Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
C+ +11 
METAPROGRAMMING 
A P P L IED 
TO 
SOF TWARE 
OBFUSCAT ION 
SEBAST IEN 
ANDRIVET 
Application Security Forum - 2014...
About me 
Senior Security Engineer 
a t SCRT (Swiss) 
Deve l o p e r 
a t ADVTOOLS (Swiss) 
Sebastien ANDRIVET 
Cyberfemin...
PROBLEM 
3
Reverse engineering 
• Reverse engineering of an application if often like 
following the “white rabbit” 
• i.e. following...
A SOLUTION 
OBFUSCATION 
5
What is Obfuscation? 
6
Obfuscator O 
O( ) = 
7
YES! It is also Katy Perry! 
• (almost) same 
semantics 
• obfuscated 
8
“Deliberate act of creating source or machine 
code difficult for humans to understand” 
–WIKIPEDIA, APRIL 2014 
Obfuscati...
C++ templates 
• Example: Stack of objects 
OBJECT2 
OBJECT1 
• Push 
• Pop 
10
Without templates 
c l a s s Stack 
{ 
v o i d p u s h (void* o b j e c t ) ; 
void* p o p ( ) ; 
} ; 
Stack singers; 
sin...
With C++ templates 
Stack<Singer> singers; 
singers.push(britney); 
Stack<Apple> apples; 
apples.push(macintosh); 
templat...
With C++ templates 
Stack<Singer> singers; 
singers.push(britney); 
Stack<Apple> apples; 
apples.push(macintosh); 
Stack<S...
C++ templates 
• Two instances of Stack class 
• One per type 
• Does not reuse code 
• By default 
• Permit optimisations...
Type safety 
• singers.push(apple); // compilation error 
• apples.push(U2); 
• may or may not work… 
15
Optimisation based on types 
• Generate different code based on types (template 
parameters) 
• Example: enable_if 
templa...
C++ metaprogramming 
• Programs that manipulate or produce programs 
• Subset of C++ 
• Turing-complete (~ full programmin...
Application 1 - Strings literals obfuscation 
• original string is source code 
• original string in DEBUG builds 
• devel...
1st implementation 
template<int... Indexes> 
struct MetaString1 { 
constexpr MetaString1(const char* str) 
: buffer_ {enc...
1st implementation - Usage 
#define OBFUSCATED1(str) (MetaString1<0, 1, 2, 3, 4, 5>(str).decrypt()) 
cout << OBFUSCATED1(“...
1st implementation - Problem 
• List of indexes is hard-coded 
• 0, 1, 2, 3, 4, 5 
• As a consequence, strings are truncat...
2nd implementation 
• Generate a list of indexes with metaprogramming 
• C++14 introduces std:index_sequence 
• With C++11...
2nd implementation 
• Instead of: 
MetaString1<0, 1, 2, 3, 4, 5>(str) 
• we have: 
MetaString2<Make_Indexes<sizeof(str)-1>...
2nd implementation - Usage 
cout << OBFUSCATED2(“Katy Perry”) << endl; 
• No more truncation 
24
3rd implementation 
• In previous implementations, key is hard-coded 
constexpr char encrypt(char c) const { return c ^ 0x...
Generating (pseudo-) random numbers 
• C++11 includes <random>, but for runtime, not compile time 
• MetaRandom<N, M> 
N: ...
Seed 
• template<> 
struct MetaRandomGenerator<0> { 
static const int value = seed; 
}; 
• How to choose an acceptable com...
3rd implementation 
• Different key for each string 
• thanks to __COUNTER__ 
• Different keys for each compilation 
• tha...
4th implementation 
• Different and random keys, great! 
• Why not go even further? 
• Choose a different encryption algor...
4th implementation 
• Template partial specialization 
• template<int A, int K, typename Indexes> 
struct MetaString4; 
• ...
Result 
• Without obfuscation 
cout << "Britney Spears” << endl; 
• With obfuscation 
cout << OBFUSCATED4("Britney Spears"...
Without obfuscation 
32
With obfuscation 
Encrypted 
characters 
(mixed with MOV) 
Decryption 
33
Application 2 - Obfuscate calls 
• How to obfuscate call such as: 
• function_to_protect(); 
• against static analysis (or...
Finite State Machine (simple example) 
35
Boost Meta State Machine (MSM) library 
types 
template parameter 
Compile time entity 
Generates code (FSM) at compile-ti...
Result 
• Without obfuscation 
function_to_protect(“did”, “again”); 
• With obfuscation 
OBFUSCATED_CALL(function_to_prote...
Without obfuscation 
38
With obfuscation 
39
Application 3: FSM + Debugger Detection 
• FSM 
• To fight against static analysis 
• Debugger detection 
• To fight again...
Finite State Machine 
• Follows a different path depending of a predicate 
(Debugged or not Debugged, that is the question...
More obfuscation 
• Obfuscate predicate result 
• Avoid simple “if”, too simple for reverse engineers 
• Make computation ...
More obfuscation 
• Obfuscate function address 
• Otherwise, IDA is smart enough to get it 
• Simply make some computation...
Predicate 
• Debugger detection is only an example 
• In the example, implemented only for Mac OS X / 
iOS 
• Virtual envi...
Compilers support 
Compiler Compatible Remark 
Apple LLVM 5.1 Yes Previous versions not tested 
Apple LLVM 6.0 Yes Xcode 6...
White paper 
46
Credits 
47 
• I take inspiration from 
many sources 
• In particular: 
• Samuel Neves & Filipe 
Araujo 
• LeFF (virus mak...
Infos 
• @AndrivetSeb sebastien@andrivet.com 
• All code presented here is available on GitHub 
• https://github.com/andri...
Thank you 
Questions? 
49
Prochain SlideShare
Chargement dans…5
×

