Recon22 Next Gen LyqHkvB

emproof
Safeguard what counts
The Next Generation of Virtualization-based Obfuscators
Tim Blazytko Moritz Schloegel
Twitter @mr_phrazer Twitter @m_u00d8

HOME https://synthesis.to LINKEDIN moritz-schloegel
About Us
• Tim Blazytko
• co-founder of emproof
• designs software protections for embedded devices
• trainer
• Moritz Schloegel
• final-year PhD student at Ruhr-Universität Bochum
• working with bugs by day (mostly fuzzing)
• code deobfuscation by night
1
Setting the Scene
Question-Circle VM-based obfuscation
Paw Attacks on VMs
ARROW-RIGHT Next-Gen
2
Motivation
Prevent Complicate reverse engineering attempts.
• intellectual property
• malicious payloads
• Digital Rights Management
3
Virtualization-based Obfuscation
Virtual Machines
mov ecx, [esp+4]

xor eax, eax
mov ebx, 1
__secret_ip:
mov edx, eax
add edx, ebx
mov eax, ebx
mov ebx, edx
loop __secret_ip
mov eax, ebx

ret
4
Virtual Machines
mov ecx, [esp+4]

xor eax, eax
mov ebx, 1
__secret_ip:
mov edx, eax
add edx, ebx
mov eax, ebx
mov ebx, edx
loop __secret_ip
mov eax, ebx

ret
4
Virtual Machines
mov ecx, [esp+4]

xor eax, eax
mov ebx, 1
__secret_ip:
mov edx, eax
add edx, ebx
mov eax, ebx
mov ebx, edx
loop __secret_ip
mov eax, ebx

ret
4
Virtual Machines
mov ecx, [esp+4]

xor eax, eax made-up instruction set
mov ebx, 1
__bytecode: vld r1
__secret_ip: vld r0 vpop r2
mov edx, eax
➟
vpop r1 vldi #1
add edx, ebx vld r2 vld r3
mov eax, ebx vld r1 vsub r3
vadd r1 vld #0
mov ebx, edx vld r2 veq r3
loop __secret_ip vpop r0 vbr0 #-0E
mov eax, ebx

ret
4
Virtual Machines
mov ecx, [esp+4]

mov ebx, 1
__secret_ip: __bytecode:
push __bytecode db 54 68 69 73 20 64 6f
➟
db 65 73 6e 27 74 20 6c
call vm_entry db 6f 6f 6b 20 6c 69 6b
db 65 20 61 6e 79 74 68
db 69 6e 67 20 74 6f 20
db 6d 65 2e de ad be ef
mov eax, ebx

ret
4
Virtual Machines
mov ecx, [esp+4]

mov ebx, 1
__secret_ip: __bytecode:
push __bytecode db 54 68 69 73 20 64 6f
➟
db 65 73 6e 27 74 20 6c
call vm_entry db 6f 6f 6b 20 6c 69 6b
db 65 20 61 6e 79 74 68
db 69 6e 67 20 74 6f 20
mov eax, ebx

?db 6d 65 2e de ad be ef
ret
4
Virtual Machines
Core Components
VM Entry/Exit Context Switch: native context ⇔ virtual context
VM Dispatcher Fetch–Decode–Execute loop
Handler Table Individual VM ISA instruction semantics
• Entry Copy native context (registers, flags) to VM context.

