Dual-Path Obfuscation Rewriting

• Dual-path obfuscation rewriting is a program transformation technique that reshapes a program's CFG into a non-isomorphic graph while maintaining its semantics.
• It uses a dual-path embedding strategy by mapping active (functional) nodes and inserting passive (no-op) nodes, complicating both static and dynamic analysis.
• The approach leverages random target graph generation and dual-path routing to ensure secure obfuscation with tunable trade-offs between security and performance.

Dual-path obfuscation rewriting is a program transformation technique designed to obfuscate a program’s control-flow graph (CFG) while ensuring semantic equivalence. The principal objective is to rewrite a code $P$ into a functionally equivalent code $P'$ such that $G' = \operatorname{CFG}(P')$ is non-isomorphic to the original $G = \operatorname{CFG}(P)$, thereby thwarting static and dynamic program analysis. This method achieves obfuscation at a structural level by decoupling observable CFG structure from program semantics via embedding the code into a larger, random target graph and weaving distinct active (semantic) and passive (semantic no-op) execution blocks, synchronized by a global routing variable (Géraud et al., 2017).

1. Restricted Control-Flow Graphs and Non-Isomorphism

A restricted control-flow graph $G(P) = (V, E)$ for a program $P$ is constructed where each node $v\in V$ corresponds to a straight-line block: a maximal sequence of instructions with a single entry point, no interior dynamic/indirect jumps, and terminating in a conditional or unconditional static jump, or a return. Edges $(x\to y)\in E$ arise when control can transfer from $x$ to $y$ by such jumps or by fall-through. Indirect jumps are excluded in the static CFG and handled separately during rewriting.

Two graphs, $G=(V, E)$ and $G'=(V', E')$, are isomorphic ($G\cong G'$) if there exists a bijection $\pi: V \to V'$ such that $$(u\to v)\in E \Leftrightarrow (\pi(u)\to\pi(v))\in E'$$. The main goal is constructing $P'$ such that $G' \not\cong G$.

2. Transcompilation via Dual-Path Embedding

The algorithm to obtain $P'$ with a radically different CFG consists of several conceptual stages:

1. Target Graph Generation: A random directed graph $T=(V', E')$ is generated with $|V'|\geq|V|$ and maximum out-degree 2.
2. Edge-Preserving Injection: An injective node mapping $\pi: V \to V'$ is identified, ensuring each $(a\to b)\in E$ has $(\pi(a)\to\pi(b))\in E'$.
3. Path Replacement Construction: For each $(a\to b)\in E$, a random simple path $f(a, b)=[s_1, ..., s_k]$ in $T$ connects $\pi(a)$ and $\pi(b)$. The set of all intermediate nodes $S$ comprises the "passive" nodes.
4. Node Annotation and Code Generation: Nodes in $A:=\pi(V)$ (active) represent functional code; nodes in $V'\setminus A$ (passive) house code fragments that enact identity state transformations.

The complete code $P'$ is linearized (e.g., by CompCert layout) as a contiguous array of blocks. Each block $v$ is instrumented with a context prologue: loading a per-block mask $m_v$ to distinguish active from passive behavior. Active blocks restore state and perform original computations, then update a global routing variable $r$ and dispatch to successors through masked jumps. Passive blocks execute register/memory-preserving no-ops and proceed linearly.

3. Dual-Path Routing and Onion Masking

Since out-degree is restricted to at most 2, each block $v\in V'$ has at most two successor blocks $v_L$ and $v_R$. A dedicated bit of the global routing variable $r$ at each active block determines whether the left or right path is followed. After executing active code, branching in $P'$ is realized by setting $r_v$ according to the original jump in $P$—either 0 (left) or 1 (right)—and applying a masked jump to $v_L$ or $v_R$.

To further complicate analysis, per-block "path" and "next_path" variables can be masked (e.g., via XOR of all intermediate node constants), implementing a form of weak onion routing. This design ensures that an adversary must reconstruct all masks along the execution chain to resolve the identity or role of even a single active block.

