Introduction to Obfuscation Mohammad Mahmoody University of Virginia *some slides borrowed from abhi shelat



Code Obfuscation

• A program’s code can reveal how the program works. That might reveal secrets planted in the program.

• Obfuscation: the task of making programs ‘unintelligible’ while preserving their functionality.

[Hada00][BGIRSVY01]


OBFUSCATOR: P → Q = O(P)

1. Preserve the program’s functionality.

2. The resulting code does not “leak info” about P’s implementation in the eyes of computationally bounded distinguishers.


Why do we care?

• Software Protection: hiding the exact technologies used

• Software Patching

• Making private-key schemes public-key!

• Getting secure computation protocols from OWFs

• ..


Typical solutions are “best-effort”:

Variable renaming, anti-debugger provisions, nonsense instructions, encrypted code segments, ROT-13 encoding of strings and names...
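Why such layers are only best-effort, as an added example (not from the slides): each layer below is a fixed public encoding, so it is undone statically with no key. The sample string, the layering order and all function names are constructed for illustration.

```python
import codecs
import re

ESCAPE = re.compile(r"\\([0-7]{3})|%([0-9A-Fa-f]{2})")

def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")

def obfuscate(src: str) -> str:
    """Apply best-effort layers to ASCII text: ROT-13, then escape characters
    as octal (\\ooo) or percent (%XX) sequences, JavaScript-style."""
    out = []
    for i, ch in enumerate(rot13(src)):
        if i % 3 == 0:
            out.append("\\%03o" % ord(ch))
        elif i % 3 == 1 or not ch.isalnum():
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)  # leave some characters bare
    return "".join(out)

def decode_escapes(blob: str) -> str:
    """Resolve octal and percent escapes in one pass, without eval()."""
    def repl(m):
        return chr(int(m.group(1), 8)) if m.group(1) else chr(int(m.group(2), 16))
    return ESCAPE.sub(repl, blob)

def deobfuscate(blob: str) -> str:
    """Every layer is a fixed public encoding, so no key is needed."""
    return rot13(decode_escapes(blob))

# Constructed sample: a licence check with an embedded string.
SAMPLE = "if (key == 'A1-B2') unlock();"
HIDDEN = obfuscate(SAMPLE)
```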


Goal: Find obfuscation schemes with formal security definitions which rely on formal assumptions instead of human ones.


Defining Obfuscation: What is the Ideal?

• Like P in a black-box!

[Diagram: OBFUSCATOR applied to P; black box P with “Input to P” going in and “Output” coming out]


Defining Obfuscation: 1st Try

• Whatever one can do with O(P) could be done with

[Diagram: O(P) vs. black box P, with “Input to P” going in and “Output” coming out]

• Not possible: consider the goal of finding a code that does compute


Defining Obfuscation: 2nd Try

• Whatever one can do with O(P) could be ‘simulated’ using

• For every algorithm there is a simulator such that output of A(O(P)) is indistinguishable from output of

[Diagram: A(O(P)) vs. S with black box P; each outputs just one bit to a Distinguisher]


Virtual Black-Box Obfuscation

• O(.) is a randomized algorithm

• O(P) computes the same function as P does for all P

• |O(P)| |P|

• Time(O(P)(x)) poly(Time(P(x)))

• For every poly-time adversary A there is a simulator S and negligible :


Now that we have a good definition, let’s design some secure obfuscation method!


Celebrated results show impossibility in general for VBB

[HADA00][BGIRSVY01]

[GK05]

[HMS07]

[WEE05]

Some programs necessarily leak secret information about how they work


Reason behind Impossibility

[Diagram: for Q = O(P), run Q(Q): unbeatable advantage; versus black-box access, where S^P = S^Q]


Proof Sketch (reminiscent of halting problem)

• Consider that has random numbers planted in it

• Given input x, always outputs 0 unless:
  • If then output
  • If x is a program that on outputs then output the secret

• Easy to see: given any obfuscated code we can extract by running Q over Q. This is not possible through oracle access
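The counterexample sketched above, as an added example (not from the slides). Programs are modeled as Python source text; the names a, b, s for the planted random values and the helpers `execute`, `toy_obfuscate`, `extract_with_code` and `extract_with_oracle` are assumptions that follow the usual statement of the [BGIRSVY01] argument.

```python
import secrets

# Source template for P; a, b, s are the planted random values (names assumed).
P_TEMPLATE = '''
def run(x, execute):
    a, b, s = {a!r}, {b!r}, {s!r}
    if x == a:
        return b
    try:
        # Treat x as program text: if it maps a to b, release the secret s.
        if execute(x, a) == b:
            return s
    except Exception:
        pass
    return 0
'''

def execute(code: str, x: str):
    """Run program text `code` on input x in an empty namespace."""
    env = {}
    exec(code, env)
    return env["run"](x, execute)

def make_P():
    a, b, s = (secrets.token_hex(16) for _ in range(3))
    return P_TEMPLATE.format(a=a, b=b, s=s), s

def toy_obfuscate(code: str) -> str:
    """Stand-in for O: any functionality-preserving rewrite of the text."""
    return "# rewritten\n" + code

def extract_with_code(q_code: str):
    """Whoever holds the text of Q = O(P) runs Q on Q."""
    return execute(q_code, q_code)

def extract_with_oracle(oracle, tries: int = 2000):
    """Oracle access only: there is no program text for P to submit."""
    guesses = [secrets.token_hex(16) for _ in range(tries)]
    guesses.append("def run(x, execute):\n    return x\n")
    return {oracle(g) for g in guesses}
```

Running Q on its own text returns s no matter how the text was rewritten, while the oracle-only caller sees nothing but 0 except with negligible probability.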


Possible for point functions

If (x == input) {Output 1} else {Output 0}

[C97, CMR98, LPS04, DS05, W05]
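A point function hidden behind a salted hash, as an added example (not from the slides and not necessarily the construction of the cited papers). It is the common heuristic that is argued secure when the hash is modeled as a random oracle and the point has high entropy; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

def obfuscate_point(point: bytes) -> dict:
    """O is randomized: a fresh salt plus a salted hash replaces the point."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "tag": hashlib.sha256(salt + point).digest()}

def evaluate(obf: dict, x: bytes) -> int:
    """Same function as the plain program: 1 on the hidden point, else 0."""
    tag = hashlib.sha256(obf["salt"] + x).digest()
    return 1 if hmac.compare_digest(tag, obf["tag"]) else 0

def search(program, candidates):
    """What a code holder can do is what oracle access already allows:
    try candidate inputs one by one."""
    for c in candidates:
        if program(c) == 1:
            return c
    return None

# Constructed sample values.
HIGH_ENTROPY = secrets.token_bytes(32)
LOW_ENTROPY = b"1234"  # 4-digit PIN: small input space

obf_high = obfuscate_point(HIGH_ENTROPY)
obf_low = obfuscate_point(LOW_ENTROPY)
pins = [f"{i:04d}".encode() for i in range(10000)]
```

The low-entropy point falls to enumeration, but the same enumeration works against a black box, so nothing beyond oracle access is leaked; hiding the point in practice requires it to be drawn from a large space.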


Hope: a “weaker” meaningful definition exists

• [BGIRSVY01] also introduced another obfuscation notion called “indistinguishability obfuscation” (IO) in their appendix!

• Spoiler: IO is the current champion.


Indistinguishability obfuscation implied by VBB

• Suppose P and R are two programs computing same function

• IO: For all equivalent circuits of same size : is indistinguishable from

[Diagram: A(O(P)) ≈ S^P ≈ S^R ≈ A(O(R)); each outputs just one bit]


Why is IO considered a big thing?

• “Candidate Indistinguishability Obfuscation…” by Garg, Gentry, Halevi, Raykova, Sahai, Waters, in 2013 proposed the first scheme conjectured to be a secure IO

• Sahai-Waters (2013) showed how to get “main” crypto primitives assuming IO and “”

• Since then, tens of papers getting cool stuff using IO alone!


Can we rule out IO like we did for VBB?

• Answer: sort of … no

• Theorem: If then perfectly secure IO exists!

• Interpretation: We cannot just use IO, we need to assume “ too

• Proof sketch: polynomial hierarchy collapses, so we can efficiently find the smallest circuit Q that computes P; outputting Q is a perfect IO obfuscation!


Power of IO: IO + one-way functions

• Suppose O is a secure IO and using random bits for circuits of size

• Let be a trivial circuit of size that outputs all the time!

• Theorem: for is one way unless “P = NP”

• Proof sketch:

• Interpretation: From now on we assume IO+OWFs but it is just the same as assuming IO + ( )


Recap

• VBB is the stronger type of obfuscation, but it cannot exist for all circuits

• VBB could be achieved (probably) for a limited class of functions though

• IO is the weaker type of obfuscation, and it seems it probably exists

• A lot of interesting things can be done by only using IO + BPP != NP