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obfuscation

954 vues

Publié le

C+ +11
METAPROGRAMMING APPLIED TO SOFTWARE OBFUSCATION

Publié dans : Technologie
  • Identifiez-vous pour voir les commentaires

  • Soyez le premier à aimer ceci

App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obfuscation

  1. 1. C+ +11 METAPROGRAMMING A P P L IED TO SOF TWARE OBFUSCAT ION SEBAST IEN ANDRIVET Application Security Forum - 2014 Western Switzerland 05-06 November 2014 Y-Parc / Yverdon-les-Bains http://www.appsec-forum.ch 1
  2. 2. About me Senior Security Engineer a t SCRT (Swiss) Deve l o p e r a t ADVTOOLS (Swiss) Sebastien ANDRIVET Cyberfeminist & hack t i v i s t Reverse engineer Intel & ARM C + + , C , O b j - C , C # d e ve l o p e r Trainer ( iOS & Android appsec) 2
  3. 3. PROBLEM 3
  4. 4. Reverse engineering • Reverse engineering of an application if often like following the “white rabbit” • i.e. following string literals • Live demo • Reverse engineering of an application using IDA • Well-known MDM (Mobile Device Management) for iOS 4
  5. 5. A SOLUTION OBFUSCATION 5
  6. 6. What is Obfuscation? 6
  7. 7. Obfuscator O O( ) = 7
  8. 8. YES! It is also Katy Perry! • (almost) same semantics • obfuscated 8
  9. 9. “Deliberate act of creating source or machine code difficult for humans to understand” –WIKIPEDIA, APRIL 2014 Obfuscation 9
  10. 10. C++ templates • Example: Stack of objects OBJECT2 OBJECT1 • Push • Pop 10
  11. 11. Without templates c l a s s Stack { v o i d p u s h (void* o b j e c t ) ; void* p o p ( ) ; } ; Stack singers; singers.push(britney); Stack apples; apples.push(macintosh); s i n g e r s apples • Reuse the same code (binary) • Only 1 instance of Stack class 11
  12. 12. With C++ templates Stack<Singer> singers; singers.push(britney); Stack<Apple> apples; apples.push(macintosh); template<typename T> c l a s s Stack { Stack<Singers> Stack<Apples*> v o i d p u s h ( T o b j e c t ) ; T p o p ( ) ; s i n g e r s apples } ; 12
  13. 13. With C++ templates Stack<Singer> singers; singers.push(britney); Stack<Apple> apples; apples.push(macintosh); Stack<Singers> Stack<Apples*> s i n g e r s apples 13
  14. 14. C++ templates • Two instances of Stack class • One per type • Does not reuse code • By default • Permit optimisations based on types • For ex. reuse code for all pointers to objects • Type safety, verified at compile time 14
  15. 15. Type safety • singers.push(apple); // compilation error • apples.push(U2); • may or may not work… 15
  16. 16. Optimisation based on types • Generate different code based on types (template parameters) • Example: enable_if template<typename T> class MyClass { ... enable_if_t<is_pointer<T>::value, T> member_function(T t) { ... }; ... }; • member_function is only defined if T is a pointer type • (warning: C++14 code, not C++11) 16
  17. 17. C++ metaprogramming • Programs that manipulate or produce programs • Subset of C++ • Turing-complete (~ full programming language) • Close to Functional programming • Part of C++ standards • Major enhancements in C++11 et C++14 17
  18. 18. Application 1 - Strings literals obfuscation • original string is source code • original string in DEBUG builds • developer-friendly syntax • no trace of original string in compiled code in RELEASE builds 18
  19. 19. 1st implementation template<int... Indexes> struct MetaString1 { constexpr MetaString1(const char* str) : buffer_ {encrypt(str[Indexes])...} { } const char* decrypt(); RUNTIME private: constexpr char encrypt(char c) const { return c ^ 0x55; } constexpr char decrypt(char c) const { return encrypt(c); } private: char buffer_[sizeof...(Indexes) + 1]; }; 19
  20. 20. 1st implementation - Usage #define OBFUSCATED1(str) (MetaString1<0, 1, 2, 3, 4, 5>(str).decrypt()) cout << OBFUSCATED1(“Britney Spears”) << endl; 20
  21. 21. 1st implementation - Problem • List of indexes is hard-coded • 0, 1, 2, 3, 4, 5 • As a consequence, strings are truncated! 21
  22. 22. 2nd implementation • Generate a list of indexes with metaprogramming • C++14 introduces std:index_sequence • With C++11, we have to implement our own version • Very simplified • MakeIndex<N>::type generates: • Indexes<0, 1, 2, 3, …, N> 22
  23. 23. 2nd implementation • Instead of: MetaString1<0, 1, 2, 3, 4, 5>(str) • we have: MetaString2<Make_Indexes<sizeof(str)-1>::type>(str) 23
