基于浮点数类型转换和运算的不透明谓词构造方法

doi:10.11959/j.issn.2096-109x.2023068

摘要/Abstract

摘要：

随着软件功能的日趋复杂和网络攻击技术的不断演进，软件盗版、软件破解、数据泄露、软件恶意修改等恶意行为呈上升趋势，软件安全问题逐渐成为行业领域普遍关注的焦点和研究方向。代码混淆是一种典型的对抗逆向工程的软件保护技术，它能够在保持程序原有功能不变的条件下加大攻击者对程序进行分析和理解的难度，被广泛应用和深入研究。现有的代码混淆技术大多由于追求混淆效果而普遍存在性能损耗偏高、隐蔽性差等问题。控制结构混淆是代码混淆技术中应用较广泛的一种，它通过扰乱程序的控制流从而提高代码逆向工程难度，不透明谓词混淆是其一大分支。为了弥补现有代码混淆技术的缺陷，提出了基于浮点数类型转换和运算的不透明谓词构造方法，利用计算机浮点数类型转换和运算过程中伴随的精度损失现象使特定条件下产生与常理相悖的运算结果，通过选择若干个小数进行强制类型转换、加法运算和乘法运算，基于其运算结果统计可以构造一系列不透明谓词，实现代码混淆功能。相较于传统的不透明谓词，该构造方法具有隐蔽性高、通用性好、可逆性、开销低等优点。实验验证表明，该方法在大幅降低攻击者对软件进行逆向工程等工作速度的同时，对于符号执行等动态分析技术具有良好的抵御性能。

关键词: 代码混淆, 虚假控制流, 不透明谓词, 浮点数运算

Abstract:

With the increasing complexity of software functions and the evolving technologies of network attacks, malicious behaviors such as software piracy, software cracking, data leakage, and malicious software modification are on the rise.As a result, software security has become a focal point in industry research.Code obfuscation is a common software protection technique used to hinder reverse engineering.It aims to make program analyzing and understanding more difficult for attackers while preserving the original program functionality.However, many existing code obfuscation techniques suffer from performance loss and poor concealment in pursuit of obfuscation effectiveness.Control flow obfuscation, particularly opaque predicate obfuscation, is widely used to increase the difficulty of code reverse engineering by disrupting the program’s control flow.A method was proposed to address the limitations of existing code obfuscation techniques.It utilized the phenomenon of precision loss that occurred during type conversion and floating-point number operations in computers.Under certain conditions, this method produced operation results that contradict common sense.By performing forced type conversion, addition, and multiplication with selected decimal numbers, a series of opaque predicates can be constructed based on the statistical analysis of their operation results.This approach achieved code obfuscation with high concealment, good generality, reversibility, and low overhead compared to traditional opaque predicates.Experimental verification demonstrates that this method significantly slows down attackers’ reverse engineering efforts and exhibits good resistance to dynamic analysis techniques such as symbolic execution.

Key words: code obfuscation, bogus control flow, opaque predicates, floating point operations

中图分类号:

TP393

王庆丰, 梁浩, 王亚文, 谢根琳, 何本伟. 基于浮点数类型转换和运算的不透明谓词构造方法[J]. 网络与信息安全学报, 2023, 9(5): 48-58.

Qingfeng WANG, Hao LIANG, Yawen WANG, Genlin XIE, Benwei HE. Constructing method of opaque predicate based on type conversion and operation of floating point numbers[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 48-58.

