Research On Code Protection Enhancement Technology Based On Call Graph Obfuscation

Posted on: 2023-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Zhang
GTID: 2558306620985659
Subject: Engineering

Abstract/Summary:
With the popularization of the network and the rapid development of computer technology, people’s lives are increasingly inseparable from a variety of computer software. However, while this software brings us convenience, it also provides opportunities for criminals. Attackers crack software through reverse analysis, and even exploit software vulnerabilities to attack the entire system. This not only harms the interests of software developers, but also threatens the privacy of users. How to protect software from attacks has therefore become a hot issue. The reverse engineer mainly analyzes the complete logic of the code based on the disassembly, control flow graph and call graph of the program. Adversarial techniques based on call graph obfuscation therefore have very important research significance for software security.

The KHAOS system is currently the most effective call graph obfuscation technology. Among its techniques, function fission converts part of the control flow relationship within a function into a calling relationship between functions, by extracting one or more code regions from the function to form a new function. However, function fission still has some shortcomings: the algorithm for selecting the fission region does not consider the execution frequency of the code, resulting in frequent function calls; and the ability to resist manual analysis based on the call graph is weak. This paper analyzes the existing problems of function fission from the aspects of performance overhead and protection strength, proposes an enhancement scheme for the function fission technology of the KHAOS system, and implements the enhanced function fission on the LLVM compiler. In tests on SPEC CPU 2006, compared with the function fission technology of the KHAOS system, the optimization scheme proposed in this paper has better results in performance overhead and protection strength, and can effectively resist manual analysis based on the call graph.

The main contributions of this paper include:
(1) We propose a hot and cold code region selection algorithm based on code execution frequency. The algorithm is based on a graph segmentation algorithm, with the dominator tree as the constraint condition for subgraph segmentation. Regions with low execution frequency are fissioned directly; for regions with high execution frequency, the performance cost caused by function fission is effectively reduced by balancing the cost and benefit of the partition.
(2) We inline the fissioned functions. Considering the size of the original function after fission and whether the call site is in a loop, the original function that meets the conditions is inlined.
(3) We change the direct call to the new function into an indirect call. Bogus function call relationships are built through indirect calls, and the correct call relationships are restored at run time by decrypting functions, which enhances the ability to resist manual analysis based on the call graph.
Keywords/Search Tags:Call Graph Obfuscation, LLVM, Function Fission, Code Frequency, Function Inline, Indirect Call
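
The function fission and indirect-call steps described in the abstract, as an added C example that is not code from the thesis or from KHAOS: a rarely executed branch is split out into its own function and reached through a table it shares with decoy functions. The function names, the decoys and the XOR-masked slot index (a stand-in for the decryption step, which the abstract does not specify) are assumptions, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Before: one function; the 0xFF branch is assumed to be rarely executed (cold). */
int digest_orig(const unsigned char *buf, size_t n) {
    int acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == 0xFF)
            acc = ((acc * 31) ^ 0x5A) & 0xFFFF;   /* cold region */
        else
            acc += buf[i];                        /* hot region stays in place */
    }
    return acc;
}

/* After fission: the cold region becomes its own function. */
static int digest_cold(int acc) { return ((acc * 31) ^ 0x5A) & 0xFFFF; }
/* Decoys (hypothetical): never selected at run time, but listed in the same table. */
static int decoy_a(int acc) { return acc + 1; }
static int decoy_b(int acc) { return acc ^ 0x33; }

typedef int (*region_fn)(int);
static region_fn const slots[4] = { decoy_a, decoy_b, digest_cold, decoy_a };

/* Stand-in for the run-time decryption step: the real slot index (2) is stored
   masked, and the mask comes from a volatile value so the compiler cannot fold
   the table lookup back into a direct call. */
static volatile uint8_t mask_seed = 0xA7;
enum { MASKED_SLOT = 2 ^ (0xA7 & 3) };

static region_fn resolve(void) {
    return slots[(MASKED_SLOT ^ (mask_seed & 3)) & 3];
}

int digest_fissioned(const unsigned char *buf, size_t n) {
    int acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == 0xFF)
            acc = resolve()(acc);   /* indirect call: the callee is not named here */
        else
            acc += buf[i];
    }
    return acc;
}

int main(void) {
    const unsigned char sample[] = {1, 2, 0xFF, 3};   /* constructed input */
    return digest_orig(sample, 4) == digest_fissioned(sample, 4) ? 0 : 1;
}
```

A call graph built from address-taken functions sees three possible callees at the indirect call site, only one of which is ever reached; keeping the hot `acc += buf[i]` path in the original function is what the frequency-based region selection in contribution (1) is meant to preserve.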