Software Security by Obscurity - A Programming Language Perspective

In this paper we present recent achievements and open problems in software security by obscurity. We consider the problem of software protection as part of the Digital Asset Protection problem, and develop a formal security model that allows to better understand and compare known attacks and protection algorithms. The ultimate goal is to provide a comprehensive theory that allows a deeper understanding and systematical derivation of secured code against specific attacks.

[1]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[2]  Clark Thomborson,et al.  Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[3]  Markus G. Kuhn,et al.  Information hiding-a survey , 1999, Proc. IEEE.

[4]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[5]  Roberto Giacobazzi,et al.  Making abstract interpretations complete , 2000, JACM.

[6]  Christian S. Collberg,et al.  Toward Digital Asset Protection , 2011, IEEE Intelligent Systems.

[7]  Somesh Jha,et al.  A semantics-based approach to malware detection , 2007, POPL '07.

[8]  Roberto Giacobazzi,et al.  Obfuscation by partial evaluation of distorted interpreters , 2012, PEPM '12.

[9]  Patrick Cousot,et al.  The ASTREÉ Analyzer , 2005, ESOP.

[10]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[11]  Christian S. Collberg,et al.  Software watermarking: models and dynamic embeddings , 1999, POPL '99.

[12]  Arun Lakhotia,et al.  Imposing order on program statements to assist anti-virus scanners , 2004, 11th Working Conference on Reverse Engineering.

[13]  Roberto Giacobazzi,et al.  Hiding Information in Completeness Holes: New Perspectives in Code Obfuscation and Watermarking , 2008, 2008 Sixth IEEE International Conference on Software Engineering and Formal Methods.

[14]  Dusko Pavlovic,et al.  Gaming security by obscurity , 2011, NSPW '11.

[15]  Christian S. Collberg,et al.  Dynamic graph-based software fingerprinting , 2007, TOPL.

[16]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[17]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[18]  Roberto Giacobazzi,et al.  Semantics-based code obfuscation by abstract interpretation , 2009, J. Comput. Secur..