• Exit Copy VM context back to native context.
• Mapping from native to virtual registers is often 1:1.
5
Virtual Machines
Core Components
1. Fetch and decode instruction handle_vpush

handle_vpush
handle_vadd
handle_vadd
look up
2. Forward virtual instruction pointer handle_vxor
FDE
handle_vxor
handle_vexit
handle_vexit
3. Look up handler for opcode in handler table handle_vpop
handle_vpop
…
4. Invoke handler
5
Virtual Machines
Core Components
• Table of function pointers indexed by opcode handle_vpush

handle_vpush
handle_vadd
handle_vadd
look up
• One handler per virtual instruction handle_vxor
FDE
handle_vxor
handle_vexit
handle_vexit
• Each handler decodes operands and handle_vpop
handle_vpop
…
updates VM context
5
Virtual Machines
6
Virtual Machines
handle_vpush
handle_vpush
}
handle_vadd
handle_vadd
handle_vxor
handle_vxor
handle_vexit
handle_vexit
handle_vpop
handle_vpop
…
VM Entry
}
look up
FDE VM Dispatcher (FDE)
Individual Handlers VM Exit

(as handler)
6
Virtual Machines
__vm_dispatcher:
mov bl, [rsi]
inc rsi
movzx rax, bl
jmp __handler_table[rax * 8]
VM Dispatcher
rsi – virtual instruction pointer

rbp – VM context
7
Virtual Machines
__handle_vnor:
__vm_dispatcher: mov rcx, [rbp]
mov bl, [rsi] mov rbx, [rbp + 4]
inc rsi not rcx
movzx rax, bl not rbx
jmp __handler_table[rax * 8] and rcx, rbx
mov [rbp + 4], rcx
pushf
VM Dispatcher pop [rbp]
jmp __vm_dispatcher
rsi – virtual instruction pointer

rbp – VM context Handler performing nor
(with flag side-effects)
7
Breaking Virtual Machine Obfuscation I
How to reconstruct the original code?
8
Breaking Virtual Machine Obfuscation I
How to reconstruct the original code?
1. understand VM architecture/context
2. reverse engineer handler semantics
3. write a disassembler for the bytecode
4. reconstruct VM control flow
5. reconstruct high-level code
8
Writing a VM Disassembler
opcode register register
9
0a 01 02 0b 01 05
9
0a 01 02 0b 01 05
add
9
0a 01 02 0b 01 05
add r1
9
0a 01 02 0b 01 05
add r1, r2
9
0a 01 02 0b 01 05
add r1, r2
mul
9
0a 01 02 0b 01 05
add r1, r2
mul r1
9
0a 01 02 0b 01 05
add r1, r2
mul r1, r5
9
0a 01 02 0b 01 05
add r1, r2
mul r1, r5
9
0a 01 02 0b 01 05
add r1, r2
mul r1, r5
VM computes (r1 + r2) * r5.
9
Virtual Machine Hardening
Virtual Machines
Hardening Technique #1 – Obfuscating individual VM components.
• Handlers are conceptually simple.
11
Virtual Machines
Hardening Technique #1 – Obfuscating individual VM components.
mov eax, dword [rbp]

• Handlers are conceptually simple. mov ecx, dword [rbp+4]
cmp r11w, r13w
• Apply traditional code obfuscation transformations:
sub rbp, 4
• Substitution (mov rax, rbx ß push rbx; pop rax) not eax
clc
• Opaque Predicates
cmc
• Junk Code cmp rdx, 0x28b105fa
• … not ecx
cmp r12b, r9b
11
Virtual Machines
Hardening Technique #2 – Duplicating VM handlers.
• Handler table is typically indexed using one byte (= 256 entries).
12
Virtual Machines
Hardening Technique #2 – Duplicating VM handlers.
• Handler table is typically indexed using one byte (= 256 entries).
• Idea: Duplicate existing handlers to populate full table.

• Use traditional obfuscation techniques to impede code similarity analyses.
Goal: Increase workload of reverse engineer.
12
handle_vpush
handle_vadd
handle_vnor
handle_vpop
handle_vpush
handle_vadd
handle_vpush
handle_vnor''
➟
handle_vadd
handle_vpop
handle_vnor
handle_vadd'
handle_vpop
handle_vnor
handle_vnor'
handle_vadd''
Virtual Machines
Hardening Technique #3 – No central VM dispatcher.
• A central VM dispatcher allows attacker to easily observe VM execution.

