Khaos: The Impact of Inter-procedural Code Obfuscation on Binary Diffing Techniques
Peihua Zhang, Chenggang Wu, Mingfan Peng, Kai Zeng, Ding Yu, Yuanming Lai, Yan Kang, Wei Wang, and Zhe Wang

TL;DR
This paper introduces Khaos, an inter-procedural code obfuscation method that moves code across functions to hinder binary diffing techniques, demonstrating significant reductions in diffing accuracy with minimal performance overhead.
Contribution
The paper presents a novel inter-procedural obfuscation mechanism, Khaos, using fission and fusion primitives to effectively counteract advanced binary diffing methods.
Findings
Khaos reduces diffing accuracy by less than 19%.
Khaos achieves this with less than 7% runtime overhead.
It outperforms existing intra-procedural obfuscation techniques.
Abstract
Software obfuscation techniques can prevent binary diffing techniques from locating vulnerable code by obfuscating the third-party code, to achieve the purpose of protecting embedded device software. With the rapid development of binary diffing techniques, they can achieve more and more accurate function matching and identification by extracting the features within the function. This makes existing software obfuscation techniques, which mainly focus on the intra-procedural code obfuscation, no longer effective. In this paper, we propose a new inter-procedural code obfuscation mechanism Khaos, which moves the code across functions to obfuscate the function by using compilation optimizations. Two obfuscation primitives are proposed to separate and aggregate the function, which are called fission and fusion respectively. A prototype of Khaos is implemented based on the LLVM compiler and…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software Testing and Debugging Techniques
