Replacement Attacks on Behavior Based Software Birthmark

Software birthmarks use specific program characteristics to validate the origin of software, so they can be applied to detect software piracy. One state-of-the-art software birthmark technique adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-op system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks that use semantics-equivalent system calls to unlock the highly frequent dependencies between the system calls in an original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.
