ROPfuscator is a research proof of concept and is not intended for production use. The authors do not take any responsibility or liability for the use of the software. Please exercise caution and use at your own risk.
ROPfuscator is a fine-grained code obfuscation framework for LLVM-supported languages using ROP (return-oriented programming). ROPfuscator obfuscates a program at the assembly code level by transforming regular instructions into ROP chains, thwarting our natural conception of normal control flow. It is implemented as an extension to the LLVM (10.0.1) x86 backend.
For build, usage and implementation, see individual documents:
@inproceedings{depasquale2023ropfuscator,
title={ROPfuscator: Robust Obfuscation with ROP},
author={De Pasquale, Giulio and Nakanishi, Fukutomo and Ferla, Daniele and Cavallaro, Lorenzo},
booktitle={2023 IEEE Security and Privacy Workshops (SPW)},
pages={1--10},
year={2023},
organization={IEEE}
}
This project aims to provide an improved version of ROPfuscator with a strong focus on reproducibility and ease of integration. We have made several key enhancements in this repository, as outlined below.
ROPfuscator now leverages Nix, a powerful declarative package manager that allows for reliable and reproducible builds. Nix provides several benefits:
ROPfuscator provides a Nix flake exposing ROPfuscator's stdenvs and various helper functions used to natively compile Nix derivations, without applying any modification to the build system of the project to be built.
The evaluation process has been rewritten from scratch, taking full advantage of the Nix package manager. This ensures a more reliable and transparent evaluation, which will be the foundation for future work on ROPfuscator.
ROPfuscator can now transparently attempt to obfuscate any package present in the upstream Nix package repository, nixpkgs, without requiring any modifications. This allows Nix users to seamlessly integrate ROPfuscator into their existing workflows and test its capabilities.
ROPfuscator can target a single project, obfuscating only the object files pertinent to the project itself, or it can obfuscate the target along with all its dependencies.
Install Nix (the package manager) and make sure that its daemon is running.
Flakes allow you to specify your code's dependencies in a declarative way, and they make it easy to specify inputs and outputs for projects. ROPfuscator exposes several outputs, so Nix must be configured to use flakes.
Here is a step-by-step process on how to enable them.
This step allows leveraging ROPfuscator's cache repository to avoid recompiling the project and all its dependencies from scratch. This step is optional but recommended.
To enable ROPfuscator's cache, first install cachix:
nix-env -iA cachix -f https://cachix.org/api/v1/install
Then, configure nix.conf to use the binary cache:
cachix use ropfuscator
The final step is to build ROPfuscator. This can be achieved by invoking:
nix build github:ropfuscator/ropfuscator -L
If you want to drop into a shell configured to use ROPfuscator by default, just invoke:
nix shell github:ropfuscator/ropfuscator
ROPfuscator can be used to obfuscate packages that are present in the Nixpkgs repository. Currently, we are using a custom fork because some upstream packages were not properly configured for cross-compilation. Although we have already submitted some of the patches upstream, there is still some work to be done for a seamless experience.
To get started, follow the first two steps listed above and install Nix. Then, copy flake-example.nix into a directory, renaming it to flake.nix:
mkdir -p ropfuscator-example && cd ropfuscator-example
cp ../flake-example.nix flake.nix
At this point, you can build the two packages defined in the flake: hello and obfuscatedHello.
To build obfuscatedHello, use:
nix build .#obfuscatedHello -L
Similarly, to build hello, run:
nix build .#hello -L
We combine the following obfuscation layers to achieve robust obfuscation against several attacks.
ROPfuscator can be configured through TOML configuration files. This repository includes the following pre-made configurations:
Each configuration can be further customized with the options available in the configuration table in the README.
We encourage collaboration and are open to discussing potential extensions or improvements to the project. If you are interested in contributing, please reach out to us or open an issue.
Thank you for your support!