Application security through program obfuscation

The business models behind products such as iTunes and the Skype VoIP clients depend entirely on the secrecy of the technical details of those products. Once the technical details are uncovered, a medium such as the Internet is an extremely powerful way to spread the sensitive information (anonymously), and it has been shown that stopping the spread of such highly sensitive information is difficult. Program obfuscation has therefore recently attracted a lot of attention as a low-cost approach to protecting the inner workings of an application.

However, when a new obfuscating transformation is proposed, it is unclear how to measure the quality of such a transformation, as there is no general agreement on this matter in this young domain. Collberg’s taxonomy [37] describes the quality of an obfuscating transformation in terms of cost, resilience and potency. The cost describes the execution penalty, the resilience measures how well a transformation withstands an attack, and the potency measures how much more difficult the obfuscated code is to understand.

Our work contributes by describing attacks that test the resilience of an obfuscating transformation and by constructing a framework based on software complexity metrics to evaluate the potency of obfuscating transformations. In this dissertation, we bring together existing control flow obfuscating transformations and existing software complexity metrics. In particular, we consider three transformations (control flow flattening (CFF), branch procedures and opaque predicates) together with two metrics (cyclomatic number and knot count). After the obfuscating transformations are applied to a program, the complexity of the program increases. To measure this, our framework has to be capable of quantifying the obfuscating transformation independently of the point in the development process at which the obfuscating transformation is applied. Therefore, our introduced framework works on the
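As an added illustration (not code from the dissertation), the sketch below models control flow flattening and opaque predicate insertion on a small constructed control flow graph and reports the cyclomatic number before and after each transformation. The graph, the block names, the `dispatch` node and the way each transformation is modelled at the CFG level are assumptions of this example.

```python
# Added example: CFG-level models of two transformations named in the abstract.
# Graph, block names and the transformation models are constructed assumptions.

# Constructed CFG: A = init, B = loop test, C = if, D/E = branches, F = exit.
SAMPLE_CFG = {"A": ["B"], "B": ["C", "F"], "C": ["D", "E"],
              "D": ["B"], "E": ["B"], "F": []}

def cyclomatic(cfg):
    """Cyclomatic number E - N + 2 of a single connected CFG."""
    nodes = set(cfg) | {s for succs in cfg.values() for s in succs}
    edges = sum(len(succs) for succs in cfg.values())
    return edges - len(nodes) + 2

def flatten(cfg, entry):
    """Control flow flattening: every block returns to one dispatcher,
    which picks the next block from a state variable."""
    flat = {"dispatch": []}
    for block, succs in cfg.items():
        # Direct successor edges become a state update plus a jump back.
        flat[block] = ["dispatch"] if succs else []
        if block != entry:
            flat["dispatch"].append(block)  # one switch case per non-entry block
    return flat

def add_opaque_predicate(cfg, block, bogus_target):
    """Guard `block` with an always-true predicate: the true edge reaches
    the real code, the never-taken false edge reaches bogus code."""
    out = {b: list(s) for b, s in cfg.items()}
    real, bogus = block + "_real", block + "_bogus"
    out[real] = out[block]        # real continuation keeps the original successors
    out[bogus] = [bogus_target]   # dead at run time, but present in the static CFG
    out[block] = [real, bogus]    # the predicate adds one decision node
    return out

def report(cfg=SAMPLE_CFG, entry="A"):
    opaque = add_opaque_predicate(cfg, "D", "C")
    return {
        "original": cyclomatic(cfg),
        "opaque_predicate": cyclomatic(opaque),
        "flattened": cyclomatic(flatten(cfg, entry)),
        "opaque_then_flattened": cyclomatic(flatten(opaque, entry)),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

In this model the cyclomatic number of the flattened graph depends only on the number of blocks, not on where the original branches were.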

[1] Thomas W. Reps, et al. WYSINWYX: What You See Is Not What You eXecute, 2005, VSTTE.

[2] Andrée Puttemans, et al. Nouveautés en droits intellectuels marques et programmes d'ordinateur, 1995.

[3] Koen De Bosschere, et al. Link-Time Compaction of MIPS Programs, 2004, ESA/VLSI.

[4] Koen De Bosschere, et al. Understanding Obfuscated Code, 2006, 14th IEEE International Conference on Program Comprehension (ICPC'06).

[5] Genevieve Arboit, et al. A Method for Watermarking Java Programs via Opaque Predicates, 2002.

[6] Jeffrey K. Hollingsworth, et al. An API for Runtime Code Patching, 2000, Int. J. High Perform. Comput. Appl.

[7] Levent Ertaul, et al. Novel Obfuscation Algorithms for Software Security, 2005, Software Engineering Research and Practice.

[8] Jack W. Davidson, et al. Protection of software-based survivability mechanisms, 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[9] Gregory R. Andrews, et al. Disassembly of executable code revisited, 2002, Ninth Working Conference on Reverse Engineering, 2002. Proceedings.

[10] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[11] Clark Thomborson, et al. Manufacturing cheap, resilient, and stealthy opaque constructs, 1998, POPL '98.

[12] Laurie J. Hendren, et al. Metrics for Measuring the Effectiveness of Decompilers and Obfuscators, 2007, 15th IEEE International Conference on Program Comprehension (ICPC '07).

[13] Kuo-Chung Tai. A program complexity metric based on data flow information in control graphs, 1984, ICSE '84.

[14] Erik H. D'Hollander, et al. Using hammock graphs to structure programs, 2004, IEEE Transactions on Software Engineering.

[15] G. Ramalingam, et al. The undecidability of aliasing, 1994, TOPL.

[16] Koen De Bosschere, et al. LANCET: a nifty code editing tool, 2005, PASTE '05.

[17] A. Appel. Deobfuscation is in NP.

[18] Gregory Wroblewski, et al. General Method of Program Code Obfuscation, 2002.

[19] Christian S. Collberg, et al. A Taxonomy of Obfuscating Transformations, 1997.

[20] Bjorn De Sutter, et al. Compiler techniques for code compaction, 2000, TOPL.

[21] Koen De Bosschere, et al. Steganography for Executables and Code Transformation Signatures, 2004, ICISC.

[22] Robert E. Tarjan, et al. Dynamic Self-Checking Techniques for Improved Tamper Resistance, 2001, Digital Rights Management Workshop.

[23] Masahiro Mambo, et al. An Approach to the Objective and Quantitative Evaluation of Tamper-Resistant Software, 2000, ISW.

[24] Ju. V. Matijasevic, et al. ENUMERABLE SETS ARE DIOPHANTINE, 2003.

[25] Qwhuqhw Duh Qrz Vxiihulqj Iurp Surjudp Wkhiw, et al. Watermarking Java Programs, 1999.

[26] Jun Yang, et al. Frequent value locality and its applications, 2002, TECS.

[27] Clark D. Thomborson, et al. Securing Mobile Agents Control Flow Using Opaque Predicates, 2005, KES.

[28] Douglas Low, et al. Java Control Flow Obfuscation, 1998.

[29] Scott Nettles, et al. Dynamic software updating, 2001, PLDI '01.

[30] Taghi M. Khoshgoftaar, et al. Measurement of data structure complexity, 1993, J. Syst. Softw.

[31] Bjorn De Sutter, et al. Matching Control Flow of Program Versions, 2007, 2007 IEEE International Conference on Software Maintenance.

[32] Markus G. Kuhn, et al. Attacks on Copyright Marking Systems, 1998, Information Hiding.

[33] Patrick Cousot, et al. An abstract interpretation-based framework for software watermarking, 2004, POPL.

[34] John C. Knight, et al. A security architecture for survivability mechanisms, 2001.

[35] Pascal Paillier, et al. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, 1999, EUROCRYPT.

[36] David W. Binkley, et al. A large-scale empirical study of forward and backward static slice size and context sensitivity, 2003, International Conference on Software Maintenance, 2003. ICSM 2003. Proceedings.

[37] Levent Ertaul, et al. JHide - A tool kit for code obfuscation, 2004, IASTED Conf. on Software Engineering and Applications.

[38] Thomas W. Reps, et al. Analyzing Memory Accesses in x86 Executables, 2004, CC.

[39] Koen De Bosschere, et al. Program obfuscation: a quantitative approach, 2007, QoP '07.

[40] Jens Palsberg, et al. Experience with software watermarking, 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[41] Mary Lou Soffa, et al. Generating test data for branch coverage, 2000, Proceedings ASE 2000. Fifteenth IEEE International Conference on Automated Software Engineering.

[42] Christian S. Collberg, et al. Software watermarking via opaque predicates: Implementation, analysis, and attacks, 2006, Electron. Commer. Res.

[43] Dan Boneh, et al. Architectural Support For Copy And Tamper-Resistant Software PhD Thesis, 2003.

[44] Akito Monden, et al. Tamper-Resistant Software System Based on a Finite State Machine, 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[45] Mateo Valero, et al. A content aware integer register file organization, 2004, Proceedings. 31st Annual International Symposium on Computer Architecture, 2004.

[46] Christian S. Collberg, et al. Sandmark--A Tool for Software Protection Research, 2003, IEEE Secur. Priv.

[47] Patrick Cousot, et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, 1977, POPL.

[48] Amit Sahai, et al. Positive Results and Techniques for Obfuscation, 2004, EUROCRYPT.

[49] Gary McGraw, et al. Exploiting Software: How to Break Code, 2004.

[50] Christian S. Collberg. CS 620 Security through obscurity, 2002.

[51] Yuan Xiang Gu, et al. An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs, 2001, ISC.

[52] M. Preda. Code Obfuscation and Malware Detection by Abstract Interpretation, 2007.

[53] Saumya K. Debray, et al. Deobfuscation: reverse engineering obfuscated code, 2005, 12th Working Conference on Reverse Engineering (WCRE'05).

[54] Mikhail J. Atallah, et al. Protecting Software Code by Guards, 2001, Digital Rights Management Workshop.

[55] Gregory R. Andrews, et al. Binary Obfuscation Using Signals, 2007, USENIX Security Symposium.

[56] Martin R. Woodward, et al. A Measure of Control Flow Complexity in Program Text, 1979, IEEE Transactions on Software Engineering.

[57] Yuichiro Kanzaki, et al. Exploiting self-modification mechanism for program protection, 2003, Proceedings 27th Annual International Computer Software and Applications Conference. COMPSAC 2003.

[58] Peter Lee, et al. A Declarative Approach to Run-Time Code Generation, 2007.

[59] Oded Goldreich, et al. The Foundations of Cryptography - Volume 2: Basic Applications, 2001.

[60] Robert Dick, et al. Next-Generation Protection Against Reverse Engineering, 2005.

[61] Anas N. Al-Rabadi, et al. A comparison of modified reconstructability analysis and Ashenhurst‐Curtis decomposition of Boolean functions, 2004.

[62] Koen De Bosschere, et al. Hybrid static-dynamic attacks against software protection mechanisms, 2005, DRM '05.

[63] Michael D. Ernst. Static and dynamic analysis: synergy and duality, 2003.

[64] Koen De Bosschere, et al. LOCO: an interactive code (De)obfuscation tool, 2006, PEPM '06.

[65] Barbara G. Ryder, et al. Pointer-induced aliasing: a problem classification, 1991, POPL '91.

[66] Paul England, et al. NGSCB: A Trusted Open System, 2004, ACISP.

[67] Saumya K. Debray, et al. Profile-guided code compression, 2002, PLDI '02.

[68] Christian S. Collberg, et al. The Obfuscation Executive, 2004, ISC.

[69] Gael Hachez, et al. A Comparative Study of Software Protection Tools Suited for E-Commerce with Contributions to Software Watermarking and Smart Cards, 2003.

[70] Somesh Jha, et al. Static Analysis of Executables to Detect Malicious Patterns, 2003, USENIX Security Symposium.

[71] Warren A. Harrison, et al. A complexity measure based on nesting level, 1981, SIGP.

[72] Jason R. C. Patterson, et al. Accurate static branch prediction by value range propagation, 1995, PLDI '95.

[73] Ran Canetti, et al. Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information, 1997, CRYPTO.

[74] Siani Pearson, et al. Trusted Computing Platforms: TCPA Technology in Context, 2002.

[75] Jonathon T. Giffin, et al. Strengthening software self-checksumming via self-modifying code, 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[76] Christopher Krügel, et al. Static Disassembly of Obfuscated Binaries, 2004, USENIX Security Symposium.

[77] Giovanni Vigna. Static Disassembly and Code Analysis, 2007, Malware Detection.

[78] Jack W. Davidson, et al. Software Tamper Resistance: Obstructing Static Analysis of Programs, 2000.

[79] Gregory R. Andrews, et al. PLTO: A Link-Time Optimizer for the Intel IA-32 Architecture, 2007.

[80] Butler W. Lampson, et al. A Trusted Open Platform, 2003, Computer.

[81] David Aucsmith, et al. Tamper Resistant Software: An Implementation, 1996, Information Hiding.

[82] Paul C. van Oorschot, et al. A generic attack on checksumming-based software tamper resistance, 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[83] Dawson R. Engler, et al. C: a language for high-level, efficient, and machine-independent dynamic code generation, 1995, POPL '96.

[84] William Pugh, et al. The Omega test: A fast and practical integer programming algorithm for dependence analysis, 1991, Proceedings of the 1991 ACM/IEEE Conference on Supercomputing (Supercomputing '91).

[85] Michael Stepp, et al. Dynamic path-based software watermarking, 2004, PLDI '04.

[86] Eldad Eilam, et al. Reversing: Secrets of Reverse Engineering, 2005.

[87] Maurice H. Halstead, et al. Elements of software science, 1977.

[88] Christian S. Collberg, et al. Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection, 2002, IEEE Trans. Software Eng.

[89] Sallie M. Henry, et al. Software Structure Metrics Based on Information Flow, 1981, IEEE Transactions on Software Engineering.

[90] Katsuro Inoue, et al. A practical method for watermarking Java programs, 2000, Proceedings 24th Annual International Computer Software and Applications Conference. COMPSAC2000.

[91] William Landi, et al. Undecidability of static analysis, 1992, LOPL.

[92] Stephen T. Kent. Protecting externally supplied software in small computers, 1980.

[93] Sean W. Smith, et al. Secure coprocessing applications and research issues, 1996.

[94] Michael Hind, et al. Which pointer analysis should I use?, 2000, ISSTA '00.

[95] Gary McGraw, et al. Software Penetration Testing, 2005, IEEE Secur. Priv.

[96] Julia L. Lawall, et al. Automatic, template-based run-time specialization: implementation and experimental study, 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[97] Koen De Bosschere, et al. Software Protection Through Dynamic Code Mutation, 2005, WISA.

[98] Andrée Puttemans, et al. Au bout du bout du droit d'auteur: la nouvelle protection juridique des programmes d'ordinateur, 1995.

[99] Saumya K. Debray, et al. Obfuscation of executable code to improve resistance to static disassembly, 2003, CCS '03.

[100] P. Biondi, et al. Silver Needle in the Skype, 2006.

[101] Koen De Bosschere, et al. Link-time optimization of ARM binaries, 2004, LCTES '04.

[102] Christian S. Collberg, et al. Software watermarking: models and dynamic embeddings, 1999, POPL '99.

[103] Koen De Bosschere, et al. Software piracy prevention through diversity, 2004, DRM '04.

[104] Koen De Bosschere, et al. Sifting out the mud: low level C++ code reuse, 2002, OOPSLA '02.

[105] Koen De Bosschere, et al. DIOTA: Dynamic Instrumentation, Optimization and Transformation of Applications, 2002, PACT 2002.

[106] Koen De Bosschere, et al. Opaque Predicates Detection by Abstract Interpretation, 2006, AMAST.

[107] Rupak Majumdar, et al. Path slicing, 2005, PLDI '05.