An overview of

control flow graph flattening

Jan Cappaert, Bart Preneel

K.U.Leuven / ESAT / SCD-COSIC

Jan Cappaert - An overview of CFG flattening 3/23RE-TRUST workshop

Overview

• Introduction and related research

• CFG flattening

• Experiments and ideas

• Conclusions and future work

Jan Cappaert - An overview of CFG flattening 4/23RE-TRUST workshop

Introduction

• Software protection against

– Analysis

– Tampering

– Plagiarism

• In a “white-box attack context”

– Attacker has full privileges to the system

– System behaves as a white box (vs. black box)

Jan Cappaert - An overview of CFG flattening 5/23RE-TRUST workshop

Introduction

• Software analysis

– Static

• No code execution

• E.g.: disassembling, decompiling, …

– Dynamic

• Code executed

• E.g.: debugging, tracing, emulation, …

Jan Cappaert - An overview of CFG flattening 6/23RE-TRUST workshop

against tamperingagainst analysis

Introduction

confidentiality data authenticity

|

secrecy

|

integrity

software

guards

code encryptioncode signing

static

�

dynamicobfuscation

obfuscation

crypto

guards

CFG flattening

Jan Cappaert - An overview of CFG flattening 7/23RE-TRUST workshop

Introduction

• Control flow graph (CFG)

– Nodes: basic blocks

– Edges: control transfers

• Basic blocks

– Group of statements always executed sequentially

• Control transfers

– Transfer control from one block to another

Jan Cappaert - An overview of CFG flattening 8/23RE-TRUST workshop

Introduction

Jan Cappaert - An overview of CFG flattening 9/23RE-TRUST workshop

Introduction

• Why performing CFG analysis?

– Data usage depending on control flow

– Static analysis:

• Flow-insensitive: incomplete, on 1 basic block

• Flow-sensitive: more complete, over CFG

Jan Cappaert - An overview of CFG flattening 10/23RE-TRUST workshop

Related research

• Intra-procedural

– CFG flattening

• Inter-procedural

– Function pointers

– Branch functions

[Linn and Debray, 2003]

main

func1 func2

call/return

Jan Cappaert - An overview of CFG flattening 11/23RE-TRUST workshop

CFG transformations

• CFG flattening [Wang, 2000]

– “degeneration of static program control flow”

• Control flow transformations [Collberg et

al., 1997]

– Opaque predicates

– Loop/branch transformations

Jan Cappaert - An overview of CFG flattening 12/23RE-TRUST workshop

A control flow graph

Jan Cappaert - An overview of CFG flattening 13/23RE-TRUST workshop

A control flow graph - flattened

Jan Cappaert - An overview of CFG flattening 14/23RE-TRUST workshop

CFG flattening - steps

[Wang, 2001]

1. High-level constructs →if-then-goto

2. goto targets → dynamically determined

� common flattened form

3. Further hindrance of data flow analysis

• Index computation (hard)

• Aliasing (NP-complete …)

Jan Cappaert - An overview of CFG flattening 15/23RE-TRUST workshop

Experiments and ideas

for (i = 0; i < 9; i ++) {

for (j = 0; j < 9 - i; j ++) {

if (a [j] > a [j + 1]) {

t = a [j];

a [j] = a [j + 1];

a [j + 1] = t;

}

}

}

Jan Cappaert - An overview of CFG flattening 16/23RE-TRUST workshop

Experiments and ideas

int swVar = 1;

case 1 :

i = 0;

swVar = 2;

break;

case 2 :

if (i < 9) swVar = 3;

else swVar = 4;

break;

case 9 :

j ++;

swVar = 5;

break;

while (swVar) switch (swVar)

…case 8 :

t = a [j];

a [j] = a [j + 1];

a [j + 1] = t;

swVar = 9;

break;

Jan Cappaert - An overview of CFG flattening 17/23RE-TRUST workshop

A flattened CFG - attacks

• Use-def analysis: 1↔2↔[3,4]↔…

• Forward? Backward? What if

swVar = swVar + constant;

swVar = swVar + condition * constant

• Constant propagation: 1→2→[3,4]→…

• Backward?

Jan Cappaert - An overview of CFG flattening 18/23RE-TRUST workshop

A flattened CFG - attacks

• Solution: one-way function

e.g.: x → gx mod pswitch(ow(swVar)) or

swVar = ow(swVar) …

• What if g changes at

runtime? …

case 1 :

i = 0;

swVar = swVar + 1;

break;

switch (swVar)

swVar ==1

swVar ==2

Jan Cappaert - An overview of CFG flattening 19/23RE-TRUST workshop

Additional ideas

• Relative updates of swVar

– Conditions versus opaque predicates

• One-way functions, lookup tables, hash chains, …

• Aliasing + pointer permutation blocks

• Equivalent / almost equivalent blocks

– Random / targeted conditions

• Block refactoring (splitting, merging, …)

Jan Cappaert - An overview of CFG flattening 20/23RE-TRUST workshop

Additional ideas

• Almost equivalent

block

– Under certain

conditionscase 9 :

j = j + 1;

swVar = 5;

break;

case 10 :

j = j ^ 1;

swVar = 5;

break;

j odd j even

Jan Cappaert - An overview of CFG flattening 21/23RE-TRUST workshop

Additional ideas

• Block

refactoring

– Swap pointers

– Swap data

case 7 :

i ++;

swVar = …

break;

case 9 :

j ++;

swVar = …

break;

case 7 :

i ^= j;

j ^= i;

i ^= j;

swVar = …

break;

case 9 :

j ++;

swVar = …

break;

…

…

Jan Cappaert - An overview of CFG flattening 22/23RE-TRUST workshop

Conclusions

• Static CFG flattening

– Common form; no explicit control flow

– Control flow analysis requires data flow

analysis

– Data flow analysis can be hard (NP-complete)

under certain conditions (e.g. general pointers)

Jan Cappaert - An overview of CFG flattening 23/23RE-TRUST workshop

Further work

• Formalization of ideas

– One way function versus backward analysis

– Hash chains and related

– Basic block refactoring

• Implementation and performance overhead

• Interested?

talk to me

jan.cappaert@esat.kuleuven.be