Towards Optimally Hiding Protected Assets in Software Applications

Software applications contain valuable assets that, if compromised, can make the security of users at stake and cause huge monetary losses for software developers. Software protections are applied whenever assets' security is at risk as they delay successful attacks. Unfortunately, protections might have recognizable fingerprints that can expose the location of the assets, thus facilitating the attackers' job. This paper presents a novel approach that uses three main methods to hide the protected assets: protection fingerprint replication, enlargement, and shadowing. The best way to hide assets is determined with a Mixed Integer Linear Program, which is automatically built starting from the code structure, the protected assets, and a model that depicts the dependencies among protection and the fingerprints they generate. Additional constraints, such as overhead limits are also supported to ensure the usability of the protected applications. Our implementation, which uses off-the-shelf solvers, showed promising performance and scalability on large applications.

[1]  Roberto Giacobazzi,et al.  Semantic-Based Code Obfuscation by Abstract Interpretation , 2005, ICALP.

[2]  Marco Torchiano,et al.  A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques , 2013, Empirical Software Engineering.

[3]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[4]  Hua Qu,et al.  User-Centric QoS Provisioning for Heterogeneous D2D Multimedia Flows with Dense Spectral Reuse , 2016, 2016 IEEE Globecom Workshops (GC Wkshps).

[5]  Holger Karl,et al.  Response-Time-Optimized Service Deployment: MILP Formulations of Piece-Wise Linear Functions Approximating Bivariate Mixed-Integer Functions , 2015, IEEE Transactions on Network and Service Management.

[6]  Ahmed Karmouch,et al.  MILP-Based Approach for Efficient Cloud IaaS Resource Allocation , 2015, 2015 IEEE 8th International Conference on Cloud Computing.

[7]  Christian S. Collberg,et al.  Breaking abstractions and unstructuring data structures , 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[8]  Robert H. Deng,et al.  Remote attestation on program execution , 2008, STC '08.

[9]  Andrew Blyth,et al.  An empirical examination of the reverse engineering process for binary files , 2006, Comput. Secur..

[10]  Bart Coppens,et al.  Tightly-coupled self-debugging software protection , 2016, SSPREW '16.

[11]  Christian S. Collberg,et al.  Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..

[12]  Marco Torchiano,et al.  Assessment of Source Code Obfuscation Techniques , 2016, 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM).

[13]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[14]  Marco Torchiano,et al.  The effectiveness of source code obfuscation: An experimental assessment , 2009, 2009 IEEE 17th International Conference on Program Comprehension.

[15]  Mariano Ceccato,et al.  Barrier Slicing for Remote Software Trusting , 2007 .

[16]  Stefan Katzenbeisser,et al.  Protecting Software through Obfuscation , 2016, ACM Comput. Surv..

[17]  Paolo Falcarin,et al.  Software Protection with Code Mobility , 2015, MTD@CCS.

[18]  Mariano Ceccato,et al.  POSTER: A Measurement Framework to Quantify Software Protections , 2014, CCS.

[19]  Mariano Ceccato,et al.  Reactive Attestation: Automatic Detection and Reaction to Software Tampering Attacks , 2016, SPRO@CCS.

[20]  K. De Bosschere,et al.  DIABLO: a reliable, retargetable and extensible link-time rewriting framework , 2005, Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology, 2005..

[21]  David A. Wood,et al.  Optimization and Mathematical Modeling in Computer Architecture , 2013, Optimization and Mathematical Modeling in Computer Architecture.

[22]  Clark Thomborson,et al.  Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[23]  Alexandru Telea,et al.  SQuAVisiT: A Software Quality Assessment and Visualisation Toolset , 2007 .

[24]  Mikhail J. Atallah,et al.  Protecting Software Code by Guards , 2001, Digital Rights Management Workshop.

[25]  Kevin Coogan,et al.  Deobfuscation of virtualization-obfuscated software: a semantics-based approach , 2011, CCS '11.

[26]  Young-Chon Kim,et al.  Efficient routing and spectrum allocation considering QoT in elastic optical networks , 2015, 2015 38th International Conference on Telecommunications and Signal Processing (TSP).

[27]  Jack W. Davidson,et al.  Protection of software-based survivability mechanisms , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[28]  Rami Langar,et al.  A fair cluster-based resource and power allocation scheme for two-tier LTE femtocell networks , 2016, 2016 Global Information Infrastructure and Networking Symposium (GIIS).