• Idea: Instead of branching to the central dispatcher, inline it into each handler.
Goal: No “single point of failure”.
(Themida, VMProtect Demo)
14
FDE
handle_vnor handle_…
handle_vnor handle_…
FDE FDE
Virtual Machines
Hardening Technique #4 – No explicit handler table.
• An explicit handler table easily reveals all VM handlers.
17
Virtual Machines

• Idea: Instead of querying an explicit handler table,
encode the next handler address in the VM instruction itself.
Goal: Hide location of handlers that have not been executed yet.
(VMProtect Full, SolidShield)
17
Virtual Machines

opcode op 0 op 1
17
Virtual Machines

opcode op 0 op 1 next handler addr
17
Virtual Machines
Hardening Technique #5 – Blinding VM bytecode.
• Global analyses on the bytecode possible, easy to patch instructions.
19
Virtual Machines
Hardening Technique #5 – Blinding VM bytecode.
• Global analyses on the bytecode possible, easy to patch instructions.

• Idea:
• Flow-sensitive instruction decoding (“decryption” based on key register).
• Custom decryption routine per handler, diversification.
• Patching requires re-encryption of subsequent bytecode.
Goal: Hinder global analyses of bytecode and patching.
19
operand ← [vIP + 0]
context ← semantics(context, operand)

next_handler ← [vIP + 4]
vIP ← vIP + 8
jmp next_handler
20
operand ← [vIP + 0]
Key operand ← unmangle(operand, key)

Key key ← unmangle0 (key, operand)
context ← semantics(context, operand)

next_handler ← [vIP + 4]
Key next_handler ← unmangle00 (next_handler, key)

Key key ← unmangle000 (key, next_handler)
vIP ← vIP + 8
jmp next_handler
20
Breaking Virtual Machine Obfuscation II
How to deal with hardened VMs?
• locate VM entry and bytecode
• simplify handlers with program analyses techniques
• write a control-flow sensitive disassembler1 and reconstruct high-level code
1 https://synthesis.to/2021/10/21/vm_based_obfuscation.html
21
Automated Attacks on VMs
Instruction Removal
Compiler Optimizations
mov eax, 0xdead

mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
mov ecx, ecx
add eax, 0x1111
add ecx, 0x0
mov edx, eax
pop eax
not eax
ret
23
mov eax, 0xdead

mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
mov ecx, ecx
add eax, 0x1111
add ecx, 0x0
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
×
add eax, 0x1111
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
Dead Code
×
0x1111Elimination
add eax,
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
×
add eax, 0x1111
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
mov eax, 0x5678
×
add eax, 0x1111
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
mov eax, 0x6789
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
Constant Folding
×
mov eax, 0x6789
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
mov eax, 0x6789
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
mov eax, 0x6789
×
mov edx, eax
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
×
×
mov edx, 0x6789
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
Constant Propagation
×
×
×
mov edx, 0x6789
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
×
×
mov edx, 0x6789
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
push eax
×
×
×
×
mov edx, 0x6789
pop eax
not eax
ret
23
×
mov eax, 0x1234
not eax
×
×
×
×
×
mov edx, 0x6789
×
not eax
ret
23
×
mov eax, 0x1234
not eax
×
×
×
×
×
mov edx, 0x6789
×
not eax
ret
23
×
mov eax, 0x1234
×
×
×
×
×
×
mov edx, 0x6789
×
×
ret
23
×
mov eax, 0x1234
×
×
×
Peephole Optimization
×
×
×
mov edx, 0x6789
×
×
ret
23
×
mov eax, 0x1234
×
×
×
×
×
×
mov edx, 0x6789
×
×
ret
23
Decoding
Blinding
Semantics
Dispatcher
Symbolic Execution
Symbolic Execution: A Syntactic Approach
__handle_vnor:
mov rcx, [rbp]
mov rbx, [rbp + 4]
not rcx
not rbx
and rcx, rbx
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher
Handler performing nor

