14 comments

[ 2.3 ms ] story [ 41.0 ms ] thread
It's theoretically interesting up until the point where he starts eliminating registers and moving things to memory addresses. Main memory is significantly slower to access than in-processor registers. Granted, if you are taking the mov-only computation engine to it's logical conclusion (as Domas does) you may be able to speed up the hardware architecture to compensate for these losses, but is there anything of actionable value to gain from such a process?

(i did really enjoy the talk, fwiw)

> you may be able to speed up the hardware architecture to compensate for these losses

It reminds me of the concept of Scratchpad memory: https://en.wikipedia.org/wiki/Scratchpad_memory

However, the main issue is with branches. As all code is executed all the time, the execution time is exponential in the number of basic blocks in the control-flow graph C program.

I wonder whether mov-oriented programming would a useful obfuscation technique for malware authors. I'd assume that typical disassemblers are not very helpful.
one talk I remember said as much. If i remember correctly, repeated obfuscation via self modifying code can increase code size dramatically, though a correlation to time complexity was not shown (and I don't remember how the code modified).
Obfuscation uses a lot of techniques including this. Redundancy also allows to create polymorphic code, that is which creates variable copies of itself.
Yes/no. Yes, because it's (slightly) harder to see what's executed. No, because AVs will soon get a rule like: basic block full of MOVs - flag it immediately. Some AVs even flag UPX packed executables by default, so it wouldn't be unexpected.
There is the demovfuscator, which de-obfuscates movfuscated programs reasonably well. This work was actually done by friends of mine; see their talk here: https://recon.cx/2016/talks/"Movfuscator-Be-Gone.html
Interesting, thanks for the link!

Was just about to ask if such a project exists.

I wonder if there are other OISC architectures that are harder to 'decompile'.

At around 34:30 in the talk he discusses this briefly, with the conclusion that you'd signature the data and also continue to monitor API calls etc. It wouldn't be such a big deal.
More Reductio ad singulum than Reductio ad absurdum :)
If anything, this video showcases the importance of doing proper bibliographic research before working on a new problem. SISC (single instruction set computer) or OISC (One Instruction Set Computer) have been in Hennessy and Patterson for dozens of years.
Except, that wasn't at all the point of this presentation...