Professional Documents
Culture Documents
PhD from
Currently Professor at
2 / 45
Professional Interests
Software Protection
(tigress.cs.arizona.edu)
Compilers
Programming Languages
Scientific Ethics
Secure Provenance
(haathi.cs.arizona.edu).
3 / 45
Personal Interests
Travel (35 countries so far. . . )
Photography:
www.cs.arizona.edu/collberg/#travel
Foreign Languages
Music:
4 / 45
Education
www.cs.arizona.edu/collberg
collberg@gmail.com
Office: Room 571
MSU, Sector B!
See me if you want to talk about
this course
studying in the US
computer security research
travel, Russia, music, languages . . .
. . . anything, really!
6 / 45
This Course
Overview
1
What is Software Protection?
2
When do you need Software
Protection?
3
Making programs hard to read
(obfuscation).
4
Making programs hard to
modify (anti-tamper).
8 / 45
When? Where? Why?
1
When?
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where?
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where? Auditorium 612
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where? Auditorium 612
3
Why?
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where? Auditorium 612
3
Why? It will be super cool!
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where? Auditorium 612
3
Why? It will be super cool!
4
WWW?
9 / 45
When? Where? Why?
1
When? Wednesday 18:00
2
Where? Auditorium 612
3
Why? It will be super cool!
4
WWW?
www.cs.arizona.edu/collberg/
Teaching/bsuir/2014
9 / 45
What we will learn
10 / 45
What we will do
I will lecture. . .
In-class exercises. . .
Homework exercises:
Hack this code!
Protect this code from hacking!
11 / 45
Prerequisites
An understanding of C programming.
Some assembly code knowledge is good.
Some Unix, like shell commands, editing
(emacs, vi), compiling (gcc), debugging
(gdb).
Its good if you know a little about
cryptography, compilers, and computer
security, but not necessary.
12 / 45
Class behavior
13 / 45
Todays lecture
1
Software Protection Scenarios
2
Software Protection Tools
3
Overview of Obfuscation
4
Overview of Tamperproofing
14 / 45
MATE Scenarios
Software piracy
Alice P
16 / 45
Software piracy
Alice P Bob
16 / 45
Software piracy
Alice P Bob
P
P
17 / 45
License check tampering
P
Alice ...... Bob
if (today()>"Aug 17")
abort()
17 / 45
License check tampering
P
Alice ...... Bob
if (today()>"Aug 17")
abort() P
......
if (false)
abort()
17 / 45
License check tampering
P
Alice ...... Bob
if (today()>"Aug 17")
abort() P
P
......
if (false)
abort()
Alice P
M
18 / 45
Malicious reverse engineering
Alice P Bob
M
Alice P Bob
M
Alice P Bob
M
Q
M
M
Alice
Alice Bob
Encrypted
media
Crypto keys
Alice Bob Software Player
Encrypted
media
Cleartext media
Crypto keys
Alice Bob Software Player
Encrypted
media
Cleartext media
Crypto keys
Alice Bob Software Player
Encrypted
media
Carol
Alice
P
20 / 45
Scenario: Protecting networked
computer games
Alice Bob
P
20 / 45
Scenario: Protecting networked
computer games
Alice Bob
P
20 / 45
Scenario: Protecting networked
computer games
Alice Bob
P
Cached data
20 / 45
Scenario: Protecting networked
computer games
Alice Bob
P
Cached data
20 / 45
Scenario: Protecting networked
computer games
Alice Bob
P
Cached data
20 / 45
Protocol discovery
Alice Bob
Call minutes
P
21 / 45
Protocol discovery
Alice Bob
Call minutes
P P
mySkype!
Alice Bob
22 / 45
Protecting military software
Alice Bob
Alice Bob
P
S
23 / 45
The Man-At-The-End Problem
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
Debugger Emulator
Tracer Disassembler
Slicer Decompiler
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
Debugger Emulator
Tracer Disassembler
Slicer Decompiler
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
1. Static/Dynamic Analysis
2. Modify
3. Test
4. Did it work?
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
1. Static/Dynamic Analysis
2. Modify
3. Test
4. Did it work?
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
1. Static/dynamic analysis
2. Select code
3. Select transformation
4. Apply transformation
5. Done?
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
1. Static/dynamic analysis
Code 2. Select code
Transformations 3. Select transformation
4. Apply transformation
5. Done?
S
P
S P
P P
23 / 45
The Man-At-The-End Problem
S
P
S P
P P
23 / 45
Tigress
24 / 45
Code
Obfuscation
Code obfuscation
To obfuscate a program means to
transform it into a form that is more
difficult for an adversary to
understand or change than the
original code.
