• Stars
    star
    125
  • Rank 286,335 (Top 6 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created over 2 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hardening code obfuscation against automated attacks

Loki: Hardening Code Obfuscation Against Automated Attacks

Loki is an academic obfuscator prototype developed to showcase novel VM handler hardening techniques.

It is based on our paper published at Usenix Security '22 (link):

@inproceedings{schloegel2022loki,
    author = {Moritz Schloegel and Tim Blazytko and Moritz Contag and Cornelius Aschermann and Julius Basler and Thorsten Holz and Ali Abbasi},
    title =  {{Loki}: Hardening Code Obfuscation Against Automated Attacks},
    year = {2022},
    booktitle = {USENIX Security Symposium} 
}

In this repository, we open-source our implementation and evaluation tooling. Please note that this is research code: Our academic prototype is not intended for use in production but provided as-is. Unless otherwise specified, all our code and data are licensed under AGPL3. Loki has been awarded the Artifact Available, Artifact Functional, and Artifact Reproduced badges by the Usenix Artifact Evaluation Committee.

Further Resources

We released an additional artifact on Zenodo which contains binaries and data produced during our evaluation.

Beyond our paper, a technical report with more details is available on arxiv.

Structure

This repository is structured as follows:

  1. loki: contains our prototype of an obfuscator, testcases, and a script to generate obfuscated targets
  2. lokiattack: contains our evaluation tooling to attack binaries obfuscated by Loki
  3. experiments: all experiments of our evaluation, documented and with scripts to reproduce them

Installation

The easiest way to use Loki is Docker.

Docker

We provide a Dockerfile and a few convenience/helper scripts. You either need to pull the image from Dockerhub or build it yourself.

Pull image from Dockerhub

For your convenience, you can pull the image from Dockerhub using our pull.sh script:

./pull.sh

When pulling the image, you don't have to build the docker image yourself. You can skip to Run docker container.

Build docker image

Instead of pulling the image from Dockerhub, you can build it yourself:

Run ./docker_build.sh -- the image name is set in docker_data/docker_config.sh. By default, this will use all available CPU cores (as determined by nproc). If this is not desired, set PARALLEL_JOBS in docker_build.sh to the number of cores you want to use.

In general, we recommend building and running this on a server with at least 64GB of RAM. Both for building the image and running the experiments, more CPU cores and higher amounts of RAM are beneficial. If running out of RAM, set PARALLEL_JOBS to a lower value.

Run docker container

Once you pulled the image from Dockerhub or you built it yourself, you can launch a container:

Run ./docker_run.sh twice: First time, the docker container is started. If running ./docker_run.sh while the container is running, you are connected (/bin/zsh). The bash and zsh history are saved (as is zshrc) in docker_data. This directory is available as volume within the container as /home/user/loki, which allows to copy files to/from the container.

Stop docker container

To stop (and delete) the container, run ./docker_stop.sh.

Steps within Docker & Dependencies

Once within the Docker container, install all tools and dependencies by running:

./setup.sh

This script will use all available cores (as determined by nproc). If this is not desired, set PARALLEL_JOBS in docker_data/zshrc to the number of cores you want to use. This environment variable is used by all build scripts, however, has no effect on experiment scripts.

Manual installation of dependencies

Alternatively, install the dependencies manually.

  1. Install Loki (and z3)
cd loki
./build.sh
  1. For LokiAttack, run:
cd lokiattack
python3 -m pip install --user -r requirements.txt
./install_triton.sh
  1. Finally, install Intel Pin for tracing needed by Experiment 2:
cd experiments/experiment_02_coverage/tracer
./install_pin.sh

Getting started

Once you built our docker container and installed the dependencies, you can either look at our experiments in experiments; their documentation and code are a good starting point to get familiar with the full functionality provided by Loki and LokiAttack.

If you are interested in obfuscation, head to loki, which is our prototype implementation capable of obfuscating code (with limitations). For practical uses, the high-level wrapper script obfuscate.py should be sufficient to generate obfuscated binaries. If you are interested in the deeper architecture, make sure to checkout Loki's two components:

  • translator: This C++ component is responsible for parsing the input program and lifting the to-be-obfuscated function. Once the second component has processed the input, the translator will compile the final binary.
  • obfuscator: This Rust component works on the lifted representation of the function and applies the actual obfuscation transformations.

If you are more interested in deobfuscation, look at lokiattack, which provides an attack framework that extracts all of Loki's handler, such that different attacks can be tested (e.g., taint analysis, symbolic execution, or program synthesis). We provide plugins for these techniques; if you come up with an own, write your own plugin! For most uses, our wrapper script run.py should provide a sufficient interface to unlock LokiAttack's capabilities.