rcx ← [rbp]
__handle_vnor:
• mov rcx, [rbp]
mov rbx, [rbp + 4]
not rcx
not rbx
and rcx, rbx
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
• mov rbx, [rbp + 4]
not rcx
not rbx
and rcx, rbx
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
rcx ← ¬ rcx = ¬ [rbp]
mov rbx, [rbp + 4]
• not rcx
not rbx
and rcx, rbx
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
not rcx rbx ← ¬ rbx = ¬ [rbp + 4]
• not rbx
and rcx, rbx
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
not rbx rcx ← rcx ∧ rbx
• and rcx, rbx = (¬ [rbp]) ∧ (¬ [rbp + 4])
mov [rbp + 4], rcx
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
• and rcx, rbx = (¬ [rbp]) ∧ (¬ [rbp + 4])
mov [rbp + 4], rcx = [rbp] ↓ [rbp + 4]
pushf
pop [rbp]
jmp __vm_dispatcher

rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
and rcx, rbx = (¬ [rbp]) ∧ (¬ [rbp + 4])
• mov [rbp + 4], rcx = [rbp] ↓ [rbp + 4]
pushf [rbp + 4] ← rcx = [rbp] ↓ [rbp + 4]
pop [rbp]
jmp __vm_dispatcher

27
rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
• pushf [rbp + 4] ← rcx = [rbp] ↓ [rbp + 4]
pop [rbp]
jmp __vm_dispatcher
rsp ← rsp − 4
[rsp] ← flags

27
rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
• pop [rbp]
jmp __vm_dispatcher
rsp ← rsp − 4
[rsp] ← flags
[rbp] ← [rsp] = flags
rsp ← rsp + 4
27
rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
pop [rbp]
• jmp __vm_dispatcher
rsp ← rsp − 4
[rsp] ← flags
rsp ← rsp + 4
27
rcx ← [rbp]
__handle_vnor:
rbx ← [rbp + 4]
mov rcx, [rbp]
mov rbx, [rbp + 4]
[rbp + 4] ← ([rbp] ↓ [rbp + 4])

pop [rbp]
jmp __vm_dispatcher
rsp ← rsp − 4
[rsp] ← flags
rsp ← rsp + 4
27
Program Synthesis
Program Synthesis: A Semantic Approach
We use f as a black-box:
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1,1,1)
? 3
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(1,1,1)
? 3
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(2,3,1)
? 6
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(2,3,1)
? 6 (2, 3, 1) → 6
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(0,7,2)
? 9 (2, 3, 1) → 6
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(0,7,2)
? 9 (2, 3, 1) → 6
(0, 7, 2) → 9
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
(1, 1, 1) → 3
(2, 3, 1) → 6
(0, 7, 2) → 9
We learn a function h that has the same I/O behavior.
29
f (x, y, z) := (((x ⊕ y) + ((x ∧ y) · 2)) ∨ z) + (((x ⊕ y) + ((x ∧ y) · 2)) ∧ z)
h(x, y, z) := x + y (1,+1, 1)z→ 3

