R1kk3r edited this page Jun 29, 2017 · 23 revisions

What is the purpose of Obfuscator-LLVM?

The main goal of Obfuscator-LLVM is to strengthen software against reverse engineering and modification, at compilation time.

What is obfuscation?

According to Wikipedia, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Software reverse engineering is an operation performed to understand how software works; people use it for several reasons, legitimate or not: understanding undocumented APIs or protocols, vulnerability discovery, intellectual property theft, malware analysis, circumvention of licensing mechanisms, etc.

What is tamper-proofing?

Software tamper-proofing consists of generating code that is able to detect modifications and to react to them. Currently, Obfuscator-LLVM does not implement code tamper-proofing, but we are working on it intensely.

How secure is Obfuscator-LLVM?

For the moment, Obfuscator-LLVM should not be considered very secure. By this, we mean that it is likely to slow down an average reverse engineer, but it will probably not make the work of a skilled reverse engineer extremely difficult. In particular, the fact that constant data and buffers are not scrambled for the moment helps the reverse-engineering process a lot. Of course, we expect that future releases will increase the security level significantly.

How much slower is obfuscated code?

Obfuscated code will certainly be slower than unprotected code, but it is very difficult to give a generic answer to this question, as it depends on many different parameters (nature of the code, obfuscating probabilities, optimizations used, etc.). You must also expect the code size to grow.

Which programming languages are supported by Obfuscator-LLVM?

The Clang front-end supports C, C++, Objective-C and Objective-C++. Additionally, one can use LLVM as a GCC back-end through the DragonEgg plugin. DragonEgg fully supports Ada, C, C++ and Fortran and it has partial support for Go, Java, Objective-C as well as Objective-C++.

Which target platforms are supported by Obfuscator-LLVM?

As Obfuscator-LLVM currently works on the Intermediate Representation (IR), it supports all platforms supported by LLVM, i.e., x86, x86-64, PowerPC, PowerPC-64, ARM, Thumb, SPARC, Alpha, CellSPU, MIPS, MSP430, SystemZ, and XCore. DragonEgg, for its part, supports the x86-32, x86-64 and ARM processor families.

How are you testing Obfuscator-LLVM?

Obviously, ensuring that a compiler produces functionally correct code is not an easy task. We currently test on several cryptographic libraries that possess extensive test suites, like OpenSSL, GMP and libtomcrypt, to verify that the produced code is correct. We have also tested it on non-cryptographic software, like MySQL and ImageMagick.

Can I use Obfuscator-LLVM in production code?

Probably not! At the moment, although we are pretty confident that it works correctly, Obfuscator-LLVM probably needs far more testing in many different conditions and scenarios before one can use it in production code. Consider it an advanced prototype!

Why publish an obfuscating compiler as open-source code? Isn't code obfuscation security by obscurity?

It is true that, in a certain way, implementing software protection techniques is bringing security by obscurity to software. However, we feel that it must be possible to audit the inner working of an obfuscating compiler, in order to rule out backdoor insertions. The price to pay is that automated reverse-engineering tools specifically targeting Obfuscator-LLVM will be easier to write.

How can I cite Obfuscator-LLVM in an academic context?

You can cite Obfuscator-LLVM using the following BibTeX entry:

  author={Pascal Junod and Julien Rinaldini and Johan Wehrli and Julie Michielin},
  booktitle={Proceedings of the {IEEE/ACM} 1st International Workshop on Software Protection, {SPRO'15}, Firenze, Italy, May 19th, 2015},
  editor = {Brecht Wyseur},
  publisher = {IEEE},
  title={Obfuscator-{LLVM} -- Software Protection for the Masses},

How can I contribute to Obfuscator-LLVM?

Please read our How to Contribute page.

Obfuscator-LLVM appears to produce different binaries each time it is called. Why?

The inner workings of Obfuscator-LLVM are heavily randomized. They use a cryptographically secure pseudo-random number generator (PRNG) built around the AES-128 block cipher operated in counter mode. Every time the compiler is invoked, the PRNG is seeded through /dev/random. If you need to generate the same binary twice, you can seed the PRNG through the -mllvm -aesSeed=DEADBEEFDEADBEEFCAFEBABECAFEBABE compilation flag, providing the seed as a 128-bit value expressed in hexadecimal notation.
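
One way to pin the seed and check that a build is reproducible, as an added example that is not part of the original page or of the Obfuscator-LLVM project. The function names and the OLLVM_CC variable (path to the Obfuscator-LLVM clang binary) are assumptions, and the script draws its own seed from /dev/urandom.

```shell
#!/bin/sh
# Added example: pin the Obfuscator-LLVM PRNG seed and check that
# two compilations with the same seed give byte-identical output.
# OLLVM_CC is an assumed variable naming the Obfuscator-LLVM clang binary.

# Succeeds only for a 128-bit seed written as exactly 32 hex digits.
valid_seed() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Prints a fresh 128-bit seed as 32 uppercase hex digits.
gen_seed() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Prints the two compiler arguments that pin the PRNG seed.
seed_flags() {
    valid_seed "$1" || { echo "bad seed: need 32 hex digits" >&2; return 1; }
    printf '%s\n' "-mllvm -aesSeed=$1"
}

# Compiles source file $2 twice with seed $1; succeeds only if the
# two object files are byte-identical.
same_binary_twice() {
    flags=$(seed_flags "$1") || return 1
    tmp=$(mktemp -d) || return 1
    # $flags is left unquoted on purpose so it splits into two arguments.
    "${OLLVM_CC:-clang}" $flags -c "$2" -o "$tmp/a.o" &&
    "${OLLVM_CC:-clang}" $flags -c "$2" -o "$tmp/b.o" &&
    cmp -s "$tmp/a.o" "$tmp/b.o"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Keeping the value printed by gen_seed with the build record makes it possible to regenerate the same binary later with seed_flags.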

Why give such a tool freely to bad guys?

People writing malware, viruses, etc. already heavily use software obfuscation to slow down security analysts. They mainly use ad-hoc tools, some of which are public. But many software developers do not have access to strong software protection tools. Obfuscator-LLVM is there to fill the gap.
