Iterated Transformations and Quantitative Metrics for Software Protection

This paper describes a new framework for design, implementation and evaluation of software-protection schemes. Our approach is based on the paradigm of iterated protection, which repeats and combines simple transformations to build up complexity and security. Based on ideas from the field of complex systems, iterated protection is intended as an element of a comprehensive obfuscation and tamper-resistance system, but not as a full-fledged, standalone solution. Our techniques can (and should) be combined with previously proposed approaches, strengthening overall protection. A long-term goal of this work is to create protection methods amenable to analysis or estimation of security in practice. As a step towards this, we present security evaluation via metrics computed over transformed code. Indicating the difficulty of real-life reverse engineering and tampering, such metrics offer one approach to move away from ad hoc, poorly analyzable approaches to protection.

[1]  Jack W. Davidson,et al.  Software Tamper Resistance: Obstructing Static Analysis of Programs , 2000 .

[2]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[3]  Yael Tauman Kalai,et al.  On the impossibility of obfuscation with auxiliary input , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[4]  Ramarathnam Venkatesan,et al.  Towards integral binary execution: implementing oblivious hashing using overlapped instruction encodings , 2007, MM&Sec.

[5]  Angelos D. Keromytis,et al.  Hydan: Hiding Information in Program Binaries , 2004, ICICS.

[6]  Ramarathnam Venkatesan,et al.  Oblivious Hashing: A Stealthy Software Integrity Verification Primitive , 2002, Information Hiding.

[7]  Hoeteck Wee,et al.  On obfuscating point functions , 2005, STOC '05.

[8]  Koen De Bosschere,et al.  Software piracy prevention through diversity , 2004, DRM '04.

[9]  Christian S. Collberg,et al.  A Taxonomy of Obfuscating Transformations , 1997 .

[10]  Robert E. Tarjan,et al.  Dynamic Self-Checking Techniques for Improved Tamper Resistance , 2001, Digital Rights Management Workshop.

[11]  Stephen Wolfram,et al.  A New Kind of Science , 2003, Artificial Life.

[12]  Clark Thomborson,et al.  Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[13]  Koen De Bosschere,et al.  Run-Time Randomization to Mitigate Tampering , 2007, IWSEC.

[14]  Gang Tan,et al.  Delayed and Controlled Failures in Tamper-Resistant Software , 2006, Information Hiding.

[15]  Koen De Bosschere,et al.  Program obfuscation: a quantitative approach , 2007, QoP '07.

[16]  Amit Sahai,et al.  Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[17]  John C. Knight,et al.  A security architecture for survivability mechanisms , 2001 .

[18]  David Aucsmith,et al.  Tamper Resistant Software: An Implementation , 1996, Information Hiding.

[19]  Christian S. Collberg,et al.  Breaking abstractions and unstructuring data structures , 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[20]  Ramarathnam Venkatesan,et al.  A Graph Game Model for Software Tamper Protection , 2007, Information Hiding.

[21]  GoldreichOded,et al.  Software protection and simulation on oblivious RAMs , 1996 .

[22]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[23]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .