TUM Logo

Combating Control Flow Linearization

Piracy is a persistent headache for software companies that try to protect their assets by investing both time and money. Program code obfuscation as a sub-field of software protection is a mechanism widely used toward this direction. However, effectively protecting a program against reverse-engineering and tampering turned out to be a highly non-trivial task that still is subject to ongoing research. Recently, a novel obfuscation technique called Control Flow Linearization (CFL) is gaining ground. While existing approaches try to complicate analysis by artificially increasing the control flow of a protected program, CFL takes the exact opposite direction: instead of increasing the complexity of the corresponding Control Flow Graph (CFG), the discussed obfuscation technique decreases the amount of nodes and edges in the CFG. In an extreme case, this means that the obfuscated program degenerates to one singular basic block, while still preserving its original semantics. In this paper, we present the DeMovfuscator, a system that is able to accurately break CFL obfuscation. DeMovfuscator can reconstruct the control flow, making only marginal assumptions about the execution environment of the obfuscated code. We evaluate both the performance and size overhead of CFL as well as the feasibility of our approach to deobfuscation. Overall, we show that even though CFL sounds like an ideal solution that can evade the state of the art deobfuscation approaches, it comes with its own limitations.

Combating Control Flow Linearization

32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)

Authors: Julian Kirsch, Clemens Jonischkeit, Thomas Kittel, Apostolis Zarras, and Claudia Eckert
Year/month: 2017/5
Booktitle: 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)
Fulltext: CFL.pdf

Abstract

Piracy is a persistent headache for software companies that try to protect their assets by investing both time and money. Program code obfuscation as a sub-field of software protection is a mechanism widely used toward this direction. However, effectively protecting a program against reverse-engineering and tampering turned out to be a highly non-trivial task that still is subject to ongoing research. Recently, a novel obfuscation technique called Control Flow Linearization (CFL) is gaining ground. While existing approaches try to complicate analysis by artificially increasing the control flow of a protected program, CFL takes the exact opposite direction: instead of increasing the complexity of the corresponding Control Flow Graph (CFG), the discussed obfuscation technique decreases the amount of nodes and edges in the CFG. In an extreme case, this means that the obfuscated program degenerates to one singular basic block, while still preserving its original semantics. In this paper, we present the DeMovfuscator, a system that is able to accurately break CFL obfuscation. DeMovfuscator can reconstruct the control flow, making only marginal assumptions about the execution environment of the obfuscated code. We evaluate both the performance and size overhead of CFL as well as the feasibility of our approach to deobfuscation. Overall, we show that even though CFL sounds like an ideal solution that can evade the state of the art deobfuscation approaches, it comes with its own limitations.

Bibtex:

@inproceedings { kirsch2017combating,
author = { Julian Kirsch and Clemens Jonischkeit and Thomas Kittel and Apostolis Zarras and Claudia Eckert},
title = { Combating Control Flow Linearization },
year = { 2017 },
month = { May },
booktitle = { 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC) },
url = {https://www.sec.in.tum.de/i20/publications/combating-control-flow-linearization/@@download/file/CFL.pdf}
}