WO2016126206A1 - Method for obfuscating code using return-oriented programming - Google Patents

Method for obfuscating code using return-oriented programming

Info

Publication number
WO2016126206A1
Authority
WO
WIPO (PCT)
Prior art keywords
rop
code
payload
guest
gadgets
Application number
PCT/SG2016/050052
Other languages
English (en)
Inventor
Debin GAO
Original Assignee
Huawei International Pte. Ltd.
Singapore Management University
Application filed by Huawei International Pte. Ltd. and Singapore Management University
Priority to CN201680009011.3A (CN107209815B)
Publication of WO2016126206A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/12 Protecting executable software
    • G06F 21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs

Definitions

  • Embodiments of the invention relate to code protection and, more particularly, to applying Return Oriented Programming (ROP) to obfuscate code for a non-malicious purpose.
  • Obfuscation is an important technique for protecting algorithms and code from disclosure. Application developers often use it to protect critical algorithms in a program so that the program's source code and machine code are difficult to understand.
  • One existing obfuscation technique involves increasing the difficulty of disassembling program code, so that only a small portion of the program code can be disassembled.
  • Another existing obfuscation technique involves applying encryption to selected instructions such that the encrypted instructions can be disclosed only with a key.
  • In code obfuscation, code associated with a designated function of a sensitive nature may be hidden by creating ROP code that performs the designated function of the original (unobfuscated) code, and by constructing a ROP payload that can be loaded to execute the ROP code.
  • The original code may be replaced by spurious code unrelated to the designated function, and a control flow instruction is provided to load the ROP payload to execute the ROP code.
  • a method of executing obfuscated code comprises: in a mobile device having a ROP-embedded host program which includes a ROP code configured to perform a designated function associated with a guest code which is omitted from the ROP-embedded host program, in response to invoking the designated function, retrieving a ROP payload; and resetting a memory register of the mobile device with the ROP payload to execute the ROP code which performs the invoked function associated with the guest code.
  • retrieving a ROP payload includes sending a request from the mobile device to a remote server to obtain data associated with the invoked function, and receiving both the requested data and the ROP payload from the server.
  • retrieving a ROP payload includes retrieving the ROP payload from a memory device in the mobile device.
  • a code obfuscation method comprises: from a host program code having a guest code, identifying a plurality of gadgets related to the guest code and ascertaining a plurality of return addresses corresponding to the gadgets; creating a ROP code that connects the gadgets, by modifying the return addresses which are to be stored in a memory register, wherein the ROP code is to perform a designated function of the guest code; constructing a ROP payload which includes parameter data required by the guest code, the return addresses of the gadgets, and a data segment configured to reset the memory register to execute the ROP code; replacing the guest code in the host program code with a spurious code; providing a command code configured to reset the memory register with the ROP payload; and storing the ROP payload at a memory device, wherein the ROP payload is configured to be invoked at runtime to execute the ROP code to perform the designated function associated with the guest code.
  • the memory device is located at a server computer which is remote from a mobile device to be installed with a ROP-embedded host program which includes the ROP code.
  • the memory device is located at a mobile device to be installed with a ROP-embedded host program which includes the ROP code.
  • a mobile device comprises: a processor, and a memory device having a ROP-embedded host program which includes a ROP code configured to perform a designated function associated with a guest code which is omitted from the ROP-embedded host program, wherein the processor is configured to:
  • the processor is configured to retrieve the ROP payload by sending a request to a remote server to obtain data associated with the invoked function, and receiving both the requested data and the ROP payload from the server.
  • the processor is configured to retrieve the ROP payload by retrieving the ROP payload from the memory device in the mobile device.
  • the processor is configured to perform authorization for retrieval of the ROP payload by verifying an external input prior to retrieving the ROP payload.
  • Figure 1 A shows a host program (e.g. music player);
  • Figure 1 B shows guest code (e.g. licence verification code) to be obfuscated;
  • Figure 1 C shows the guest code of Figure 1 B after code obfuscation;
  • Figure 2 illustrates a code obfuscation method according to one embodiment of the invention.
  • Figure 3 illustrates a method for executing an obfuscated guest code according to one embodiment of the invention.
  • Embodiments of the invention disclose a new obfuscation technique using Return Oriented Programming (ROP).
  • ROP has become one of the most powerful runtime attack techniques recently.
  • An attacker using ROP typically, as a first step, identifies gadgets from valid code sequences. Gadgets may be referred to as small snippets of valid code sequences, and more particularly to instruction sequences starting potentially at the middle of an existing machine instruction and ending with a return instruction. The identified gadgets provide the basic units to form a ROP program.
  • The control flow of the program is changed to the address of the first gadget in the ROP program. Since every gadget ends with a return instruction, when the first gadget returns the program can "return" to the second gadget, provided that gadget's address has been carefully prepared in the register beforehand.
  • ROP essentially gathers snippets of valid code from existing instructions in a program to form another program that performs a specific function and changes control flow of the original program.
  • ROP is traditionally used for malicious attacks on vulnerable programs.
  • Embodiments of the invention employ ROP for a non-malicious purpose: to protect and hide program code, by embedding ROP during application development.
  • Figures 1 A to 1 C illustrate a non-limiting example for which the invention may be applied.
  • Figure 1 A shows a host program (e.g. music player) having guest code (e.g. licence verification code) as shown in Figure 1 B.
  • the licence verification code is to be obfuscated so that an adversary is unable to, for example, forge a new licence file by reverse engineering.
  • Figure 1 C shows the guest code of Figure 1 B after code obfuscation.
  • FIG. 2 illustrates a code obfuscation method 200.
  • the method 200 will be described with reference to the example in Figures 1 A to 1 C, where the host program is Android-based and written using native code (C/C++).
  • a guest code within a host program is identified for code obfuscation.
  • the guest code is unobfuscated and the host program is in non-ROP form.
  • the host program code and native libraries are analysed to identify useful gadgets (ROP gadgets) related to the guest code. Return addresses corresponding to the identified gadgets are also ascertained.
  • a semi-automated tool that supports both .so files and apk files on ARM architecture may be developed.
  • the tool is configured to analyze the host program (e.g. Android application), native libraries in the Android system, as well as the libraries in Android packages, and ascertain return addresses corresponding to the identified gadgets.
  • the identified gadgets are chained or connected together to create a ROP code. This is achieved by modifying the return addresses (as ascertained in block 204) that are to be stored in a memory register.
  • the ROP code upon execution in due course, is to perform a designated function associated with the guest code.
  • a ROP payload is constructed which is configured to change control flow of the host program and thereby execute the obfuscated guest code (ROP code).
  • the setjmp() and longjmp() subroutines, as defined in the C standard library to provide non-local jumps, may be used.
  • setjmp() saves the calling environment, i.e. the contents of the memory registers as defined by jmp_buf, so that longjmp() can restore them. In this way, longjmp() "returns" to the state of the program at the time setjmp() was called. Accordingly, jmp_buf holds the information required to restore a calling environment.
  • the ROP payload should contain (i) parameter data required by the guest code, (ii) return addresses of the identified gadgets (as ascertained earlier in block 204) and (iii) a data segment configured to reset the memory register to execute the ROP code.
  • the guest code is removed from the host program code.
  • a spurious code is provided or embedded to replace the guest code.
  • a command code configured to reset the memory register with the ROP payload is provided.
  • a longjmp() subroutine is provided to reset the calling environment and to provide a mechanism to change the return address of the host program.
  • the APK file containing the host program code including the spurious code and ROP code is repackaged and signed.
  • the APK file is accordingly distributed and installed as ROP-embedded host program in various mobile devices.
  • Such mobile devices are known in the art, and at least comprise a processor, and a memory device for containing instructions executable by the processor to result in the mobile device performing various operations.
  • the ROP payload is stored in a memory device to be invoked at runtime to execute the ROP code which would perform the designated function associated with the guest code.
  • the ROP payload is stored in a memory device at a remote server computer.
  • the ROP payload is stored in a memory device of the mobile device.
  • a mobile device installed with a ROP-embedded host program is provided.
  • pre-selected guest code has been obfuscated in the form of ROP code.
  • a designated function (e.g. the licence verification function as in Figure 1A) is invoked.
  • the mobile device in response, sends a request to a remote server computer for data associated with the invoked function.
  • the mobile device also executes the spurious code which is generally unrelated to the invoked function.
  • the remote server responds with data normally associated with the invoked function.
  • the ROP payload is also retrieved from either the remote server or the mobile device installed with the ROP-embedded host program.
  • the remote server additionally responds with the ROP payload which was pre-stored in the remote server.
  • the ROP payload pre-stored in the mobile device is retrieved upon invoking the function.
  • invoking the obfuscated guest code may be either automatic (unconditional) or with an external input preconfigured to trigger execution of the obfuscated guest code (conditional).
  • authorization of ROP payload retrieval is performed by verifying an external input which may be received from a user of the mobile device.
  • the retrieved ROP payload is applied to reset the memory register of the mobile device. Accordingly, the original calling environment is restored and control flow returns to the host program to execute the ROP code to perform the designated function associated with the obfuscated guest code.
  • embodiments of the invention overcome the limitations of existing obfuscation techniques, and provide several advantages and distinctions, including but not limited to the following:
  • the code to be obfuscated is in ROP form when embedded in the host program.
  • the ROP-embedded host program can be fully and successfully disassembled, and therefore no suspicion of code obfuscation will be raised.
  • a remote server is used to control behaviour after a pre-selected program function is invoked. In particular, the server sends ROP payloads that contain the return addresses of the ROP gadgets to the mobile device.
  • the payload is not accessible using static analysis of the host program.
  • the ROP payload controls the invoking of the obfuscated guest code at runtime.
  • ROP is now applied to a non-malicious purpose and in fact is to improve security.
  • the program is under full control of the developer who is also the ROP constructor. Therefore, the developer can modify any aspect of the program to make ROP embedding possible.
  • existing ROP techniques are applied to malicious attacks where the ROP constructor cannot change instructions in the program.
  • a semi-automated tool for analysing gadgets in Android applications may be provided that supports apk files and the libraries used by the applications, including native libraries in the Android system and in the apk files.
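The following Python model is an added illustration of both the construction steps (gadget identification, chaining, payload with parameters, return addresses and a register-reset segment) and the runtime flow (spurious code runs, payload is loaded, registers are reset, the chain executes) described above; it is not code from the patent or its inventors. Gadgets are plain Python functions rather than machine code, every address and licence constant is made up, and the reset segment stands in for the jmp_buf that longjmp() restores.

```python
# Constructed toy model of the ROP-based obfuscation flow described above. Gadgets are
# plain Python functions on a simulated register file and stack; every address and
# constant here is made up, and nothing is real machine code.
from dataclasses import dataclass, field

HOST_RET = 0xFFFF  # constructed sentinel: "return address" back into the host program

@dataclass
class Machine:
    regs: dict = field(default_factory=dict)   # simulated registers r0, r1
    stack: list = field(default_factory=list)  # simulated stack of words
    sp: int = 0                                # index of the next word to pop
    trace: list = field(default_factory=list)  # gadget addresses executed, in order

# Each gadget models an instruction sequence ending in a return: it does its work
# and leaves its successor's address as the next word on the stack.
def g_pop_r0(m):  # pop {r0}; ret  -> consumes one word of parameter data
    m.regs["r0"] = m.stack[m.sp]; m.sp += 1

def g_pop_r1(m):  # pop {r1}; ret
    m.regs["r1"] = m.stack[m.sp]; m.sp += 1

def g_xor(m):     # r0 = r0 ^ r1; ret
    m.regs["r0"] ^= m.regs["r1"]

def g_cmp(m):     # r0 = (r0 == r1); ret
    m.regs["r0"] = int(m.regs["r0"] == m.regs["r1"])

# Return addresses of gadgets found in the host program (constructed values).
GADGETS = {0x1000: g_pop_r0, 0x1010: g_pop_r1, 0x1020: g_xor, 0x1030: g_cmp}
SECRET, EXPECTED = 0x5A5A, 0x1234  # constructed licence-check constants

def guest_verify_licence(key):
    """Original (unobfuscated) guest code: the function to be hidden."""
    return int((key ^ SECRET) == EXPECTED)

def spurious_code(key):
    """Stand-in left in the host program; unrelated to licence checking."""
    return key % 7

def build_rop_payload(key):
    """(i) parameter data, (ii) gadget return addresses, (iii) register-reset data."""
    chain = [0x1000, key,       # r0 = key
             0x1010, SECRET,    # r1 = secret
             0x1020,            # r0 ^= r1
             0x1010, EXPECTED,  # r1 = expected
             0x1030,            # r0 = (r0 == r1)
             HOST_RET]          # final ret goes back into the host program
    # The reset segment plays the role of jmp_buf: the state that longjmp restores.
    return {"stack": chain, "reset": {"sp": 0, "regs": {"r0": 0, "r1": 0}}}

def run_rop(m, payload):
    """longjmp-like register reset, then execution of the gadget chain."""
    m.regs = dict(payload["reset"]["regs"])
    m.stack = list(payload["stack"])
    m.sp = payload["reset"]["sp"]
    pc = m.stack[m.sp]; m.sp += 1        # the first "ret" pops gadget 1
    while pc != HOST_RET:
        m.trace.append(pc)
        GADGETS[pc](m)                   # gadget body
        pc = m.stack[m.sp]; m.sp += 1    # the gadget's trailing "ret"
    return m.regs["r0"]

def verify_licence_obfuscated(key):
    """What the ROP-embedded host program does when the function is invoked."""
    spurious_code(key)                   # executes, but has no bearing on the result
    payload = build_rop_payload(key)     # in deployment, fetched at runtime (server or device)
    return run_rop(Machine(), payload)
```

Note that the host program itself holds only the gadgets and spurious_code; the verification logic exists only in the payload, and at runtime it appears as a sequence of short gadget executions recorded in Machine.trace, which is exactly the pattern that ROP detectors (such as the cited US8839429B2) look for.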


Abstract

Embodiments of the invention relate to the use of return-oriented programming (ROP) for a non-malicious purpose, namely code obfuscation to improve security. Program code that is associated with a designated function of a sensitive nature can be hidden by creating ROP code that performs the designated function of the original (unobfuscated) code and by constructing a ROP payload that can be loaded to execute the ROP code. The original code can be replaced by spurious code unrelated to the designated function, and a control flow instruction is provided to load the ROP payload to execute the ROP code.
PCT/SG2016/050052 2015-02-06 2016-02-02 Method for obfuscating code using return-oriented programming WO2016126206A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201680009011.3A CN107209815B (zh) 2015-02-06 2016-02-02 Method for code obfuscation using return-oriented programming

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10201500921Q 2015-02-06
SG10201500921QA SG10201500921QA (en) 2015-02-06 2015-02-06 Method for obfuscation of code using return oriented programming

Publications (1)

Publication Number Publication Date
WO2016126206A1 true WO2016126206A1 (fr) 2016-08-11

Family

ID=55411723

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2016/050052 WO2016126206A1 (fr) 2015-02-06 2016-02-02 Method for obfuscating code using return-oriented programming

Country Status (3)

Country Link
CN (1) CN107209815B (fr)
SG (1) SG10201500921QA (fr)
WO (1) WO2016126206A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110321727A (zh) * 2018-03-29 2019-10-11 Alibaba Group Holding Ltd. Method and apparatus for storing and processing application program information
CN109829313B (zh) * 2019-02-28 2020-11-24 PLA Strategic Support Force Information Engineering University Method and apparatus for defending against SGX side-channel attacks based on code-reuse programming

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070039048A1 (en) * 2005-08-12 2007-02-15 Microsoft Corporation Obfuscating computer code to prevent an attack
US20120030758A1 (en) * 2010-01-27 2012-02-02 Telcordia Technologies, Inc. Automated Diversity Using Return Oriented Programming
EP2942727A1 (fr) * 2014-05-06 2015-11-11 Nxp B.V. Return-oriented programming as an obfuscation technique

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8839429B2 (en) * 2011-11-07 2014-09-16 Qualcomm Incorporated Methods, devices, and systems for detecting return-oriented programming exploits
CN103440457B (zh) * 2013-08-20 2015-12-09 Shanghai Jiao Tong University Binary program analysis system based on process simulation

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3522006A1 (fr) * 2018-02-01 2019-08-07 Gemalto Sa Method for protecting an executable code
WO2019149630A1 (fr) * 2018-02-01 2019-08-08 Gemalto Sa Method for protecting an executable code

Also Published As

Publication number Publication date
SG10201500921QA (en) 2016-09-29
CN107209815B (zh) 2020-08-14
CN107209815A (zh) 2017-09-26


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16706268

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 30/11/2017)

122 Ep: pct application non-entry in european phase

Ref document number: 16706268

Country of ref document: EP

Kind code of ref document: A1