(2, 3, 1) → 6
(0, 7, 2) → 9
We learn a function h that has the same I/O behavior.
29
Synthesis Light: Code Book Attacks
30
VM ISA
• x+y
• x−y
• x∧y
• x∨y
• x⊕y
• predictable set of handler semantics
30
VM ISA
Lookup Table
• x+y
(5, 3) → 8: x+y
• x−y (5, 3) → 2: x−y
• x∧y (5, 3) → 1: x∧y
• x∨y (5, 3) → 7: x∨y
(5, 3) → 6: x⊕y
• x⊕y
• pre-computed lookup tables of I/O samples
30
VM ISA
Lookup Table
• x+y
(5, 3) → 8: x+y
• x−y (5, 3) → 2: x−y
• x∧y (5, 3) → 1: x∧y
• x∨y (5, 3) → 7: x∨y
(5, 3) → 6: x⊕y
• x⊕y
• pre-computed lookup tables of I/O samples
• SMT solvers to prove semantic equivalence
30
Attack Surface
Shortcomings of VMs
• predictable instruction semantics with meaningful mnemonics
• vulnerable to synthesis-based attacks
• facilitates writing disassemblers
32
Shortcomings of VMs
• predictable instruction semantics with meaningful mnemonics
• vulnerable to synthesis-based attacks
• facilitates writing disassemblers
• VM components are independent of each other
• isolated analysis possible
• obfuscation limited to local constructs (e.g., handler level)
32
VM Attack Landscape
Attack Vectors
Instruction Removal Symbolic Execution Progam Synthesis
Static Dynamic Static Dynamic Static Dynamic
7 7 7 7 7 7
33
VM Attack Landscape
Attack Vectors
7 7 7 7 7 7
33
VM Attack Landscape
Attack Vectors
7 7 7 7 7 7
33
Next-Gen VM-based Obfuscators
Design Goals
Attack Vectors
SHIELD-ALT SHIELD-ALT SHIELD-ALT SHIELD-ALT SHIELD-ALT SHIELD-ALT

34
Design Principles
Design Principles
Design Principle #1 – Complex and target-specific instruction sets.
36
Design Principles
• handler semantics are based on instruction sequences from the target program
36
Design Principles
• complex handler semantics
• introduce diversity
• provide resilience against syntesis-based attacks
36
Design Principles
• complex handler semantics
• can be data-flow dependent
36
Design Principles
No meaningful
• complex instruction mnemonics for VM disassemblers
handler semantics
• can be data-flow dependent
36
Design Principles
Design Principle #2 – Intertwining VM components.
37
Design Principles
• interlocking of handlers & semantics to enforce a cross-handler analysis
• mixed Boolean-Arithmetic encodings across handlers
• dataflow-dependent or multi-threaded opaque predicates
• merged handler semantics
37
Design Principles
• analysis effort rises enormously
37
Design Principles
Analysis tools reach their limits

• analysis effort rises enormously
37
Loki
Loki
• industry shifts towards novel VM designs
• academic prototype of next-gen VM
• “Loki: Hardening Code Obfuscation Against Automated Attacks” by Schloegel et al.

https://synthesis.to/papers/arxiv21-loki.pdf
39
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 add r1, r2 f (x, y) := x + y

0b 01 05 mul r1, r5 g(x, y) := x ∗ y
a2 03 ?? shl r3, 0xff h(x, y, c) := x << c
• handler can be represented as (mathematical) functions
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 add r1, r2 f (x, y) := x + y

0b 01 05 mul r1, r5 g(x, y) := x ∗ y
a2 03 ?? shl r3, 0xff h(x, y, c) := x << c
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 add r1, r2 f (x, y) := x + y

0b 01 05 mul r1, r5 g(x, y) := x ∗ y
a2 03 ?? shl r3, 0xff h(x, y, c) := x << c
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 add r1, r2 f (x, y) := x + y

0b 01 05 mul r1, r5 g(x, y) := x ∗ y
a2 03 ?? shl r3, 0xff h(x, y, c) := x << c
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 00 add r1, r2 f (x, y) := x + y

0b 01 05 00 mul r1, r5 g(x, y) := x ∗ y
a2 03 ?? ff shl r3, 0xff h(x, y, c) := x << c
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 00 add r1, r2 f (x, y, c) := x + y

0b 01 05 00 mul r1, r5 g(x, y, c) := x ∗ y
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 00 add r1, r2 f (x, y, c) := x + y

0b 01 05 00 mul r1, r5 g(x, y, c) := x ∗ y
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 00 add r1, r2 f (x, y, c) := x + y

0b 01 05 00 mul r1, r5 g(x, y, c) := x ∗ y
41
Current VM Handlers
opcode
opcode
register
register
register
register
constant
0a 01 02 00 add r1, r2 f (x, y, c) := x + y

