DEV 344.NET Obfuscation – Raising the Security Bar Gabriel Torok – President Bill Leach - CTO...
DEV 344
.NET Obfuscation – Raising the Security Bar
Gabriel Torok – President
Bill Leach - CTO
PreEmptive Solutions
PreEmptive Solutions
7 year-old technology firm
Application Code Security Products, Consulting and Training
PreEmptive’s Dotfuscator™ Community Edition is integrated into Microsoft’s Visual Studio® .NET™ 2003
The Issue
.NET Framework programs compile to intermediate language
Under native compilation, symbols are left out
Not so with .NET Framework Apps!
Decompilers already exist to recreate source code from compiled programs
Disassemble/Decompile
ILDASM
Disassembler - comes with the .NET Framework SDK
Anakrino
Standalone Decompiler
http://www.saurik.com/net/exemplar
Example: Vexed.NET
A game by Roey Ben-amotz
The game and source are freely available from
http://vexeddotnet.benamotz.com
Show Game
Example
Original Source:
    public void undo() {
        if (numOfMoves>0) {
            numOfMoves--;
            if (_UserMoves.Length>=2)
                _UserMoves = _UserMoves.Substring(0,_UserMoves.Length-2);
            this.loadBoard(this.moveHistory[numOfMoves - (numOfMoves/50) * 50]);
            this.drawBoard(this.gr);
        }
    }
Disassemble with ILDASM…
    .method public hidebysig instance void undo() cil managed {
      .maxstack 5
      IL_0000: ldarg.0
      IL_0001: ldfld int32 vexed.net.board::numOfMoves
      IL_0006: ldc.i4.0
      IL_0007: ble.s IL_0070
      IL_0009: ldarg.0
      IL_000a: dup
      IL_000b: ldfld int32 vexed.net.board::numOfMoves
      IL_0010: ldc.i4.1
      IL_0011: sub
      IL_0012: stfld int32 vexed.net.board::numOfMoves
      IL_0017: ldarg.0
      IL_0018: ldfld string vexed.net.board::_UserMoves
      IL_001d: callvirt instance int32 [mscorlib]System.String::get_Length()
      IL_0022: ldc.i4.2
      ...
Symbols are preserved
Decompile with Anakrino:
    public void undo() {
        if (this.numOfMoves > 0) {
            this.numOfMoves = this.numOfMoves - 1;
            if (this._UserMoves.Length >= 2)
                this._UserMoves = this._UserMoves.Substring(0, this._UserMoves.Length - 2);
            this.loadBoard(this.moveHistory[this.numOfMoves - this.numOfMoves / 50 * 50]);
            this.drawBoard(this.gr);
        }
    }
Essentially identical to original source
The Vision…
There is a solution to help thwart reverse engineering
Microsoft isn’t passively watching this become an issue
What is Obfuscation?
Technology of shrouding the facts
Hide what’s required, remove the rest
Confuse observers, but give CLR the same delivery
Why Not Just Encrypt?
Encryption is like putting your application in a lockbox
To execute, the runtime needs the key
If the runtime can get it, so can crackers
Obfuscation hides your IP, even if encryption is broken
How do Encryption, Hashing, and Obfuscation Compare?
                   Reversible? (not lossy)   One-to-one?   Acceptable for Active Data?   Can be reversed?
Encryption         Y                         Y             N                             Y
One-Way Hashing    N                         Y             N                             N
Obfuscation        N                         N             Y                             N
General Obfuscation Transforms
Symbol renaming
Removal of unnecessary metadata
Modification of control flow
String encryption
Compaction
Renaming
The first line of defense
Replace meaningful names with non-meaningful ones
Confuses human readers of decompiled output
What Can Be Renamed?
Types, Interfaces, Methods, Fields, etc.
Common Scenarios
Preserve public API to assembly
Obfuscate “private API” across assemblies
Obfuscate all names in standalone assembly
Renaming Constraints
Preserve method override relationships and interface contracts
Names must be consistent throughout class hierarchies
Renaming Algorithms
Hashing (1:1)
A new name for each original name
Overload Induction
Generate names optimally. Use as few unique names as possible within any given scope.
Overload Induction™
Patented algorithm to induce method overloading
Rename as many methods as possible to the same name
Provably irreversible
GetPayroll() becomes a()
MakeDeposit(float amount) becomes a(float a)
SendPayment(String dest) becomes a(String a)
Enhanced Overload Induction
Use method’s return type as a criterion in determining method uniqueness
Allows up to 15 percent more name redundancy
Typically not allowed in high level source languages
Further hinders decompilers
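A simplified greedy model of the renaming idea on the last two slides, added here as an illustration; it is not PreEmptive's patented algorithm and ignores the class-hierarchy constraints. The return types and the `GetBalance` and `GetOwner` methods are assumptions; the first three method names are the slide's.

```python
# Constructed sample scope: (original name, parameter types, return type).
# The first three names come from the slide; the return types and the last
# two methods are assumptions added so that name collisions become visible.
METHODS = [
    ("GetPayroll", (), "float"),
    ("MakeDeposit", ("float",), "void"),
    ("SendPayment", ("String",), "void"),
    ("GetBalance", (), "float"),
    ("GetOwner", (), "String"),
]

def nth_name(i):
    """0 -> a, 25 -> z, 26 -> aa, ..."""
    s, i = "", i + 1
    while i:
        i, r = divmod(i - 1, 26)
        s = chr(97 + r) + s
    return s

def induce(methods, use_return_type=False):
    """Give each method the first short name not yet used with its signature."""
    taken = set()   # (new name, signature key) pairs already used in this scope
    mapping = {}
    for name, params, ret in methods:
        # Enhanced variant: the return type also distinguishes two methods,
        # which IL permits but high-level source languages typically do not.
        key = (params, ret) if use_return_type else params
        i = 0
        while (nth_name(i), key) in taken:
            i += 1
        taken.add((nth_name(i), key))
        mapping[name] = nth_name(i)
    return mapping

def originals_for(mapping, new_name):
    """All original names that collapsed onto one obfuscated name."""
    return [old for old, new in mapping.items() if new == new_name]

if __name__ == "__main__":
    print(induce(METHODS))
    print(induce(METHODS, use_return_type=True))
```

With parameter types only, the five methods need three names; with the return type in the key they need two, and `a` alone no longer tells a reader which original it was.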
Renaming Summary
Foils human readers
Overload Induction destroys original method overload relationships
Decreases size of application
Does not hurt performance
Metadata Removal
Not all metadata is required to execute an application
Properties, Events, Parameter names
This information can be stripped out
Decreases size of the application
Does not hurt performance
Control-Flow Obfuscation
Makes program logic harder to follow
Equivalent to original logic
Thwarts humans and decompilers
Decompilers look for clues to reproduce high level statements (e.g. for loops)
Control-Flow Algorithms
Block Re-Ordering
Jumbles blocks of instructions
Destroys clues used by decompilers
“goto considered beneficial”
“Opaque Predicates”
Adds dummy “if” statements that are runtime deterministic (e.g. always evaluate to “true”)
Does not confuse decompilers
Control-Flow Summary
Foils humans and decompilers
Increases the size of methods
Can hurt performance (<1%)
String Encryption
String literals are compiled into the application
String Encryption raises the bar against cracking attacks
Hide sensitive information
Hide clues about what code is doing
String Encryption Summary
Strings decrypted at runtime, on demand
Same limitations as application encryption
Foils string based cracker attacks
Increases application size
Can hurt performance
Compaction
Not obfuscation, but possible for an obfuscator to perform
Analyze the set of input assemblies
Remove unused elements
Configurable to allow for dynamic applications
Compaction
A smaller app transfers, loads and runs faster
Microsoft .NET Framework Compact Framework apps
Distributed apps
Dotfuscator™ Community Edition
A lite version that performs overload induction renaming
Integrated in Visual Studio®.NET™ 2003
Full configurability and renaming protection
The Solution…
Dotfuscator has:
The strongest renaming algorithm in the industry — patented
Metadata removal
Use command line interface or GUI
Configuration File
Stores obfuscation settings
XML format
Create and maintain from GUI or Command line
Using Dotfuscator
Minimum information necessary to configure Dotfuscator:
Input Assembly
Map File Location
Output Directory
We will configure Dotfuscator for the Vexed.NET game
Configure and Run Dotfuscator
See results in ILDASM and Anakrino
demo
Dotfuscator Configuration Details
Examine the “map” file
demo
The Map File
Specify location on the “Renaming Options Tab”
An XML formatted file
Links original to obfuscated names
Keep this file in a secure place
From the Command Line
Run with or without a config file
Override options in a template config
Create a new config file
Launch the GUI with options and/or a config file
When Should I Obfuscate?
After I ship?
The day before I need to ship?
Integrated in the build process right from the start?
Where should obfuscation occur in the build process?
During Design?
After testing (regression, etc.)?
Before testing?
I don’t do testing…
Strong Named Assemblies
Obfuscation modifies the assembly
Use delay signing
Complete signing after obfuscation
Effect on Debugging
Stack Traces are Less Informative
System.Exception: You have an error
at cv.c()
at cv..ctor(Hashtable A_0)
at ar.j(di A_0)
at ae.Main(String[] A_0)
Use the Map File to recover original names
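An added example of recovering names from the stack trace on this slide; it is not Dotfuscator tooling. The map layout is a simplified, constructed one (not the real map file schema) and every original name in it is invented. Because overload induction reuses names, the lookup keys on type, method and parameter types together.

```python
import re
import xml.etree.ElementTree as ET

# Constructed map, simplified layout (not Dotfuscator's real schema); names invented.
MAP_XML = """<map>
  <type old="Game.Board" new="cv">
    <method old="Undo" new="c" sig=""/>
    <method old="Redo" new="c" sig="int"/>
  </type>
  <type old="Game.Loader" new="ar">
    <method old="Load" new="j" sig="di"/>
  </type>
  <type old="Game.Level" new="di"/>
  <type old="Game.Program" new="ae"/>
</map>"""

# Stack trace as shown on the slide above.
TRACE = """System.Exception: You have an error
   at cv.c()
   at cv..ctor(Hashtable A_0)
   at ar.j(di A_0)
   at ae.Main(String[] A_0)"""

FRAME = re.compile(r"^(\s*at )([\w.]+?)\.(\.?\w+)\((.*)\)$")

def load_map(xml_text):
    """Return (obfuscated type -> original, (type, method, sig) -> original)."""
    types, methods = {}, {}
    for t in ET.fromstring(xml_text).iter("type"):
        types[t.get("new")] = t.get("old")
        for m in t.iter("method"):
            # Overload induction reuses names, so the signature is part of the key.
            methods[(t.get("new"), m.get("new"), m.get("sig"))] = m.get("old")
    return types, methods

def decode(trace, types, methods):
    """Rewrite each 'at Type.Method(args)' frame with original names."""
    out = []
    for line in trace.splitlines():
        f = FRAME.match(line)
        if not f:
            out.append(line)  # exception message and other text pass through
            continue
        lead, typ, meth, args = f.groups()
        params = [a.split() for a in args.split(", ")] if args else []
        sig = ",".join(p[0] for p in params)  # obfuscated parameter types
        shown = ", ".join(" ".join([types.get(p[0], p[0])] + p[1:]) for p in params)
        name = methods.get((typ, meth, sig), meth)  # .ctor and Main are not in the map
        out.append(f"{lead}{types.get(typ, typ)}.{name}({shown})")
    return "\n".join(out)
```

The same table that makes this trace readable undoes the renaming for anyone who holds it, which is why the map file is kept in a secure place.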
Dotfuscate
It’s easy
It gives you added protection and peace of mind
You can integrate it in your build process
Ask The Experts
Get Your Questions Answered
We will be available in the “Ask The Experts” area from noon to 2pm on 2 July 2003.
We will also be generally available at the PreEmptive/SoleaCom booth #A16
Resources…
ILDASM tutorial http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptutorials/html/il_dasm_tutorial.asp
Anakrino home page http://www.saurik.com/net/exemplar
Vexed.net home page http://vexeddotnet.benamotz.com
Dotfuscator home page http://www.preemptive.com/dotfuscator
Dotfuscator FAQ http://www.preemptive.com/dotfuscator/DotfuscatorFAQ.html
Suggested Reading And Resources
The tools you need to put technology to work!
TITLE    Available
Inside Microsoft .NET IL Assembler by Serge Lidin (Microsoft Press, 2002)    Today
Writing Secure Code by Michael Howard and David LeBlanc (Microsoft Press, 2003)    Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.