Standard Control Flow Flattening is fundamentally broken
11 hours ago
- #reverse engineering
- #code obfuscation
- #static analysis
- Control Flow Flattening (CFF) in OLLVM/Hikari is structurally vulnerable to static analysis due to its reliance on a dispatch table in a data section, a writable state variable, and Mixed Boolean-Arithmetic (MBA) constants, all identifiable without dynamic analysis.
- CFFDispatchTracer, a Ghidra script, automatically resolves CFF dispatch entries by scanning for specific patterns, exploiting these invariants, and iteratively building a knowledge base, achieving up to 95.8% recovery in tested binaries.
- Tested production anti-tamper/anti-fraud SDKs, including a 1.2MB anti-fraud SDK, were fully deobfuscated in hours, revealing that complex obfuscation often only obscures simple operations like token passthroughs.
- CFF is weak compared to alternatives like code virtualization or server-side attestation, but remains widely deployed due to low overhead and open-source availability, creating a false sense of security.
- Vendors should adopt more robust techniques, such as code virtualization, diversified builds, or ephemeral code generation, to provide meaningful anti-tamper protection beyond what CFF offers.
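The three invariants named above (a dispatch table kept as data, one writable state variable, MBA-encoded state constants) are what make CFF statically resolvable. The following is an added example, not code from the article and not CFFDispatchTracer itself: a toy token check flattened in Python in the OLLVM style, followed by a resolver that rebuilds the original control-flow graph without executing a single block body. All block names, state constants and MBA operand splits are constructed for the illustration; the resolver stands in, at the source level, for what a Ghidra script would do against the compiled dispatcher.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MASK = 0xFFFFFFFF

# --- MBA encoding of constants (constructed) --------------------------------
# Identity: a + b == (a ^ b) + 2 * (a & b). The obfuscated code ships the
# operand pair (a, b) and recomputes the constant at runtime via the xor/and
# form, so no plain state constant appears in the instruction stream.
def mba_add(a: int, b: int) -> int:
    """Runtime form, as the flattened code executes it."""
    return ((a ^ b) + 2 * (a & b)) & MASK

def mba_fold(a: int, b: int) -> int:
    """Static form: the resolver applies the identity and gets the constant."""
    return (a + b) & MASK

def mba_split(c: int, salt: int) -> Tuple[int, int]:
    """Constructed encoder: any split with a + b == c (mod 2**32) will do."""
    return salt & MASK, (c - salt) & MASK

# --- Flattened routine: blocks + dispatch table + one state variable --------
@dataclass(frozen=True)
class Block:
    name: str
    body: Callable[[dict], None]                    # straight-line code
    succ: Tuple[Tuple[int, int], ...]               # MBA pairs for next state
    cond: Optional[Callable[[dict], bool]] = None   # branch: succ[0] if True

# Constructed state constants; in a binary these are the "random" values the
# dispatcher compares the state variable against.
S_B0, S_B1, S_B2, S_B3, S_EXIT = (0x11AD3F02, 0x7C40E9B1, 0x2E9D0A66,
                                  0x5501C7F3, 0x3B6F92D8)

def _b0(env): env["mixed"] = env["token"] ^ 0x5A
def _b1(env): pass                      # compare-only block
def _b2(env): env["ret"] = True
def _b3(env): env["ret"] = False

BLOCKS = (
    Block("B0", _b0, (mba_split(S_B1, 0x13579BDF),)),
    Block("B1", _b1, (mba_split(S_B2, 0x2468ACE0), mba_split(S_B3, 0x0BADF00D)),
          cond=lambda env: env["mixed"] == env["expected"]),
    Block("B2", _b2, (mba_split(S_EXIT, 0x600DCAFE),)),
    Block("B3", _b3, (mba_split(S_EXIT, 0x0DEFACED),)),
)
# The dispatch table lives in data: state constant -> index into BLOCKS.
DISPATCH: Dict[int, int] = {S_B0: 0, S_B1: 1, S_B2: 2, S_B3: 3}

def check_token_flattened(token: int, expected: int) -> bool:
    """Flattened equivalent of `return (token ^ 0x5A) == expected`."""
    env = {"token": token, "expected": expected}
    state = S_B0
    while state != S_EXIT:
        blk = BLOCKS[DISPATCH[state]]
        blk.body(env)
        taken = 0 if blk.cond is None or blk.cond(env) else 1
        state = mba_add(*blk.succ[taken])   # the single writable state var
    return env["ret"]

# --- Static resolver: fold MBA, look up the table, emit edges ---------------
def resolve_cfg(blocks, dispatch: Dict[int, int], exit_state: int) -> Dict[str, List[str]]:
    """Recover block-to-block edges from data alone; no block body is run.
    A folded constant that is absent from the table is reported, not guessed."""
    edges: Dict[str, List[str]] = {}
    for blk in blocks:
        targets = []
        for a, b in blk.succ:
            st = mba_fold(a, b)
            if st == exit_state:
                targets.append("EXIT")
            elif st in dispatch:
                targets.append(blocks[dispatch[st]].name)
            else:
                targets.append(f"UNRESOLVED:{st:#010x}")
        edges[blk.name] = targets
    return edges

def recovery_rate(edges: Dict[str, List[str]]) -> float:
    """Share of successor slots resolved to a concrete block or EXIT."""
    slots = [t for ts in edges.values() for t in ts]
    return sum(not t.startswith("UNRESOLVED") for t in slots) / len(slots)

if __name__ == "__main__":
    assert check_token_flattened(0x5A ^ 0x1234, 0x1234) is True
    cfg = resolve_cfg(BLOCKS, DISPATCH, S_EXIT)
    for src, dsts in cfg.items():
        print(f"{src} -> {', '.join(dsts)}")
    print(f"recovery: {recovery_rate(cfg):.1%}")
```

The point the example makes is the one the summary states: because every successor is a constant folded from data the binary must carry, the resolver never needs to run the protected code. Slots whose folded constant is missing from the table (for instance when a state value is derived from runtime input rather than an immediate) are left as UNRESOLVED rather than guessed, which is how partial recovery figures like the 95.8% quoted above come about.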