Replacement attacks: automatically evading behavior-based software birthmark

Software birthmarks use specific program characteristics to validate the origin of software, so they can be applied to detect software piracy. One state-of-the-art software birthmark technique adopts dynamic system call dependence graphs as the unique signature of a program; this signature cannot be cluttered by existing obfuscation techniques and is also immune to the no-op system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantically equivalent system calls to unlock the high-frequency dependencies between the system calls in the victim’s original system call dependence graph. Our results show that the proposed replacement attacks can successfully destroy the original birthmark.