0b 01 05 00 mul r1, r5 g(x, y, c) := x ∗ y

• instruction semantics refer to the handler’s actual computation
41
Can we do better?
Merging Instruction Semantics
f (x, y, c) := x + y g(x, y, c) := x − y << c

x + y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
43
f (x, y, c) := x + y g(x, y, c) := x − y << c

x + y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
43
f (x, y, c) := x + y g(x, y, c) := x − y << c

x + y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
43
f (x, y, c) := x + y g(x, y, c) := x − y << c
Key-dependent instruction semantics


x + y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
43
Polynomial Encodings and Branch-free Code
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
equal
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
equal
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
equal
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
equal
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
equal
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
( a
x+y if k == 0
f (x, y, c, k) :=
x − y << c if k == 1
b c
Interlockingequal
of instruction semantics
f (x, y, c, k) := (k == 0) · x + y
a’
+ (k == 1) · x − y << c
44
Polynomial Encodings
Attack Vectors
SHIELD-ALT SHIELD-ALT SHIELD-ALT 7 7 7

45
Hardening Key Selection
Factorization
f (x, y, c, k) := (k == 0) · x + y
+ (k == 1) · x − y << c
Quadratic Residues
46
Factorization
f (x, y, c, k) := (n mod k == 0) · x + y
+ (k2 == q mod m) · x − y << c
Quadratic Residues
46
Factorization
f (x, y, c, k) := (n mod k == 0) · x + y
+ (k2 == q mod m) · x − y << c
Quadratic Residues
46
Factorization
f (x, y, c, k) := (n mod k == 0) · x + y
+ (k2 == q mod m) · x − y << c
Quadratic Residues
46
Factorization
SMT-hard
f (x, y,encodings
c, k) := forkinstruction
(n mod == 0) · x + y selection
+ (k2 == q mod m) · x − y << c
Quadratic Residues
46
Point Functions
Partial point functions for key selection
f (x, y, c, k) := (n mod k == 0) · x+y

+ (k2 == q mod m) · x − y << c
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf(k) := ((0xff ∧ k) ⊕ 0xcd) · 0x28cbfbeb9a020a33
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1336) = 1
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1336) = 1
3
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1336) = 1 pf (0xabcd) = 0
3
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1336) = 1 pf (0xabcd) = 0
3 7
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1000) = 0x20ab58bbaa53a22ad7
pf (0x1336) = 1 pf (0xabcd) = 0
3 7 ?
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
pf (0x1000) = 0x20ab58bbaa53a22ad7
pf (0x1336) = 1 pf (0xabcd) = 0
pf (0xdead) = 0xf4c7e7859c0c3d320
3 7 ??
47
Point Functions
f (x, y, c, k) := (n mod k == 0) · x+y

+ pf(k) · x − y << c
:= ((0xff ∧ k) ⊕ 0xcd) · 0x28cbfbeb9a020a33

Pointpf(k)
functions subvert I/O sampling
pf (0x1000) = 0x20ab58bbaa53a22ad7
pf (0x1336) = 1 pf (0xabcd) = 0
pf (0xdead) = 0xf4c7e7859c0c3d320
3 7 ??
47
SMT-hard Key Encodings and Point Functions
Attack Vectors
SHIELD-ALT SHIELD-ALT SHIELD-ALT 7 SHIELD-ALT 7

48
Thwarting Program Synthesis
f (x, y, c, k) := (n1 mod k == 0) · x + y

+ pf (k) · x − y << c
49
f (x, y, c, k) := (n1 mod k == 0) · x + y +(x + x)

+ pf (k) · x − y << c
49
f (x, y, c, k) := (n1 mod k == 0) · x + y +(x + x)

+ pf (k) · x − y · (x + y)
49
f (x, y, c, k) := (n1 mod k == 0) · x + y +(x + x)