Contact

For more information, contact m_u00d8 (@m_u00d8) or mrphrazer (@mr_phrazer).

More Repositories

1

DroneSecurity

DroneSecurity (NDSS 2023)
Python
945
star
2

kAFL

Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
Python
550
star
3

redqueen

Python
339
star
4

OMEN

OMEN: Ordered Markov ENumerator - Password Guesser
C
313
star
5

Microcode

Microcode Updates for the USENIX 2017 paper: Reverse Engineering x86 Processor Microcode
Python
297
star
6

syntia

Program synthesis based deobfuscation framework for the USENIX 2017 paper "Syntia: Synthesizing the Semantics of Obfuscated Code"
Python
296
star
7

mobile_sentinel

Python
187
star
8

nyx-net

Python
176
star
9

Nyx

USENIX 2021 - Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types
C
169
star
10

ijon

C
164
star
11

GANDCTAnalysis

Code for the ICML 2020 paper: Leveraging Frequency Analysis for Deep Fake Image Recognition.
Python
161
star
12

nautilus

a grammar based feedback fuzzer
Rust
158
star
13

aurora

Usenix Security 2021 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation
Rust
146
star
14

grimoire

Python
125
star
15

Password-Guessing-Framework

A Framework for Comparing Password Guessing Strategies
Python
120
star
16

Marx

Uncovering Class Hierarchies in C++ Programs
C++
114
star
17

antifuzz

AntiFuzz: Impeding Fuzzing Audits of Binary Executables
C
101
star
18

EthBMC

The code repository for the 2020 Usenix Security paper "EthBMC: A Bounded Model Checker for Smart Contracts"
Rust
91
star
19

WaveFake

Python
71
star
20

SiemensS7-Bootloader

Client utility for Siemens S7 bootloader special access feature
Python
55
star
21

NEMO

Modeling Password Guessability Using Markov Models
Python
54
star
22

gadget_synthesis

Esorics 2021 - Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains
Python
54
star
23

EvilCoder

Code for the paper EvilCoder: Automated Bug Insertion at ACSAC 2016
Java
42
star
24

JIT-Picker

Swift
34
star
25

cupid

Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing
C
29
star
26

Probfuscator

An Obfuscation Approach using Probabilistic Control Flows
C#
28
star
27

Hypercube

NDSS 2020 - HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
C
24
star
28

ijon-data

14
star
29

PrimGen

ACSAC 2018 paper: Towards Automated Generation of Exploitation Primitives for Web Browsers
HTML
13
star
30

adversarial-papers

TeX
12
star
31

DroneSecurity-Fuzzer

DroneSecurity Fuzzer (NDSS 2023)
11
star
32

dompteur

C++
10
star
33

we-value-your-privacy

Results and data from the paper "We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy"
9
star
34

VPS

VTable Pointer Separation
C++
7
star
35

APC

Android (Unlock) Pattern Classifier
Kotlin
6
star
36

WindowsVTV

MinGW for 32bit with Vtable pointer verification (VTV)
C++
6
star
37

nyx-net-profuzzbench

Shell
6
star
38

PriDi

Python
5
star
39

xTag-mtalloc

C
5
star
40

SUCI-artifacts

some PCAPs and logs
5
star
41

ASSS

Application-Specific Software Stacks
4
star
42

xTag

4
star
43

MiddleboxProtocolStudy

Auxiliary material for NDSS'20 paper: On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways
Python
4
star
44

Password-Strength-Meter-Accuracy

Measuring the Accuracy of Password Strength Meters
Python
3
star
45

uninformed-consent

Repo for material related to the CCS 2019 paper, "(Un)informed Consent: Studying GDPR Consent Notices in the Field"
3
star
46

be-the-phisher

Code related to the study presented in "Be the Phisher - Understanding Users’ Perception of Malicious Domains" @ AsiaCCS 2020
Jupyter Notebook
2
star
47

symtegrity

Code for the DIMVA 2018 paper "On the Weaknesses of Function Table Randomization"
2
star
48

MastersOfTime

2
star
49

libXSGS

Implementation of Delerablée and Pointcheval's eXtremely Short Group Signatures (XSGS)
Shell
2
star
50

xTag-llvm

C++
1
star
51

MachineCodeTimings

JavaScript
1
star
52

tropyhunter

TODO
Python
1
star
53

GDPR-fines

Supplemental Material for the PETS 2022 Paper "Investigating GDPR Fines in the Light of Data Flows"
Jupyter Notebook
1
star
54

GeneratedMediaSurvey

Jupyter Notebook
1
star