4. Formal Correctness and Functional Equivalence

The construction guarantees that $P'$ is functionally equivalent to $P$. Let $\Sigma$ denote global machine state. Each passive block implements $\varphi_v: \Sigma \to \Sigma$, the identity. Each active block $u=\pi(a)$ implements the state transform $\psi_a$ of block $a$ in $P$. Routing state is stored outside $P$'s original memory footprint to avoid semantic conflicts.

Equivalence Theorem:

For every execution path $\alpha=(a_0\to a_1\to\ldots\to a_n)$ in $G$ and input state $\sigma_0$, $P$ produces $$\sigma_n=\psi_{a_n}\circ\ldots\circ\psi_{a_0}(\sigma_0)$$. In $P'$, the corresponding path in $T$ traverses $$(\pi(a_0), u_1,\ldots, u_k=\pi(a_1), \ldots, \pi(a_n))$$, yielding $$\sigma_n'=(\cdots\circ\varphi_{u_{i-1}}\circ\psi_{a_i}\circ\varphi_{\cdots})(\sigma_0)$$. Since each passive $\varphi$ is the identity, $\sigma_n' = \sigma_n$.

5. Obfuscation Security: Static and Dynamic Resistance

Security derives from the indistinguishability of active and passive nodes in $P'$'s CFG. The only nontrivial computation occurs in active nodes $A=\pi(V)$. If an adversary can identify $A$, the original CFG can be recovered via $\pi^{-1}$. This is formalized by two challenge games:

• Full Recovery: Adversary must guess $N=\pi(V)$; probability is $1/\binom{n}{k}$.
• One Recovery: Guess single $v\in V'\setminus\{\text{entry}\}$; probability $k/n$.

For $n$ large and $k\approx n/2$, both probabilities are negligible or at most $1/2$.

Static analysis cannot decide activeness in general due to Rice's theorem: determining whether $P'$ at $v$ has semantic effect is undecidable. Dynamic analysis requires experimentally perturbing each of $n$ blocks and observing output change. Since identifying activeness per block may cost $O(n^2)$ steps (to reach erroneous output), this brute-force extraction has total complexity $O(n^3)$ in the worst case.

6. Concrete Example: Double-and-Add Routine

For illustration, consider a double-and-add routine with an original 6-node restricted CFG labeled $A,\ldots,F$. For each edge, a corresponding path in a 10-node random target graph $T$ is selected, e.g., mapping $A\to 1$, $B\to 4$, etc., with inserted passive paths for edges like $(E\to C)$ via nodes $[5,6,3]$. The new adjacency matrix $M_{G'}$ is thus a $10\times 10$ matrix with entries for active and passive connectivity, embedding the semantics-preserving transformations within a significantly altered graph structure.

Original Node	Mapped Node in $T$	Example Passive Path
A	1	—
B	4	—
C	7	[5,6,3] for (E→C)
D	2	—
E	9	—
F	10	—

Editor's term: Passive nodes act as "identity transformers" in this embedding.

7. Performance and Trade-off Considerations

The approach exhibits linear overheads. Each original CFG edge is replaced by a path of expected length $\ell$, inducing $O(|E|\cdot\ell)$ code-size growth. At each passive block, the code executes $O(1)$ cycles of masked no-ops; at active blocks, context save/restore and routing variable updates add minor overhead. If $T$ is not excessively large and $\ell=O(1)$, code-size and runtime increases are linear in $|P|$ and small in practice; the obfuscation level can be amplified by increasing path lengths, incurring higher overheads.

Implementation on x86-64 demonstrates highly tunable trade-offs between security and efficiency. The process yields a $P'$ with:

1. Functional equivalence to $P$ (via compositional invariants).
2. CFG drawn from a large family of random graphs, with overwhelming probability that $G'\not\cong G$.
3. Undecidable static distinguishability between active and passive blocks.
4. Dynamic CFG recovery requiring $O(n^3)$ time via exhaustive analysis.
5. Linear and tunable code and runtime overheads for practical use (Géraud et al., 2017).