TY - JOUR
T1 - Control flow obfuscation with information flow tracking
AU - Chen, Haibo
AU - Yuan, Liwei
AU - Wu, Xi
AU - Zang, Binyu
AU - Huang, Bo
AU - Yew, Pen Chung
N1 - Copyright: Copyright 2012 Elsevier B.V., All rights reserved.
PY - 2009
Y1 - 2009
N2 - Recent micro-architectural research has proposed various schemes to enhance processors with additional tags to track various properties of a program. Such a technique, which is usually referred to as information flow tracking, has been widely applied to secure software execution (e.g., taint tracking), protect software privacy and improve performance (e.g., control speculation). In this paper, we propose a novel use of information flow tracking to obfuscate the whole control flow of a program with only modest performance degradation, to defeat malicious code injection, discourage software piracy and impede malware analysis. Specifically, we exploit two common features in information flow tracking: the architectural support for automatic propagation of tags and violation handling of tag misuses. Unlike other schemes that use tags as oracles to catch attacks (e.g., taint tracking) or speculation failures, we use the tags as flow-sensitive predicates to hide normal control flow transfers: the tags are used as predicates for control flow transfers to the violation handler, where the real control flow transfer happens. We have implemented a working prototype based on Itanium processors, by leveraging the hardware support for control speculation. Experimental results show that BOSH can obfuscate the whole control flow with only a mean of 26.7% (ranging from 4% to 59%) overhead on SPECINT2006. The increase in code size and compilation time is also modest.
KW - Control flow obfuscation
KW - Control speculation
KW - Information flow tracking
KW - Opaque predicate
UR - http://www.scopus.com/inward/record.url?scp=76749151451&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=76749151451&partnerID=8YFLogxK
U2 - 10.1145/1669112.1669162
DO - 10.1145/1669112.1669162
M3 - Conference article
AN - SCOPUS:76749151451
SN - 1072-4451
SP - 391
EP - 400
JO - Proceedings of the Annual International Symposium on Microarchitecture, MICRO
JF - Proceedings of the Annual International Symposium on Microarchitecture, MICRO
T2 - 42nd Annual IEEE/ACM International Symposium on Microarchitecture, Micro-42
Y2 - 12 December 2009 through 16 December 2009
ER -