Mariusz H. Jakubowski, Prasad Naldurg, Chit Wei (Nick) Saw, Ramarathnam Venkatesan (Microsoft Research); Matthias Jacob (Nokia). International Workshop on Security (IWSEC ’08), Kagawa, Japan, November 25-27, 2008.
Slide1
The Superdiversifier: Peephole Individualization for Software Protection
Mariusz H. Jakubowski, Prasad Naldurg, Chit Wei (Nick) Saw, Ramarathnam Venkatesan
Microsoft Research
Matthias Jacob
Nokia
International Workshop on Security: IWSEC ’08
Kagawa, Japan
November 25-27, 2008
Slide2
Introduction
- Software individualization
  - “Different-looking” but functionally equivalent code
  - Diversity as a defense against attacks
  - Important role in both biological and man-made systems
- Superoptimization
  - Brute-force search for shortest code sequences that implement a given function
  - Compiler optimization introduced by Massalin ‘87
- Goals of our work:
  - Leverage and extend superoptimization to individualize instruction sequences
  - Study superdiversification in the context of more comprehensive protection frameworks
Slide3
What Does This Do?
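    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[]) {
        if (argc < 2) return 1;  /* expects one integer argument */
        unsigned __int64 nInput = _atoi64(argv[1]);
        __int64 n;
        n = nInput - ((nInput >> 1) & 033333333333333333333LL);
        n = n - ((nInput >> 2) & 011111111111111111111LL);
        n = n + (n >> 3);
        n = n & 07070707070707070707LL;
        n = n % 077;
        printf("%I64d\n", n);    /* n is 64-bit, so %I64d (MSVC) rather than %d */
        return 0;
    }
Slide4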
Overview
- Introduction
- Background
  - Individualization
  - Superoptimization
- Superdiversification
- Experimental results
- Applications
- Conclusion
Instruction-level diversity via guided search
Slide5
Software Individualization
- Element of software security
  - Defends against BORE attacks (Break Once/Run Everywhere)
  - Forces duplication of effort to break systems
  - Alleviates “software monoculture” problem
- Many practical uses:
  - ASLR (Address Space Layout Randomization)
  - Secure DRM clients
  - Self-mutating malware
  - …
Slide6
Individualization Schemes
- Static: Individualization of program code
  - Algorithmic
    - Bubble sort → quicksort
    - Red-black trees → splay trees
  - Syntactic
    - MOV EAX,0 → XOR EAX,EAX
    - MOV EAX,5; MOV EBX,1 → MOV EBX,1; MOV EAX,5
- Dynamic: Individualization of runtime behavior
  - Varying paths at runtime
  - Variable data encoding
  - Self-modifying code
  - Byte-codes with variable semantics
  - …
Slide7
Superoptimization
- Brute-force search for shortest equivalent instruction sequence
- [Massalin ‘87]:
  - “Startling programs have been generated, many of them engaging in convoluted bit fiddling bearing little resemblance to the source programs which defined the functions.”
  - “… like a typical superoptimized program, the logic is really convoluted.”
Slide8
Superoptimization
- Input: Instruction sequence implementing a function
- Algorithm outline:
  - Enumerate all possible sequences up to a given length (e.g., 10 instructions).
  - Check for equivalence to input sequence:
    - Quick test: Test candidate sequence on several random inputs.
    - Slow test: Check Boolean equivalence of sequences (if quick test passes).
  - Skip sequences longer than current shortest sequence.
- Quick test takes most of the computation time.
- Slow test guarantees equivalence to input sequence.
Slide9
Overview
- Introduction
- Background
  - Individualization
  - Superoptimization
- Superdiversification
- Experimental results
- Applications
- Conclusion
Instruction-level diversity via guided search
Slide10
The Superdiversifier
- Adapt and extend superoptimization to diversify code:
  - Restrict set of instructions and operands allowed in search.
  - Guide search based on instruction frequencies occurring in real-life programs.
  - Use pruning techniques to cut down search time.
  - Accept a secret key to control the above operations.
  - Output any equivalent sequences, not necessarily only the shortest.
- Secret key determines order of search.
- Different keys may yield dramatically different equivalent sequences.
Slide11
Equivalence Test Using a SAT Solver
- Input: Two Boolean functions, F(x) and G(x).
- Goal: Determine whether F(x) ≡ G(x).
  - F(x) ≡ G(x) iff ∀x, F(x) = G(x).
  - F(x) ≡ G(x) iff ∄x │ F(x) ≠ G(x).
- Thus, simply run a SAT solver on F(x) ≠ G(x) represented as a Boolean (CNF) formula.
  - F(x) ≡ G(x) iff F(x) ≠ G(x) is unsatisfiable.
Slide12
Overview
- Introduction
- Background
  - Individualization
  - Superoptimization
- Superdiversification
- Experimental results
- Applications
- Conclusion
Instruction-level diversity via guided search
Slide13
Experimental Results
- Function: Swap registers
- Input code
- Sample equivalent versions
Slide14
Experimental Results
- Function: Swap registers
- Input code
- Sample equivalent versions
- Only arithmetic and logical instructions allowed in search.
Slide15
Experimental Results
- Function: Fragment of compiler-generated code
- Input code
- Sample equivalent versions
- Small set of constants allowed in search (may be harvested from real-life programs).
Slide16
Empirical Taxonomy
Slide17
Overview
- Introduction
- Background
  - Individualization
  - Superoptimization
- Superdiversification
- Experimental results
- Applications
- Conclusion
Instruction-level diversity via guided search
Slide18
Some Applications
- Defense against signature-based attacks
- Patch obfuscation
  - Patches reveal location of vulnerabilities.
    - “Patch Tuesdays” often followed by exploits.
    - Diffing tools locate vulnerable code quickly.
  - Superdiversification helps to hide patches.
    - Maximize size of diff between unpatched and patched applications.
    - For best results, diversify large sections of the patched binary, not just the patch code.
- An element of comprehensive individualization systems
Slide19
Conclusion
- Main contribution: Guided search for instruction sequences to individualize binaries.
- Future work
  - Extend range of superdiversified code.
    - Other types of instructions
    - Control-flow constructs
  - Optimize for better speed.
  - Adapt to custom byte-codes.
    - Modern instruction sets are geared towards generality and performance.
    - Custom byte-codes may be designed for individualization and obfuscation.
    - Instructions may perform arbitrary operations, not just serve as elementary building blocks.
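
The guided search from the Superoptimization, Superdiversifier and Equivalence Test slides, as an added Python sketch for the "swap registers" case with only arithmetic and logical instructions; it is not the authors' tool. Assumptions: a toy two-register, 4-bit machine, an HMAC-derived search order standing in for the secret key, and exhaustive enumeration standing in for the SAT solver; all names are hypothetical.

```python
import hmac, itertools, random

W = 4                                   # toy register width in bits (assumption)
MASK = (1 << W) - 1
OPS = {"xor": lambda d, s: d ^ s,       # restricted set: arithmetic/logical only
       "add": lambda d, s: (d + s) & MASK,
       "sub": lambda d, s: (d - s) & MASK}
# Pruning: "op r,r" destroys information, so only dst != src is enumerated.
INSTRS = [(op, d, s) for op in OPS for d in "ab" for s in "ab" if d != s]
_rng = random.Random(0)                 # constructed quick-test inputs
QUICK = [(_rng.randrange(MASK + 1), _rng.randrange(MASK + 1)) for _ in range(4)]

def run(seq, a, b):
    """Execute a sequence of (op, dst, src) on registers a and b."""
    regs = {"a": a, "b": b}
    for op, d, s in seq:
        regs[d] = OPS[op](regs[d], regs[s])
    return regs["a"], regs["b"]

def equivalent(seq, ref):
    """Quick test on a few random inputs, then the slow exhaustive test."""
    if any(run(seq, a, b) != ref(a, b) for a, b in QUICK):
        return False                    # most candidates are rejected here
    # Slow test over all 2^(2W) inputs; a real tool would instead ask a SAT
    # solver whether F(x) != G(x) is satisfiable.
    return all(run(seq, a, b) == ref(a, b)
               for a in range(MASK + 1) for b in range(MASK + 1))

def diversify(ref, secret, length, count):
    """First `count` sequences equivalent to `ref`, in key-defined order."""
    order = sorted(INSTRS, key=lambda i: hmac.new(
        secret, repr(i).encode(), "sha256").digest())
    found = []
    for seq in itertools.product(order, repeat=length):
        if equivalent(seq, ref):
            found.append(seq)
            if len(found) == count:
                break
    return found

def swap(a, b):                         # input function: swap registers
    return b, a

if __name__ == "__main__":
    for secret in (b"key-1", b"key-2"):
        for seq in diversify(swap, secret, 5, 2):
            print(secret.decode(), "; ".join(f"{op} {d},{s}" for op, d, s in seq))
```

On this toy machine, length 3 yields exactly the two XOR swaps and even lengths yield none; length 5 gives a larger pool, and the key decides which members are found first.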