Semantically complex arithmetic operations
+ pf (k) · x − y · (x + y)
49
How to Build Semantically Complex Operations
mov edx, eax edx.1 := eax

mov ecx, 0x20 ecx.1 := 0x20
add edx, ecx edx.2 := edx.1 + ecx.1
imul edx, 0x10 edx.3 := edx.2 * 0x10
Recursively replace uses by their definitions
edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10
50

edx.3 := edx.2 * 0x10 = (edx.1 + ecx.1) * 0x10
50

f (x, y, c) := (x edx.3
imul edx, 0x10 + y):=∗edx.2
c * 0x10
edx.3 := edx.2 * 0x10 = (edx.1 + ecx.1) * 0x10
50
Semantically Complex Operations
Attack Vectors

51
Thwarting Symbolic Execution
f (x, y, c, k) := (n1 mod k == 0) · x + y + (x + x)

+ pf (k) · x − y · (x + y)
52
f (x, y, c, k) := (n1 mod k == 0) · ((x ⊕ y) + 2 · (x ∧ y)) + (x 1)

+ pf (k) · x − y · (x + y)
52
f (x, y, c, k) := (n1 mod k == 0) · ((x ⊕ y) + 2 · (x ∧ y)) + (x 1)

+ pf (k) · (x + ¬y + 1) · ((x ⊕ y) + 2 · (x ∧ y))
52
f (x, y, c, k) :=
(n mod k == 0) · ((x ⊕ y) + 2 · (x ∧ y)) + (x 1)
Syntactically
+ pf (k)complex
1
expressions
· (x + ¬y + 1) · ((x ⊕ y) + 2 · (x ∧ y))
52
Mixed Boolean Arithmetic Expressions
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Traditional Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
47) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
Lookup equal
table w/ *all* identities ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
Recursive Approach
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
equal ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
x − y x· (((x
−y∨ xy)−⊕
· ((x −y y) ++y))
· (x∧
(x 2 y)
· (x
+∧ 2 ·y))
(x ∧ y))
Rewriting rules:
1) x + y → (x ⊕ y) + 2 · (x ∧ y)
2) x ⊕ y → (x ∨ y) − (x ∧ y)
Recursive
equal
Rewriting ...
847,000) x ∧ y → (¬x ∨ y) − ¬x
x − yx ·−(((x
y x· ∨
−y)y∨
(((x y)
·−((x − y)
⊕
((¬x ∨∧
(x y)y))
+ 2−· ¬x))
+∧
(x 2 ·y))
+(x2∧· (x
y))∧ y))
final expression
53
Polynomial MBAs
x − y · (x + y)
Rewrite as:
expr ≡ h−1 (h(expr))
x − y · (h−1 (h(x + y)))
equal
x − y · (h−1 (39 · (x + y) + 23))
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
x − y · (h−1 (39 · (x + y) + 23))
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
x − y · (h−1 (39 · (x + y) + 23))
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
Invertible function on 1 byte:
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
=⇒ expr ≡ h−1 (h(expr)) mod 28
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Polynomial MBAs
x − y · (x + y)
Rewrite as:
x − y · (h−1 (h(x + y)))
equal
h : a 7→ 39a + 23
x − y · (h−1 (39 · (x + y) + 23)) h : a 7→ 151a + 111
−1
x − y · (151 · (39 · (x + y) + 23) + 111)
54
Syntactically Complex Operations
Attack Vectors

56
Taking it all together
Loki: Academic Next-Gen VM Prototype

58

• merged semantics to encforce cross-handler analysis
58

• polynomial encodings to interlock instruction semantics
58

• point functions to subvert I/O sampling
58

• complex, data-flow dependent instruction semantics to thwart program synthesis
58