26 / 45
Code obfuscation
To obfuscate a program means to
transform it into a form that is more
difficult for an adversary to
understand or change than the
original code.
1 Abstraction transformations
Destroy module structure, classes, functions,
etc.!
29 / 45
Types of obfuscation
1 Abstraction transformations
Destroy module structure, classes, functions,
etc.!
2 Data transformations
Replace data structures with new
representations!
29 / 45
Types of obfuscation
1 Abstraction transformations
Destroy module structure, classes, functions,
etc.!
2 Data transformations
Replace data structures with new
representations!
3 Control transformations
Destroy if-, while-, repeat-, etc.!
29 / 45
Types of obfuscation
1 Abstraction transformations
Destroy module structure, classes, functions,
etc.!
2 Data transformations
Replace data structures with new
representations!
3 Control transformations
Destroy if-, while-, repeat-, etc.!
4 Dynamic transformations
Make the program change at runtime!
29 / 45
Obfuscation example: original
program
int main() {
int y = 6; int foo(int x) {
y = foo(y); return x*7;
bar(y,42); }
}
void bar(int x, int z) {
if (x==z)
printf("%i\n",x);
}
30 / 45
After abstraction transformation
int main() {
int y = 6;
y = foobar(y,99,1);
foobar(y,42,2);
}
int foobar(int x, int z, int s) {
if (s==1)
return x*7;
else if (s==2)
if (x==z)
printf("%i\n",x);
}
35 / 45
Two phases of tamperproofing
36 / 45
Two phases of tamperproofing
36 / 45
Two phases of tamperproofing
Detection:
1 has the code been changed?
2 are variables in an OK state?
37 / 45
Two phases of tamperproofing
Detection:
1 has the code been changed?
2 are variables in an OK state?
Response:
1 refuse to run,
2 crash randomly,
3 phone home, . . .
37 / 45
Algorithm Chang & Atallah: Checker
network
foo(){
...
}
check(){
if (hash(foo)!=42)
abort()
}
38 / 45
Hash functions
uint32 hash1 (addr_t addr,int words) {
uint32 h = *addr;
int i;
for(i=1; i<words; i++) {
addr++;
h = *addr;
}
return h;
}
39 / 45
Hash functions
void important_function () {
...
}
int main () {
int v = hash (important_function,1000);
if (v != 0x4C49F346) {
crash the program
}
important_function(...)
}
40 / 45
Algorithm Chang & Atallah: Checker
network
foo(){
...
}
check(){
if (hash(foo)!=42)
abort()
}
41 / 45
Algorithm Chang & Atallah: Checker
network
foo(){
...
}
41 / 45
Algorithm Chang & Atallah: Checker
network
foo(){ foo(){
... ...
} }
41 / 45
Algorithm Chang & Atallah: Checker
network
foo(){ foo(){
... ...
} }
check(){
if (hash(foo)!=42)
foo(){ foo(){
cp}
...
}
...
}
41 / 45
Algorithm Chang & Atallah: Checker
network
foo(){ foo(){
... ...
} }
check(){
if (hash(...)!=42)
cp
}
check(){
if (hash(foo)!=42)
foo(){ foo(){
cp}
...
}
...
}
41 / 45
Repairing Hacked Functions
void copy_of_important_function () {
...
}
void important_function () {
...
}
int main () {
int v = hash (important_function,1000);
if (v != 0x4C49F346) {
memcpy(important_function,
copy_of_important_function,
1000)
}
important_function(...)
}
42 / 45
Checker network
main
r1 c1
c0
play
decode r3
r2 decrypt c2
c3 getkey
44 / 45
Next weeks lecture
1
Software Hacking Techniques
2
Bring a Linux/MacOS laptop, if
you have. Make sure gcc and
gdb have been installed.
3
Look at Exercise 1 files on the
website.
45 / 45