StIns4LLVM is a protection tool based on a result checking technique intended to secure sensitive pure functions. It was developed during the Software Integrity Protection Practical Course, Summer Term 2017 at Technical University Munich.
The workflow of StIns4LLVM consists of three main phases. First, it generates test cases using MACKE for every specified sensitive pure function. Next, a randomly constructed network of checkers determines where the guards are placed in the code. These guards attempt to verify whether a given function has been tampered with and, if so, call a response function. StIns4LLVM introduces delayed, probabilistic failures in the protected program when tampering is detected. More precisely, the response function is configured so that in 20% of cases it does nothing and continues the normal execution path of the binary, while in the other 80% it terminates the program after 0 to 9 seconds. Finally, the last phase of the protection tool injects the guards in the corresponding places and compiles the protected program.
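The guard and response behaviour described above, as an added C example that is not StIns4LLVM's own code. The test cases are constructed by hand rather than generated by MACKE, `add_tampered` is a hypothetical stand-in for a patched function, and using `alarm()` for the delay is an assumption about one way to obtain a delayed failure.

```c
#include <stdlib.h>
#include <unistd.h>

/* Constructed test case: inputs plus the result recorded before protection. */
struct rc_case { int a, b, expected; };
typedef int (*pure_fn)(int, int);

/* Sensitive pure function (name taken from the example configuration). */
static int add(int a, int b) { return a + b; }
/* Hypothetical stand-in for a patched copy of add(). */
static int add_tampered(int a, int b) { return a + b + 1; }

static const struct rc_case ADD_CASES[] = { {2, 3, 5}, {-7, 7, 0}, {1000, 24, 1024} };

/* Result check: re-run the function on known inputs and count mismatches. */
static int guard_check(pure_fn fn, const struct rc_case *c, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (fn(c[i].a, c[i].b) != c[i].expected) bad++;
    return bad;
}

/* Response policy from the text: 20% no action, 80% terminate after 0-9 s.
 * Returns -1 for "do nothing", otherwise the delay in seconds. */
static int response_delay(unsigned r) {
    if (r % 10 < 2) return -1;
    return (int)((r / 10) % 10);
}

/* Delayed failure: execution continues until the pending SIGALRM fires. */
static void response(void) {
    int d = response_delay((unsigned)rand());
    if (d < 0) return;
    if (d == 0) _exit(EXIT_FAILURE); /* alarm(0) would only cancel an alarm */
    alarm((unsigned)d);              /* default SIGALRM action kills the process */
}

/* Guard as it would sit at an injection point chosen by the checker network. */
static int guard_add(pure_fn fn) {
    int bad = guard_check(fn, ADD_CASES, sizeof ADD_CASES / sizeof ADD_CASES[0]);
    if (bad) response();
    return bad;
}

int main(void) {
    srand((unsigned)getpid());  /* vary the response between runs */
    return guard_add(add);      /* untampered function: guard stays silent */
}
```

Because the failure is delayed and only probabilistic, the point of termination does not line up with the guard that detected the mismatch.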
- Execute make in the project's top directory to build the tool.
- Compose a JSON configuration file according to this example (all keys are compulsory and self-explanatory):
  {
    "functionsRC" : ["mul", "add", "sub", "isValidLicenseKey", "addChar"],
    "program" : ["src/InterestingProgram.c"],
    "binary" : "InterestingProgram-rewritten",
    "connectivityRC" : 2,
    "syminputC" : "syminput/syminputC.py",
    "syminputBC" : "syminput/syminputBC.py",
    "verbose" : true
  }
- Finally, run StIns4LLVM, which will execute the LLVM pass on the provided source files, compile them, and place the resulting executable in the build folder:
  ./run.sh -f config.json