An interpretation of NetEase Yidun's new-generation IoT security compiler Maze

I. Why did NetEase Yidun launch the security compiler Maze?

 

With the arrival of the 5G era, more and more IoT devices are entering our lives. IoT terminals, however, generally sit in a white-box environment, where an attacker can easily obtain the information needed for an attack; left unguarded, this is bound to have a significant impact on our lives. Code security is the foundation of all device security: if a device's code is unprotected or insufficiently protected, the result is not only leakage of core technology but also a threat to the stable operation of IoT devices.

 

At the same time, as security awareness grows and developers give more weight to performance, more and more mobile developers write their core logic or algorithms at the native layer. If the native layer is not adequately protected, an attacker can recover the core algorithm through reverse analysis, seriously harming the interests of the enterprise. And as the industry's level of reverse-engineering skill rises and reverse-engineering tools become more widely used, the barrier to cracking C/C++ binaries is gradually falling.

 

Based on these pain points and threats, NetEase Yidun developed the IoT security compiler Maze. Maze is a tool that applies encryption and obfuscation to source code at the C/C++ layer. It protects the firmware code of smart cars, smart cameras, smart home devices and similar products against cracking by reverse engineering, which would otherwise lead to security problems such as leakage of core technology and analysis of the code's execution flow.

 

A security compiler is similar to an ordinary compiler: it compiles C, C++ and other source code into binary code. The difference is that, at compile time, a security compiler applies protections such as control flow obfuscation and string encryption to the code, to keep an attacker from decompiling the binary with tools such as IDA Pro, analyzing the execution flow of the business code, and going on to tamper with it or steal core technology.

 

II. How Maze works: the "Labyrinth Matrix" technique

 

Maze's "Labyrinth Matrix" technique consists of two parts: logic obfuscation and scheduling logic.

 

2.1 Logic obfuscation

 

  • Control flow flattening

 

Control flow is an important expression of a function's logic, so control flow is taken here as the object of protection and of this description. Because a function's control flow is laid out as a sequence, reverse-engineering tools can analyze it and reconstruct the program's algorithm logic.

 

The Yidun security compiler's control flow flattening has a main dispatcher control the execution of the program's basic blocks. This scatters the relationships in the program's logic and greatly increases the difficulty of analysis for a reverse engineer. A schematic diagram follows:
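The dispatcher structure described above, as an added example; it is not NetEase Yidun's code or Maze's actual output. The function names and block ids are assumptions chosen for illustration. The same routine is written once with structured control flow and once flattened, so a reader can recognise the "switch inside a loop driven by a state variable" shape when it turns up in a decompiler:

```c
#include <stdio.h>

/* Original: the loop and the branch are visible as such in a decompiler. */
unsigned checksum_plain(const unsigned char *buf, unsigned len)
{
    unsigned sum = 0;
    for (unsigned i = 0; i < len; i++) {
        if (buf[i] & 1)
            sum += buf[i];
        else
            sum ^= buf[i];
    }
    return sum;
}

/* Flattened: each basic block is one case; the dispatcher loop selects
 * the next block from `state`, so the blocks no longer point at each other. */
unsigned checksum_flat(const unsigned char *buf, unsigned len)
{
    unsigned sum = 0, i = 0;
    unsigned state = 0x3a;                 /* block ids are arbitrary (assumed) */
    for (;;) {                             /* main dispatcher */
        switch (state) {
        case 0x3a:                         /* loop condition */
            state = (i < len) ? 0x91 : 0x5e;
            break;
        case 0x91:                         /* branch condition */
            state = (buf[i] & 1) ? 0x17 : 0xc4;
            break;
        case 0x17: sum += buf[i]; state = 0x68; break;   /* "then" block */
        case 0xc4: sum ^= buf[i]; state = 0x68; break;   /* "else" block */
        case 0x68: i++;           state = 0x3a; break;   /* loop increment */
        case 0x5e: return sum;                           /* exit block */
        default:   return 0;               /* never reached */
        }
    }
}

int main(void)
{
    const unsigned char sample[] = {1, 2, 3, 4};   /* constructed input */
    printf("plain=%u flat=%u\n",
           checksum_plain(sample, 4), checksum_flat(sample, 4));
    return 0;
}
```

Every block in the flattened version has the dispatcher as its only successor, so the control flow graph shows a hub with spokes instead of the loop and branch of the original.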

 

  • String encryption

 

Strings are the first significant entry point for reverse analysis of a function, so in the Yidun security compiler string encryption is enabled by default and recommended. As the figure shows, after protection the strings have disappeared, which protects the function.

 

  • Instruction substitution && bogus control flow

 

Because a function's control flow is an important entry point for an attacker's reverse analysis, the security compiler transforms control flow and instructions with semantically equivalent substitutions and bogus variants. It "enriches" the whole program's logic with a series of constructed logical predicates and equivalence-transformation rules, which greatly increases the difficulty of reverse analysis. Before-and-after diagrams of the transformation follow:
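An added example of the two ideas named above, equivalent instruction substitution and a constructed predicate guarding a bogus block; it is not Maze's output, and the function names and the particular identities chosen are assumptions for illustration. Both versions compute the same 32-bit result:

```c
#include <stdint.h>
#include <stdio.h>

/* Original arithmetic: one add, one subtract, one xor. */
uint32_t mix_plain(uint32_t a, uint32_t b)
{
    return (a + b) ^ (a - b);
}

uint32_t mix_obf(uint32_t a, uint32_t b)
{
    /* Substitution: a + b == (a ^ b) + 2*(a & b)   (mod 2^32) */
    uint32_t add = (a ^ b) + ((a & b) << 1);
    /* Substitution: a - b == a + ~b + 1            (two's complement) */
    uint32_t sub = a + ~b + 1u;
    /* Substitution: x ^ y == (x | y) - (x & y) */
    uint32_t r = (add | sub) - (add & sub);

    /* Opaque predicate: a*(a+1) is a product of consecutive integers,
     * so its low bit is always 0, also after wrapping mod 2^32. */
    if (((a * (a + 1u)) & 1u) == 0)
        return r;

    /* Bogus block: looks like real work to a static tool, never executes. */
    return r * 0x9e3779b1u + b;
}

/* Compare both versions over constructed edge-case inputs. */
int equivalent_on_samples(void)
{
    static const uint32_t s[] = {0u, 1u, 7u, 0x7fffffffu,
                                 0x80000000u, 0xffffffffu};
    const unsigned n = sizeof s / sizeof s[0];
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = 0; j < n; j++)
            if (mix_obf(s[i], s[j]) != mix_plain(s[i], s[j]))
                return 0;
    return 1;
}

int main(void)
{
    printf("mix_plain(7,3)=%u mix_obf(7,3)=%u equivalent=%d\n",
           (unsigned)mix_plain(7, 3), (unsigned)mix_obf(7, 3),
           equivalent_on_samples());
    return 0;
}
```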

 

 

2.2 Scheduling logic

 

  • Call hiding

 

An important part of a program's logic is expressed through the calls between its subroutines. The security compiler analyzes the call chains between functions and makes the call relationships more numerous and more complex, which has the effect of hiding the program's calls.

 

  • Indirect calls

 

To further increase the difficulty of analyzing the program, the call relationships between blocks are "fragmented" and reorganized, and a dynamic dispatch block structure is introduced to simulate the whole run of the program. Under both static and dynamic analysis, this makes the program harder to understand. The rendering after the transformation is as follows:

 

 

III. Comparison of the protection effect before and after

 

The following shows the effect before and after protection with the security compiler. After protection, the important strings that IDA's static analysis would show have disappeared, which brings some difficulty to static analysis.

 

Comparing the control flow before and after obfuscation shows that after protection the control flow becomes extremely complicated, which creates enormous difficulty for an attacker's analysis: not only static analysis, but dynamic analysis as well.

 

  

 

 

IV. Strength & compatibility

 

4.1 Compatibility

 

Maze's obfuscation is compatible with all C/C++ language features. It is suitable for client application development, where it is compatible with most NDK versions currently on the market, and also for embedded development; the obfuscation is an equivalent transformation, so function is the same before and after protection. This also makes it compatible with all customers on the system side, such as Windows, Linux and Mac.

 

4.2 Strength

 

We know that strength and performance are related to a certain extent: a given strength has to be paid for with some loss of performance. Maze weakens this correspondence as far as possible and looks for a balance, giving maximum protection strength at minimal performance loss, while offering flexible, fine-grained usage so that the best result can be achieved.

 

V. Summary

 

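With the well-known black-box packer protection, an attacker usually only needs to seize on one point found during analysis to make the whole protection "fall". Maze, within an acceptable range of performance and size, leaves the attacker in a "maze" state, getting more lost the further they go.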

 

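Seen this way, Maze is a new approach to secure code protection, with advantages such as greater flexibility, higher strength, good performance and size, and a good protection effect. For deployment, Maze supports lightweight deployment through scripts, and also allows flexible control over the strength and over which functions receive obfuscation protection. At the development level it supports NDK development and embedded development, and it is very flexible in use, compatible with Windows, Linux, Mac and other systems.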

 

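The IoT security compiler Maze is suitable for protecting the firmware code of smart cars, smart cameras, smart home devices and the like, and also for protecting mobile applications, avoiding security problems such as leakage of core technology and analysis of the code's execution flow caused by cracking through reverse engineering.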

 

You are welcome to try the NetEase Yidun IoT security compiler Maze for free.


Origin blog.csdn.net/yidunmarket/article/details/92785534