Awesome

Obfuscation Benchmarks

By Obfuscation Benchmarks we mean programs which can be obfuscated using different tools at: source code, intermediate representation and/or machine code level. The reason for obfuscating these programs can be (but is not limited) to compare the strength of different obfuscation transformations/implementations against both human-assisted and automated attacks. This repository contains the source code of C programs, which can be used as obfuscation benchmarks.

Description of Each Directory

• basic-algorithms contains typical algorithms taught in Bachelor level computer science and programming courses, e.g. factorial, sorting algorithms, searching algorithms, greatest common divisor, least common multiple, etc.
• resources contains archives of some of the tools we used for our experiments. We install these tools in an automated Docker build (instructions provided below), where one can play around with the tools and scripts provided in this repository, without the hassle of installing an configurating everything from scratch.
• simple-hash-functions contains non-cryptographic hash functions
• small-programs contains a set of 48 programs with few lines of code constructed by varying the following code characteristics:
  • Range of symbolic inputs
  • Number of symbolic inputs
  • Depth of nested control flow
  • Number of IF-statements
  • Number of input dependent IF-statements
  • Type of IF-condition
  • Number of loops
  • Number of input length dependent loops (e.g. if the input is 10 characters long, then the loop has 10 iterations)
  • Number of input value dependent loops (e.g. if the input is an integer equal to 100, then the loop has 100 iterations)
• tigress-generated-programs contains a large set of programs automatically generated by the RandomFuns transformation of the Tigress C Diversifier/Obfuscator by varying the following command line options:
  • Seed randomization seed
  • RandomFunsTypes data type of variables
  • RandomFuns Operators types of operators (e.g. arithmetic, logic)
  • RandomFunsControlStructures control structure of the program
  • RandomFunsBasicBlockSize the number of statements in each basic block
  • RandomFunsForBound the type of bound in loop conditions (e.g. constant, input dependent)
• scrips contains bash, Python and R scripts to obfuscate C programs using the Tigress and ollvm obfuscation tools and to perform a symbolic execution attack described a series of papers by Banescu et al. [1], [2] and [3]. For more details about how to use these scripts see README inside folder.

Automated Docker Build

Based on Ubuntu 14.04, having the following software installed:

• KLEE symbolic execution engine (latest Docker)
• Tigress C Obfuscator (version 2.2)
• SATGraf (version 0.2)
• Z3 SMT Solver (version 4.5.0)

Root credentials

• Username: klee
• Password: klee

Running the container in Ubuntu

To run GUI apps from the container execute the following command:

XSOCK=/tmp/.X11-unix
XAUTH=/tmp/.docker.xauth
touch $XAUTH
xauth nlist $DISPLAY | sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -
docker run -it --volume=$XSOCK:$XSOCK:rw \
               --volume=$XAUTH:$XAUTH:rw \
               --env="XAUTHORITY=${XAUTH}" \
               --env="DISPLAY" --user="klee" banescusebi/obfuscation-symex

If you also want to mount your current directoy to a directlory called test then replace the last command from above with:

docker run -it --volume=$XSOCK:$XSOCK:rw \
               --volume=$XAUTH:$XAUTH:rw \
               --env="XAUTHORITY=${XAUTH}" \
               --env="DISPLAY" --user="klee" \
               --mount type=bind,src="$(pwd)",dst=/home/klee/test \
               banescusebi/obfuscation-symex

Running the container in macOS X

This post helpful to follow in order to run GUI apps from the container on macOS X. For convenience we present the steps here:

brew install socat
socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\"

Install xQuartz either using the following commands or downloding the .dmg file from the website.

brew install xquartz

After installing xQuartz run the following command:

open -a XQuartz

In the preferences window of XQuartz, in the "Security" tab, check the "Allow connections from network clients" checkbox.

IP=$(ifconfig en0 | grep inet | awk '$1=="inet" {print $2}')
docker run -it -v /tmp/.X11-unix:/tmp/.X11-unix \
           -e DISPLAY=$IP:0 banescusebi/obfuscation-symex

References

1. Banescu, S., Ochoa, M., & Pretschner, A. (2015, May). A framework for measuring software obfuscation resilience against automated attacks. In Proceedings of the 1st International Workshop on Software Protection.
2. Banescu, S., Collberg, C., Ganesh, V., Newsham, Z., & Pretschner, A. (2016, December). Code obfuscation against symbolic execution attacks. In Proceedings of the 32nd Annual Conference on Computer Security Applications.
3. Banescu, S., Collberg, C., & Pretschner, A. (2017, August). Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning. In Proceedings of the 26th USENIX Security Symposium.
4. Banescu, S. E. (2017, August). Characterizing the Strength of Software Obfuscation Against Automated Attacks. Doctoral dissertation, Technische Universität München.