图/表 9

图1

图2

图3

表1

表2

图4

表3

表4

表5

参考文献 27

[1]	奇安信代码安全实验室. 2022 中国软件供应链安全分析报告[EB].
	Qi An Xin Code Security Lab. 2022 China software supply chain security analysis report[EB].
[2]	BSA Global Software Survey. Software management:security imperative,business opportunity[EB].
[3]	张汉宁 . 基于精简指令集的软件保护虚拟机技术研究[D]. 西安:西北大学, 2010.
	ZHANG H N . Research on software protection virtual machine technology based on reduced instruction set[D]. Xi'an:Northwest University, 2010.
[4]	SHERIDAN B , SHERR M . On manufacturing resilient opaque constructs against static analysis[J]. Springer International Publishing, 2016.
[5]	COLLBERG C , THOMBORSON C , LOW D . A taxonomy of obfuscating transformations[J]. Technical Report, 1997.
[6]	李成扬, 黄天波, 陈夏润 ,等. LLVM 中间语言的控制流混淆方案[J]. 计算机工程与应用, 2023,(4): 1-8.
	LI C Y , HUANG T B , CHEN X R ,et al. Control flow obfuscation scheme for LLVM intermediate languages[J]. Computer Engineering and Applications, 2023,(4): 1-8.
[7]	LáSZLó T , KISS A . Obfuscating C++ programs via control flow flattening[R]. 2009.
[8]	ROLLES R . Unpacking virtualization obfuscators[C]// Proceedings of the 3rd USENIX Conference on Offensive Technologies. 2009.
[9]	KUANG K , TANG Z , GONG X ,et al. Exploiting dynamic scheduling for VM-based code obfuscation[C]// 2017 IEEE Trustcom/BigDataSE/I SPA. 2017.
[10]	陈耀阳 . 基于代码混淆的软件保护技术研究与实现[D]. 南京:南京邮电大学, 2021.
	CHEN Y Y . Research and implementation of software protection technology based on code obfuscation[D]. Nanjing:Nanjing University of Posts and Telecommunications, 2021.
[11]	房鼎益, 张恒, 汤战勇 ,等. 一种抗语义攻击的虚拟化软件保护方法[J]. 工程科学与技术, 2017,49(1): 159-168.
	FANG D Y , ZHANG H , TANG Z Y ,et al. DAS-VMP:a virtual machine-based software protection method for defending against semantic attacks[J]. Advanced Engineering Sciences, 2017,49(1): 159-168.
[12]	汤战勇, 李光辉, 房鼎益 ,等. 一种具有指令集随机化的代码虚拟化保护系统[J]. 华中科技大学学报(自然科学版), 2016,44(3): 28-33.
	TANG Z Y , LI G H , FANG D Y ,et al. Code virtualized protection system with instruction set randomization[J]. Journal of Huazhong University of Science and Technology(Natural Science Edition), 2016,44(3): 28-33.
[13]	COLLBERG C , THOMBORSON C , LOW D . Manufacturing cheap,resilient,and stealthy opaque constructs[C]// Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’98). 1998: 184-196.
[14]	袁征, 冯雁, 温巧燕 ,等. 构造一种新的混淆 Java 程序的不透明谓词[J]. 北京邮电大学学报, 2007,30(6): 103-106.
	YUAN Z , FENG Y , WEN Q Y ,et al. Manufacture of a new opaque predicate for java programs[J]. Journal of Beijing University of Posts and Telecom, 2007,30(6): 103-106.
[15]	MOSER A , KRUEGEL C , KIRDA E . Limits of static analysis for malware detection[C]// Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007). 2007.
[16]	TIELLA R , CECCATO M . Automatic generation of opaque constants based on the k-clique problem for resilient data obfuscation[C]// 2017 IEEE 24th International Conference on Software Analysis,Evolution and Reengineering (SANER). 2017: 182-192.
[17]	SHARIF M , LANZI A , GIFFIN J ,et al. Impeding malware analysis using conditional code obfuscation[C]// Proceedings of the Network and Distributed System Security Symposium (NDSS 2008). 2008.
[18]	ZHU W , THOMBORSON C . A provable scheme for homomorphic obfuscations in software security[R]. ACTA Press, 2005.
[19]	ARBOIT G . A method for watermarking Java programs via opaque predicates[C]// Proc Int Conf Electronic Commerce Research, 2002.
[20]	WANG Z , MING J , JIA C ,et al. Linear obfuscation to combat symbolic execution[C]// European Symposium on Research in Computer Security. 2011.
[21]	付蒙 . 抵抗符号执行的不透明谓词混淆技术研究[D]. 西安:西安电子科技大学, 2019.
	FU M . Research on opaque predicate-based obfuscations against symbolic execution[D]. Xi’an:Xidian University, 2019.
[22]	KING J C . Symbolic execution and program testing[J]. Communications of the ACM, 1976,19(7): 385-394.
[23]	MING J , XU D , WANG L ,et al. LOOP:logic-oriented opaque predicate detection in obfuscated binary code[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 757-768.
[24]	YADEGARI B , JOHANNESMEYER B , WHITELY B ,et al. A generic approach to automatic deobfuscation of executable code[C]// 2015 IEEE Symposium on Security and Privacy. 2015: 674-691.
[25]	BARDIN S , DAVID R , MARION J Y . Backward-bounded DSE:targeting infeasibility questions on obfuscated codes[C]// 2017 IEEE Symposium on Security and Privacy (SP). 2017: 633-651.
[26]	BANESCU S , COLLBERG C , GANESH V ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 189-200.
[27]	王国俊 . 有理数、无理数与实数[J]. 数学的实践与认识, 1998(3): 258-266.
	WANG G J . Rational,irrational and numbers[J]. Mathematics in Practice and Theory, 1998(3): 258-266.

