Control code obfuscation by abstract interpretation

Control code obfuscation is intended to prevent malicious reverse engineering of software by masking the program control flow. These obfuscating transformations often rely on the existence of opaque predicates, which support the design of transformations that break up the program control flow. We prove that an algorithm for control obfuscation by opaque predicate insertion can be systematically derived as an abstraction of a suitable semantic transformation. In this framework, deobfuscation is interpreted as an attacker who can observe the computational behaviour of programs up to a given degree of precision. Both obfuscation and deobfuscation can therefore be interpreted as approximations of program semantics, where approximation is formalized using abstract interpretation theory. In particular, we prove that abstract interpretation provides the adequate setting to measure the potency of an obfuscation algorithm by comparing the degree of abstraction of the most abstract domains which are able to disclose opaque predicates.
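
The following added example, which is not code from the paper, models an attacker as an abstract domain and checks which of two constructed opaque predicates each domain can prove constant. The parity and sign domains, the two predicates and all names are assumptions chosen for illustration.

```python
# Added illustration: abstract domains as attackers of different precision.
TOP = "top"  # "no information" element shared by both domains

def sign_add(a, b):
    if a == "zero": return b
    if b == "zero": return a
    return a if a == b and a != TOP else TOP

def sign_mul(a, b):
    if "zero" in (a, b): return "zero"
    if TOP in (a, b): return TOP
    return "pos" if a == b else "neg"

PARITY = {
    "atoms": ("even", "odd"),  # together they cover every integer
    "const": lambda n: "even" if n % 2 == 0 else "odd",
    "add": lambda a, b: TOP if TOP in (a, b) else ("even" if a == b else "odd"),
    "mul": lambda a, b: "even" if "even" in (a, b) else (TOP if TOP in (a, b) else "odd"),
    "test": {"even": lambda v: {"even": True, "odd": False}.get(v)},
}
SIGN = {
    "atoms": ("neg", "zero", "pos"),
    "const": lambda n: "neg" if n < 0 else ("zero" if n == 0 else "pos"),
    "add": sign_add,
    "mul": sign_mul,
    "test": {"nonneg": lambda v: {"pos": True, "zero": True, "neg": False}.get(v),
             "even": lambda v: {"zero": True}.get(v)},  # only 0 is known even
}

def eval_abs(dom, expr, x):
    """Abstractly evaluate an expression tree with the variable bound to x."""
    if expr[0] == "x": return x
    if expr[0] == "const": return dom["const"](expr[1])
    return dom[expr[0]](eval_abs(dom, expr[1], x), eval_abs(dom, expr[2], x))

def disclose(dom, pred):
    """True/False if dom proves pred constant for every input, else None."""
    name, expr = pred
    test = dom["test"].get(name, lambda v: None)
    verdicts = {test(eval_abs(dom, expr, atom)) for atom in dom["atoms"]}
    return verdicts.pop() if len(verdicts) == 1 else None

X = ("x",)
P_PARITY = ("even", ("mul", X, ("add", X, ("const", 1))))  # x*(x+1) % 2 == 0
P_SIGN = ("nonneg", ("mul", X, X))                         # x*x >= 0

if __name__ == "__main__":
    for name, dom in (("parity", PARITY), ("sign", SIGN)):
        print(name, disclose(dom, P_PARITY), disclose(dom, P_SIGN))
```

Each predicate is disclosed by one domain and opaque to the other, which is the kind of comparison between disclosing domains that the abstract describes for measuring potency.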