  24. 24. 2nd implementation - Usage cout << OBFUSCATED2(“Katy Perry”) << endl; • No more truncation 24
  25. 25. 3rd implementation • In previous implementations, key is hard-coded constexpr char encrypt(char c) const { return c ^ 0x55; } • New template parameter for Key template<int... I, int K> struct MetaString3<Indexes<I...>, K> 25
  26. 26. Generating (pseudo-) random numbers • C++11 includes <random>, but for runtime, not compile time • MetaRandom<N, M> N: Nth generated number M: Maximum value (excluded) • Linear congruential engine • Park-Miller (1988), “minimal standard” • Not exactly a uniform distribution (modulo operation) • Recursive 26
  27. 27. Seed • template<> struct MetaRandomGenerator<0> { static const int value = seed; }; • How to choose an acceptable compile-time seed? • Macros (C & C++): • __TIME__: compilation time (standard) • __COUNTER__: incremented each time it is used (non-standard but well supported by compilers) 27
  28. 28. 3rd implementation • Different key for each string • thanks to __COUNTER__ • Different keys for each compilation • thanks to __TIME__ • Sometimes not desirable: can give hints to attackers (differences between versions) 28
  29. 29. 4th implementation • Different and random keys, great! • Why not go even further? • Choose a different encryption algorithm, randomly! 29
  30. 30. 4th implementation • Template partial specialization • template<int A, int K, typename Indexes> struct MetaString4; • template<int K, int... I> struct MetaString4<0, K, Indexes<I...>> { … c ^ K … }; • template<int K, int... I> struct MetaString4<1, K, Indexes<I...>> { … c + K … }; • #define DEF_OBFUSCATED4(str) MetaString4<MetaRandom<__COUNTER__, 2>::value, … 30
  31. 31. Result • Without obfuscation cout << "Britney Spears” << endl; • With obfuscation cout << OBFUSCATED4("Britney Spears") << endl; 31
  32. 32. Without obfuscation 32
  33. 33. With obfuscation Encrypted characters (mixed with MOV) Decryption 33
  34. 34. Application 2 - Obfuscate calls • How to obfuscate call such as: • function_to_protect(); • against static analysis (or even dynamic analysis)? 34
  35. 35. Finite State Machine (simple example) 35
  36. 36. Boost Meta State Machine (MSM) library types template parameter Compile time entity Generates code (FSM) at compile-time 36
  37. 37. Result • Without obfuscation function_to_protect(“did”, “again”); • With obfuscation OBFUSCATED_CALL(function_to_protect, “did”, “again”); • Even better OBFUSCATED_CALL(function_to_protect, OBFUSCATED(“did”), OBFUSCATED(“again”)); 37
  38. 38. Without obfuscation 38
  39. 39. With obfuscation 39
  40. 40. Application 3: FSM + Debugger Detection • FSM • To fight against static analysis • Debugger detection • To fight against dynamic analysis 40
  41. 41. Finite State Machine • Follows a different path depending of a predicate (Debugged or not Debugged, that is the question) 41
  42. 42. More obfuscation • Obfuscate predicate result • Avoid simple “if”, too simple for reverse engineers • Make computation instead • If the example, counter is odd if predicate is false 42
  43. 43. More obfuscation • Obfuscate function address • Otherwise, IDA is smart enough to get it • Simply make some computation on address • Using MetaRandom (like for strings obfuscation) 43
  44. 44. Predicate • Debugger detection is only an example • In the example, implemented only for Mac OS X / iOS • Virtual environment detection • Jailbreak detection • Etc 44
  45. 45. Compilers support Compiler Compatible Remark Apple LLVM 5.1 Yes Previous versions not tested Apple LLVM 6.0 Yes Xcode 6, 6.1 beta LLVM 3.4, 3.5 Yes Previous versions not tested GCC 4.8.2 or higher Yes Previous versions not tested Compile with -std=c++11 Intel C++ 2013 Yes Version 14.0.3 (2013 SP1 Update 3) Visual Studio 2013 No Lack of constexpr support Visual Studio 14 Almost Not far, lack init of arrays CTP3 tested 45
  46. 46. White paper 46
  47. 47. Credits 47 • I take inspiration from many sources • In particular: • Samuel Neves & Filipe Araujo • LeFF (virus maker)
  48. 48. Infos • @AndrivetSeb sebastien@andrivet.com • All code presented here is available on GitHub • https://github.com/andrivet/ADVobfuscator • Contains • obfuscator (in source) • examples • Whitepaper • BSD 3-clauses license 48
  49. 49. Thank you Questions? 49

×