What is Tigress?

Tigress is a diversifying obfuscator for the C language that supports many novel defenses against both static and dynamic reverse engineering and de-virtualization attacks. Tigress supports two major transformations:

In addition, Tigress has a collection of supporting transformations that can help with resilience to attack, diversity, and stealth:

Tigress also supports three transformations designed to thwart particular static and dynamic analyses:

Design. Tigress is a source-to-source transformer built in OCaml on top of CIL and MyJit:

Tigress supports all of the C99 language, including gcc extensions. The source-to-source design means that the transformed code can be easily examined, which is useful in a pedagogical setting. Also, Tigress' output, once compiled and stripped of symbols, is a good target for reverse engineering and de-virtualization exercises. Tigress' design is similar to that of commercial tools, such as Cloakware/IRDETO's C/C++ Transcoder.

Diversity. Tigress is designed such that, from a single source program, it is possible to generate large numbers of highly diversified variants. This diversity is both static and dynamic, i.e. two variants will differ both in their machine code and in the resulting instruction traces. In essence, every decision Tigress makes is dependent on a randomization seed, controllable by the user. There are two major sources of diversity:
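An added sketch of the seed dependence described above, not Tigress code or output: a constructed five-opcode stack VM whose opcode byte values are shuffled by a seed, so two seeds give different bytecode for the same function. The VM, its opcode names and the LCG are assumptions made for illustration; the sketch shows only static diversity of one encoding choice, not Tigress's actual transformations.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy instruction set (an assumption, not Tigress's). */
enum { OP_ARG, OP_PUSH, OP_ADD, OP_MUL, OP_HALT, N_OPS };

/* Seed-dependent opcode encoding: Fisher-Yates shuffle driven by an LCG. */
static void make_encoding(unsigned seed, unsigned char enc[N_OPS]) {
    for (int i = 0; i < N_OPS; i++) enc[i] = (unsigned char)i;
    for (int i = N_OPS - 1; i > 0; i--) {
        seed = seed * 1103515245u + 12345u;  /* every choice depends on seed */
        int j = (int)(((seed >> 16) & 0x7fffu) % (unsigned)(i + 1));
        unsigned char t = enc[i]; enc[i] = enc[j]; enc[j] = t;
    }
}

/* Emit bytecode for f(x) = (x + 3) * 5 under the seed's encoding. */
static void emit_variant(unsigned seed, unsigned char code[8]) {
    unsigned char e[N_OPS];
    make_encoding(seed, e);
    unsigned char prog[8] = { e[OP_ARG], e[OP_PUSH], 3, e[OP_ADD],
                              e[OP_PUSH], 5, e[OP_MUL], e[OP_HALT] };
    memcpy(code, prog, sizeof prog);
}

/* Interpreter for one variant: it decodes with that seed's table only. */
static int run_variant(unsigned seed, int x) {
    unsigned char code[8], e[N_OPS];
    int stack[8], sp = 0, pc = 0;
    emit_variant(seed, code);
    make_encoding(seed, e);
    for (;;) {
        unsigned char op = code[pc++];
        if (op == e[OP_ARG]) stack[sp++] = x;
        else if (op == e[OP_PUSH]) stack[sp++] = code[pc++];
        else if (op == e[OP_ADD]) { sp--; stack[sp - 1] += stack[sp]; }
        else if (op == e[OP_MUL]) { sp--; stack[sp - 1] *= stack[sp]; }
        else return stack[sp - 1];  /* OP_HALT */
    }
}

/* Nonzero when two seeds yield byte-wise different bytecode. */
static int variants_differ(unsigned a, unsigned b) {
    unsigned char ca[8], cb[8];
    emit_variant(a, ca); emit_variant(b, cb);
    return memcmp(ca, cb, sizeof ca) != 0;
}

int main(void) {
    printf("%d %d differ=%d\n", run_variant(1, 4), run_variant(2, 4), variants_differ(1, 2));
    return 0;
}
```

Both variants compute the same result for any input, while a decoder written against one seed's opcode table misreads the other's bytecode.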

Usage. The user interacts with Tigress by giving an input C file, a seed, and a sequence of transformations: