Invalidating Analysis Knowledge for Code Virtualization Protection Through Partition Diversity

To protect programs from unauthorized analysis, virtualizing code with Virtual Machine (VM) technologies is emerging as a feasible method of code obfuscation. However, in some state-of-the-art VM-based protection approaches, the set of virtual instructions and the bytecode interpreters are fixed across the whole program. This means an experienced attacker could extract the mapping between virtual instructions and native code from programs, and use this knowledge to uncover the mapping relationships in similarly protected applications. To address this problem, we present CoDiver (Code Virtualization Protection with Diversity), a novel VM-based code obfuscation system. The main idea of our approach is to obfuscate the mapping between the opcodes of bytecode instructions and their semantics. To achieve this goal, we first split every protected code region into multiple parts through a partitioning process, then randomize the mapping between opcodes and their semantics in each part. In this way, a bytecode instruction can be translated into different native code in different sections of the obfuscated code, which significantly increases the diversity of program behavior. As a result, learning the mapping between bytecode and native code from other programs and then transferring it to a new program becomes useless. We built a prototype of CoDiver and tested it on a set of real-world applications. Experimental results show that, compared with two state-of-the-art VM-based code obfuscation approaches, our approach is more effective and provides stronger protection with comparable runtime overhead and code size.
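A minimal sketch of the partition-and-remap idea described in the abstract, added here as an illustration and not CoDiver's implementation. The four-instruction stack VM, the equal-size partitioning, and the rule that adjacent partitions share no opcode meaning are all assumptions of this example.

```python
import random

# Hypothetical toy stack-VM semantics (assumption, not CoDiver's instruction set).
SEMANTICS = ["PUSH", "ADD", "SUB", "MUL"]

def make_table(rng, prev=None):
    """Random opcode -> semantics table that differs from prev at every opcode."""
    names = SEMANTICS[:]
    while True:
        rng.shuffle(names)
        table = dict(enumerate(names))
        if prev is None or all(table[op] != prev[op] for op in table):
            return table

def protect(program, n_parts, seed):
    """Split program into partitions and encode each with its own table."""
    rng = random.Random(seed)  # fixed seed for a reproducible demo only
    size = -(-len(program) // n_parts)  # ceiling division
    parts, table = [], None
    for i in range(0, len(program), size):
        table = make_table(rng, table)
        enc = {name: op for op, name in table.items()}
        parts.append((table, [(enc[n], arg) for n, arg in program[i:i + size]]))
    return parts

def run(parts):
    """Interpreter: swaps the dispatch table at each partition boundary."""
    stack = []
    for table, code in parts:
        for op, arg in code:
            name = table[op]
            if name == "PUSH":
                stack.append(arg)
                continue
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": a + b, "SUB": a - b, "MUL": a * b}[name])
    return stack.pop()

def decode_with(table, code):
    """Decode a partition's opcodes using a given (possibly stale) table."""
    return [table[op] for op, _ in code]

# Constructed sample program: (2 + 3) * (2 + 3) - 4
PROGRAM = [("PUSH", 2), ("PUSH", 3), ("ADD", None),
           ("PUSH", 2), ("PUSH", 3), ("ADD", None),
           ("MUL", None), ("PUSH", 4), ("SUB", None)]

if __name__ == "__main__":
    parts = protect(PROGRAM, n_parts=3, seed=1)
    print("result:", run(parts))
    print("partition 1 read with partition 0's table:", decode_with(parts[0][0], parts[1][1]))
```

Partitions 0 and 1 hold the same three instructions, yet their opcode values differ, and a table recovered from one partition mislabels every instruction of the next.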
