计算机工程与应用 ›› 2023, Vol. 59 ›› Issue (8): 263-269.DOI: 10.3778/j.issn.1002-8331.2112-0035

• 网络、通信与安全 • 上一篇    下一篇

LLVM中间语言的控制流混淆方案

李成扬,黄天波,陈夏润,文伟平   

  1. 北京大学 软件与微电子学院,北京 102600
  • 出版日期:2023-04-15 发布日期:2023-04-15

Control Flow Obfuscation Scheme for LLVM Intermediate Languages

LI Chengyang, HUANG Tianbo, CHEN Xiarun, WEN Weiping   

  1. School of Software and Microelectronics, Peking University, Beijing 102600, China
  • Online:2023-04-15 Published:2023-04-15

摘要: 软件安全问题在后疫情时代越发突出,代码混淆作为一种成熟的保护方案,借助于LLVM提供了跨平台使用的可能性,但基于LLVM的控制流混淆算法在保护力度上有所局限,一方面是现有的算法模式固定,缺乏结构上的创新性,另一方面是混淆处理时,未考虑到攻击者可以根据基本块的入度进行虚假块的预先判断,存在容易被识别的风险,因此提出两种算法:首先是嵌套switch混淆,打破固有的扁平化处理模式,通过在内部重新构造switch结构,增强对跳转变量的隐藏;其次是入度混淆,在虚假控制流中添加防入度分析策略,通过改变虚假块的入度规避虚假块的识别问题。在LLVM10上实现了方案原型并进行实验,结果表明:混淆方法在1.5倍内的时空开销内,相较于已有的控制流混淆方案,可以进一步降低58.67%的程序基本块相似度,增加64.44%的跳转指令。

关键词: 软件保护, 代码混淆, 控制流混淆

Abstract: Software security issues are becoming more prominent in the post-epidemic era, and code obfuscation as a mature protection scheme provides the possibility of cross-platform use with the help of LLVM. However, LLVM-based control flow obfuscation algorithms are limited in terms of protection strength, on the one hand, the existing algorithm model is immutable and lacks structural innovation. On the other hand, the obfuscation processing does not take into account the fact that attackers can base on the basic block. Therefore, two algorithms are proposed:firstly, nested switch obfuscation, which breaks the inherent flat processing model and enhances the hiding of the hopping amount by reconstructing the switch structure internally; secondly, indegree obfuscation, which adds an anti-entry degree analysis strategy to the false control flow to circumvent the false block by changing the indegree of the false block. The results show that the obfuscation method can further reduce 58.67% of the basic block similarity and increase 64.44% of the jump instructions compared to the existing control-flow obfuscation scheme within 1.5 times the temporal overhead.

Key words: software protection, code obfuscation, control flow obfuscation