• complex, data-flow dependent instruction semantics to thwart program synthesis
• MBAs to thwart symbolic execution
58
Impact on Deobfuscation
Verging on the Limits
Challenges in Code Deobfuscation
• synthesis-based attacks are no longer feasible
• no meaningful instruction mnemonics for disassemblers
vadd vs. vneg_vadd_vmul_vxor_vpush
60
Challenges in Code Deobfuscation
• shift towards global analysis; larger analysis scope required
• analysis effort rises enormously: limitations of binary analysis techniques & tools
61
What needs to be done?
Better Analysis Tools
• better support for interprocedural & multi-threaded analysis
• improve tooling for large instruction sequences (performance and memory footprint)
• advances in binary lifting
Yes, these are hard problems.
63
Selection of Analysis Windows
• identification of relevant sources and sinks
• strategies to isolate and simplify (partial) data flows
• automated exploration of control and data flows (CFG/DFG construction)
64
Advances in MBA Deobfuscation
• simplification of large polynomial MBAs
• improvements on synthesis-based approaches to reach higher semantic depths
• strategies to synthesize constants
(x ⊕ 0xf 5692443e29a24c2) · 0x3886553866f 35c17
65
Conclusion
Takeaways
1. current VMs can be broken in a (semi-)automated fashion

2. industry shifts to novel VM designs
3. code deobfuscation research has to catch up
67
Takeaways
1. current VMs can be broken in a (semi-)automated fashion

2. industry shifts to novel VM designs
3. code deobfuscation research has to catch up
Next-gen VMs will shape the landscape of modern obfuscation in the next years.
67
Summary
• virtualization-based obfuscation
• attacks on VMs (instruction removal, symbolic execution, program synthesis)
• next-gen VMs and their impact on deobfuscation
Tim Blazytko Moritz Schloegel

Twitter @mr_phrazer Twitter @m_u00d8
HOME https://synthesis.to LINKEDIN moritz-schloegel
68

Recon22 Next Gen LyqHkvB

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Recon22 Next Gen LyqHkvB

Uploaded by

Copyright:

Available Formats

emproof

Safeguard what counts

The Next Generation of Virtualization-based Obfuscators

Tim Blazytko Moritz Schloegel

Twitter @mr_phrazer Twitter @m_u00d8

• designs software protections for embedded devices

• final-year PhD student at Ruhr-Universität Bochum

• working with bugs by day (mostly fuzzing)

• code deobfuscation by night

Question-Circle VM-based obfuscation

Paw Attacks on VMs

Prevent Complicate reverse engineering attempts.

mov ecx, [esp+4]

mov eax, ebx

mov ecx, [esp+4]

mov eax, ebx

mov ecx, [esp+4]

mov eax, ebx

mov ecx, [esp+4]

mov eax, ebx

mov ecx, [esp+4]

mov eax, ebx

mov ecx, [esp+4]

mov eax, ebx

• Entry Copy native context (registers, flags) to VM context.

• Mapping from native to virtual registers is often 1:1.

1. Fetch and decode instruction handle_vpush

• Table of function pointers indexed by opcode handle_vpush

FDE VM Dispatcher (FDE)

Individual Handlers VM Exit

rsi – virtual instruction pointer

rsi – virtual instruction pointer

How to reconstruct the original code?

How to reconstruct the original code?

2. reverse engineer handler semantics

3. write a disassembler for the bytecode

4. reconstruct VM control flow

5. reconstruct high-level code

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

opcode register register

VM computes (r1 + r2) * r5.

Hardening Technique #1 – Obfuscating individual VM components.

• Handlers are conceptually simple.

Hardening Technique #1 – Obfuscating individual VM components.

mov eax, dword [rbp]

Hardening Technique #2 – Duplicating VM handlers.

• Handler table is typically indexed using one byte (= 256 entries).

Hardening Technique #2 – Duplicating VM handlers.

• Handler table is typically indexed using one byte (= 256 entries).

• Idea: Duplicate existing handlers to populate full table.

Goal: Increase workload of reverse engineer.

Hardening Technique #3 – No central VM dispatcher.

• A central VM dispatcher allows attacker to easily observe VM execution.

Goal: No “single point of failure”.

(Themida, VMProtect Demo)