aegis_vm 0.2.52

Advanced Rust code virtualization and obfuscation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308

//! Integration tests for encrypted bytecode execution
//!
//! This demonstrates the full flow:
//! 1. Create VM bytecode
//! 2. Encrypt with AES-256-GCM
//! 3. Package with header
//! 4. Decrypt at runtime
//! 5. Execute through VM

use aegis_vm::{
    execute, VmError,
    bytecode::{BytecodeHeader, BytecodePackage, BytecodeFlags, ProtectionLevel},
    crypto::CryptoContext,
    build_config::opcodes::{stack, arithmetic, control, exec, register, native},
};

/// Helper: Execute encrypted bytecode
fn execute_encrypted(
    ctx: &CryptoContext,
    package: &BytecodePackage,
    input: &[u8],
) -> Result<u64, VmError> {
    // Check if encrypted
    if !package.header.is_encrypted() {
        // Plaintext execution
        return execute(&package.code, input);
    }

    // Decrypt
    let decrypted = ctx.decrypt(
        &package.code,
        &package.header.nonce,
        &package.header.tag,
    )?;

    // Execute
    execute(&decrypted, input)
}

#[test]
fn test_encrypted_simple_addition() {
    // Create bytecode: 40 + 2 = 42
    let bytecode = [
        stack::PUSH_IMM8, 40,
        stack::PUSH_IMM8, 2,
        arithmetic::ADD,
        exec::HALT,
    ];

    // Create crypto context with test seed
    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    // Encrypt bytecode
    let (ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    // Create package with header
    let mut header = BytecodeHeader::new(
        ctx.build_id,
        1234567890,
        BytecodeFlags::Encrypted as u16,
    );
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage {
        header,
        code: ciphertext,
    };

    // Execute encrypted bytecode
    let result = execute_encrypted(&ctx, &package, &[]).unwrap();
    assert_eq!(result, 42);
}

#[test]
fn test_encrypted_complex_arithmetic() {
    // Complex arithmetic: ((100 * 3) + 50) - 8 = 342
    let bytecode = [
        stack::PUSH_IMM8, 100,
        stack::PUSH_IMM8, 3,
        arithmetic::MUL,    // 300
        stack::PUSH_IMM8, 50,
        arithmetic::ADD,    // 350
        stack::PUSH_IMM8, 8,
        arithmetic::SUB,    // 342
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    let (ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    let mut header = BytecodeHeader::new(ctx.build_id, 0, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    let result = execute_encrypted(&ctx, &package, &[]).unwrap();
    assert_eq!(result, 342);
}

#[test]
fn test_encrypted_with_input() {
    // Read input u64 and add 10
    let bytecode = [
        native::NATIVE_READ, 0x00, 0x00,  // Read u64 at offset 0
        stack::PUSH_IMM8, 10,
        arithmetic::ADD,
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    let (ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    let mut header = BytecodeHeader::new(ctx.build_id, 0, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    // Input: u64 value 32, expected output: 32 + 10 = 42
    let input = 32u64.to_le_bytes();
    let result = execute_encrypted(&ctx, &package, &input).unwrap();
    assert_eq!(result, 42);
}

#[test]
fn test_encrypted_loop() {
    // Sum 1 to 5 = 15
    let bytecode = [
        // R0 = 5 (counter)
        register::MOV_IMM, 0, 5, 0, 0, 0, 0, 0, 0, 0,
        // R1 = 0 (sum)
        register::MOV_IMM, 1, 0, 0, 0, 0, 0, 0, 0, 0,
        // loop:
        stack::PUSH_REG, 0,        // push counter
        stack::PUSH_REG, 1,        // push sum
        arithmetic::ADD,           // sum + counter
        stack::POP_REG, 1,         // store in R1
        stack::PUSH_REG, 0,        // push counter
        arithmetic::DEC,           // counter--
        stack::DUP,                // dup for check
        stack::POP_REG, 0,         // store back
        stack::PUSH_IMM8, 0,
        arithmetic::SUB,
        control::JNZ, (256 - 19) as u8, 0xFF,
        stack::PUSH_REG, 1,
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    let (ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    let mut header = BytecodeHeader::new(ctx.build_id, 0, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    let result = execute_encrypted(&ctx, &package, &[]).unwrap();
    assert_eq!(result, 15);
}

