 64.44% of the jump instructions compared to the existing control-flow obfuscation scheme within 1.5 times the temporal overhead.

Key words: software protection, code obfuscation, control flow obfuscation

李成扬, 黄天波, 陈夏润, 文伟平. LLVM中间语言的控制流混淆方案[J]. 计算机工程与应用, 2023, 59(8): 263-269.

LI Chengyang, HUANG Tianbo, CHEN Xiarun, WEN Weiping. Control Flow Obfuscation Scheme for LLVM Intermediate Languages[J]. Computer Engineering and Applications, 2023, 59(8): 263-269.

参考文献

[1] GABRIELSSON J，BUGEJA J，VOGEL B.Hacking a commercial drone with open-source software：exploring data privacy violations[C]//2021 10th Mediterranean Conference on Embedded Computing，2021.
[2] MACHADO R C S，BOCCARDO D R，Sá V G P，et al.Software control and intellectual property protection in cyber-physical systems[J].Eurasip Journal on Information Security，2016（1）：1-14.
[3] XU H，ZHOU Y，KANG Y，et al.On secure and usable program obfuscation：a survey[J].arXiv：1710.01139，2017.
[4] COLLBERG C，THOMBORSON C，LOW D.A taxonomy of obfuscating transformations[R].1997.
[5] LATTNER C，ADVE V.LLVM：a compilation framework for lifelong program analysis & transformation[C]//2nd International Symposium on Code Generation and Optimization，2003：75-86.
[6] SHY O，THISSE J F.A strategic approach to software protection[J].Journal of Economics & Management Strategy，1999，8（2）：163-190.
[7] COLLBERG C S，THOMBORSON C.Watermarking，tamper-proofing，and obfuscation-tools for software protection[J].IEEE Transactions on Software Engineering，2002，28（8）：735-746.
[8] BERLATO S，CECCATO M.A large-scale study on the adoption of anti-debugging and anti-tampering protections in android apps[J].Journal of Information Security and Applications，2020，52：28.
[9] MERLO A，RUGGIA A，SCIOLLA L，et al.ARMAND：anti-repackaging through multi-pattern anti-tampering based on native detection[J].Pervasive and Mobile Computing，2021，76：101443.
[10] TEMIZKAN O，PARK S，SAYDAM C.Software diversity for improved network security：optimal distribution of software-based shared vulnerabilities[J].Information Systems Research，2017，28（4）：828-849.
[11] LARSEN P，HOMESCU A，BRUNTHALER S，et al.SoK：automated software diversity[C]//35th IEEE Symposium on Security and Privacy（SP），2014：276-291.
[12] BANIK S，BOGDANOV A，ISOBE T，et al.Analysis of software countermeasures for whitebox encryption[J].IACR Transactions on Symmetric Cryptology，2017，2017（1）：307-328.
[13] CHOW S，EISEN P，JOHNSON H，et al.White-box cryptography and an AES implementation[C]//Selected Areas in Cryptography.Berlin：Springer-Verlag，2003：250-270.
[14] HAN S，SHIN W，PARK J H，et al.A bad dream：subverting trusted platform module while you are sleeping[C]//Proceedings of the 27th USENIX Security Symposium，2018：1229-1246.
[15] YU Z L，ZHANG W P，DAI H J.A trusted architecture for virtual machines on cloud servers with trusted platform module and certificate authority[J].Journal of Signal Processing Systems for Signal Image and Video Technology，2017，86（2/3）：327-336.
[16] MA H Y，JIA C F，LI S J，et al.Xmark：dynamic software watermarking using collatz conjecture[J].IEEE Transactions on Information Forensics and Security，2019，14（11）：2859-2874.
[17] COHEN F B.Operating system protection through program evolution[J].Computers and Security，1993，12（6）：565-584.
[18] COLLBERG C，THOMBORSON C，LOW D.Manufacturing cheap，resilient，and stealthy opaque constructs[C]//Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages，1998：184-196.
[19] ANCKAERT B，MADOU M，DE SUTTER B，et al.Program obfuscation：a quantitative approach[C]//3rd Workshop on Quality of Protection/14th ACM Computer and Communications Security Conference，2009：15-20.
[20] BARAK B，GOLDREICH O，IMPAGLIAZZO R，et al.On the （im）possibility of obfuscating programs[J].Journal of the ACM，2012，59（2）：1-48.
[21] KUZURIN N，SHOKUROV A，VARNOVSKY N，et al.On the concept of software obfuscation in computer security[C]//10th International Conference on Information Security，2007.
[22] JUNOD P，RINALDINI J，WEHRLI J，et al.Obfuscator-LLVM-software protection for the masses[C]//IEEE/ACM 1st International Workshop on Software Protection（SPRO），2015：3-9.
[23] 陈耀阳，陈伟.采用隐式跳转的控制流混淆技术[J].计算机工程与应用，2021，57（20）：125-132.
CHEN Y Y，CHEN W.Control flow obfuscation technology based on implicit jump[J].Computer Engineering and Applications，2021，57（20）：125-132.
[24] LIN Y.Novel techniques in recovering，embedding，and enforcing policies for control-flow integrity[M].Berlin：Springer，2021：1-95.
[25] PHU T N，THO N D，HOANG L H，et al.An efficient algorithm to extract control flow-based features for IoT malware detection[J].Computer Journal，2021，64（4）：599-609.
[26] MING J，XU D P，WANG L，et al.LOOP：logic-oriented opaque predicate detection in obfuscated binary code[C]//22nd ACM SIGSAC Conference on Computer and Communications Security（CCS），2015：757-768.
[27] XU D P，MING J，WU D H.Generalized dynamic opaque predicates：a new control flow obfuscation method[C]//19th Annual International Conference on Information Security（ISC），2016：323-342.
[28] MAJUMDAR A，THOMBORSON C.On the use of opaque predicates in mobile agent code obfuscation[C]//Intelligence and Security Informatics.Berlin：Springer-Verlag，2005：648-649.
[29] MAJUMDAR A，THOMBORSON C，DRAPE S.A survey of control-flow obfuscations[C]//2nd International Conference on Information Systems Security，2006.
[30] CECCATO M，DI PENTA M，NAGRA J，et al.Towards experimental evaluation of code obfuscation techniques[C]//Proceedings of the ACM Conference on Computer and Communications Security，2008：39-45.
[31] BLAZY S，TRIEU A.Formal verification of control-flow graph flattening[C]//5th ACM SIGPLAN Conference on Certified Programs and Proofs（CPP），2016：176-187.
[32] KANZAKI Y，MONDEN A，COLLBERG C，et al.Code artificiality：a metric for the code stealth based on an N-gram model[C]//IEEE/ACM 1st International Workshop on Software Protection（SPRO），2015：31-37.
[33] JOHANSSON B，LANTZ P，LILJENSTAM M，et al.Lightweight dispatcher constructions for control flow flattening[C]//7th Software Security，Protection，and Reverse Engineering Workshop（SSPREW），2017.
[34] 田大江，李成扬，黄天波，等.基于底层虚拟机的标识符混淆方法[J].计算机应用，2022，42（8）：2540-2547.
TIAN D J，LI C Y，HUANG T B，et al.Identifier obfuscation method based on low level virtual machine[J].Journal of Computer Applications，2022，42（8）：2540-2547.
[35] SHOSHITAISHVILI Y，WANG R Y，SALLS C，et al.（State of） the art of war：offensive techniques in binary analysis[C]//IEEE Symposium on Security and Privacy（SP），2016：138-157.