数字	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9
0.1	=	=	=	=	=	>	=	>	=
0.2	=	=	=	=	=	=	=	=	=
0.3	=	=	=	>	=	>	=	=	=
0.4	=	=	>	=	=	=	=	=	=
0.5	=	=	=	=	=	=	=	=	=
0.6	>	=	>	=	=	=	=	>	=
0.7	=	=	=	=	=	=	=	=	<
0.8	>	=	=	=	=	>	=	=	=
0.9	=	=	=	=	=	=	<	=	=

数字	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9
0.1	>	>	>	>	=	>	=	>	<
0.2	>	>	>	>	=	>	=	>	<
0.3	>	>	=	>	=	=	>	>	=
0.4	>	>	>	>	=	>	=	>	<
0.5	=	=	=	=	=	=	=	=	=
0.6	>	>	=	>	=	=	>	>	=
0.7	=	=	>	=	=	>	<	=	=
0.8	>	>	>	>	=	>	=	>	<
0.9	<	<	=	<	=	=	=	<	<

文件类型	基准测试程序	程序运行时间/s
文件类型	基准测试程序	实际	用户态	系统
	bzip2	2.699	2.687	0.002
	mcf	470.588	470.255	0.246
origin	gobmk	0.153	0.136	0.011
	sjeng	5.042	4.954	0.078
	lbm	2.351	2.245	0.098
	sphinx3	0.352	0.332	0.015
	bzip2	14.213	14.199	0.002
	mcf	1400.885	1400.324	0.273
origin+bcf1	gobmk	0.941	0.929	0.008
	sjeng	44.066	43.973	0.077
	lbm	3.919	3.828	0.082
	sphinx3	1.022	0.992	0.023
	bzip2	13.721	13.707	0.002
	mcf	1427.152	1426.625	0.231
origin+bcf2	gobmk	0.855	0.846	0.005
	sjeng	34.516	34.428	0.07
	lbm	4.024	3.943	0.076
	sphinx3	0.98	0.957	0.018
	bzip2	13.51	13.494	0.002
	mcf	1160.316	1159.864	0.239
origin+bcf3	gobmk	0.517	0.506	0.004
	sjeng	22.4	22.322	0.067
	lbm	3.616	3.526	0.087
	sphinx3	0.719	0.696	0.018

文件类型	可执行文件大小/bit
文件类型	bzip2	mcf	gobmk	sjeng	lbm	sphinx3
origin	134 080	30 560	4 228 400	206 328	38 616	280 272
origin+bcf1	1 915 344	305 744	20 450 280	3 149 064	173 984	3 703 776
origin+bcf2	1 231 808	206 688	14 157 104	1 971 704	132 824	2 397 904
origin+bcf3	936 896	161 632	11 552 048	1 471 992	116 440	1 840 848

文件类型	可执行文件相似度
文件类型	bzip2	mcf	gobmk	sjeng	lbm	sphinx3
origin VS origin+bcf1	0.18	0.21	0.17	0.12	0.31	0.18
origin VS origin+bcf2	0.15	0.22	0.14	0.12	0.32	0.13
origin VS origin+bcf3	0.16	0.22	0.14	0.10	0.32	0.12