#[test]
fn test_tampered_encrypted_bytecode_fails() {
    let bytecode = [
        stack::PUSH_IMM8, 42,
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    let (mut ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    // Tamper with ciphertext
    if !ciphertext.is_empty() {
        ciphertext[0] ^= 0xFF;
    }

    let mut header = BytecodeHeader::new(ctx.build_id, 0, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    // Decryption should fail due to authentication
    let result = execute_encrypted(&ctx, &package, &[]);
    assert!(result.is_err());
}

/// Test that wrong key fails decryption
/// Note: When whitebox feature is enabled, CryptoContext always uses build-time
/// derived keys, so this test only applies to non-whitebox mode.
#[test]
#[cfg(not(feature = "whitebox"))]
fn test_wrong_key_fails() {
    let bytecode = [
        stack::PUSH_IMM8, 42,
        exec::HALT,
    ];

    // Encrypt with one key
    let seed1 = [0x42u8; 32];
    let mut ctx1 = CryptoContext::new(seed1);

    let (ciphertext, nonce, tag) = ctx1.encrypt(&bytecode).unwrap();

    let mut header = BytecodeHeader::new(ctx1.build_id, 0, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    // Try to decrypt with different key
    let seed2 = [0x43u8; 32];
    let ctx2 = CryptoContext::new(seed2);

    let result = execute_encrypted(&ctx2, &package, &[]);
    assert!(result.is_err());
}

#[test]
fn test_plaintext_mode() {
    // Test plaintext (debug) mode - no encryption
    let bytecode = vec![
        stack::PUSH_IMM8, 42,
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let ctx = CryptoContext::new(seed);

    // Create package without encryption flag
    let mut header = BytecodeHeader::new(ctx.build_id, 0, 0);  // No flags = plaintext
    header.code_len = bytecode.len() as u32;

    let package = BytecodePackage { header, code: bytecode };

    let result = execute_encrypted(&ctx, &package, &[]).unwrap();
    assert_eq!(result, 42);
}

#[test]
fn test_package_serialization() {
    let bytecode = [
        stack::PUSH_IMM8, 42,
        exec::HALT,
    ];

    let seed = [0x42u8; 32];
    let mut ctx = CryptoContext::new(seed);

    let (ciphertext, nonce, tag) = ctx.encrypt(&bytecode).unwrap();

    let mut header = BytecodeHeader::new(ctx.build_id, 1234567890, BytecodeFlags::Encrypted as u16);
    header.nonce = nonce;
    header.tag = tag;
    header.code_len = ciphertext.len() as u32;

    let package = BytecodePackage { header, code: ciphertext };

    // Serialize to bytes
    let serialized = package.to_bytes();

    // Deserialize
    let deserialized = BytecodePackage::from_bytes(&serialized).unwrap();

    // Verify header
    assert_eq!(deserialized.header.build_id, ctx.build_id);
    assert_eq!(deserialized.header.timestamp, 1234567890);
    assert!(deserialized.header.is_encrypted());

    // Execute deserialized package
    let result = execute_encrypted(&ctx, &deserialized, &[]).unwrap();
    assert_eq!(result, 42);
}

#[test]
fn test_protection_level_flags() {
    // Test different protection levels
    assert_eq!(ProtectionLevel::Debug.to_flags(), 0);
    assert_eq!(ProtectionLevel::Low.to_flags(), BytecodeFlags::Encrypted as u16);
    assert_eq!(
        ProtectionLevel::Medium.to_flags(),
        BytecodeFlags::Encrypted as u16 | BytecodeFlags::HasIntegrity as u16
    );
    assert_eq!(
        ProtectionLevel::Paranoid.to_flags(),
        BytecodeFlags::Encrypted as u16
            | BytecodeFlags::HasIntegrity as u16
            | BytecodeFlags::HasTimingChecks as u16
            | BytecodeFlags::Paranoid as u16
    );
}