Zhi Xin,Huiyu Chen,Xinche Wang,Peng Liu,Sencun Zhu,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/s10207-012-0170-9

2012-01-01

International Journal of Information Security

Abstract:Software birthmarks utilize certain specific program characteristics to validate the origin of software, so it can be applied to detect software piracy. One state-of-the-art technology on software birthmark adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics equivalent system calls to unlock the high frequency dependencies between the system calls in the victim’s original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.

Kaige Liu,Tao Zheng,Linxi Wei

DOI: https://doi.org/10.1109/wisa.2014.28

2014-01-01

Abstract:With the rapid development of software technology and open source projects, software industry becomes more and more threatened by software piracy. As an excellent detection technique of software piracy, software birthmark, which can describe the unique characteristic of a program, has obtained more and more attention. In this paper, we propose a software birthmark called SCDG-DDGB (System Call Dependence Graph - C Data Dependence Graph Birthmark) which combines system call dependence with program data dependence. SCDG-DDGB keeps the advantages of system call based software birthmark and expands the scope of detection. What's more, SCDG-DDGB also can be used to detect algorithm plagiarism. We demonstrate the accuracy of SCDG-DDGB and evaluate the robustness with many powerful obfuscation techniques. The result shows that SCDG-DDGB is reliable and effective in detecting software piracy.

Jiang Ming,Zhi Xin,Pengwei Lan,Dinghao Wu,Peng Liu,Bing Mao

DOI: https://doi.org/10.1007/s11416-016-0281-3

2016-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and also clearly stand out from other programs. Although the traditional malware specifications based on syntactic signatures are efficient, they can be easily defeated by various obfuscation techniques. Since the malicious behavior is often stable across similar malware instances, behavior-based specifications which capture real malicious characteristics during run time, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graph that a malware sample invokes. In this paper, we present replacement attacks to camouflage similar behaviors by poisoning behavior-based specifications. The key method of our attacks is to replace a system call dependence graph to its semantically equivalent variants so that the similar malware samples within one family turn out to be different. As a result, malware analysts have to put more efforts into reexamining the similar samples which may have been investigated before. We distil general attacking strategies by mining more than 5200 malware samples’ behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach to impede various behavior-based malware analysis tasks, such as similarity comparison and malware clustering. In the end, we also discuss possible countermeasures in order to strengthen existing malware defense.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Zhe-Ming Lu,Xin-Wu Liao

2006-01-01

Abstract:In this paper, we present two attacking methods aiming at two robust water- marking schemes respectively. It is shown that these two robust watermarking schemes have some security problems and are vulnerable to the counterfeiting attack. Specifi- cally, given a watermarked image, one can make a statistical analysis on it to estimate the key parameters used for watermark insertion and forge the corresponding watermark into another image without knowing the secret key and even without explicitly knowing the watermark. In the simulation experiment, we successfully implement the attacks on these two robust watermarking schemes and demonstrate the effectiveness of the proposed counterfeiting attacking schemes.

Yu-jia ZHANG,Jian-min PANG,Zheng ZHANG,Jiang-xing WU

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.02.037

2018-01-01

Abstract:With the development of reverse engineering,the software industry has suffered a great loss from the software piracy and malicious attack for a long time.Code obfuscation techniques which can hide specific function of a program from malicious analysis for malware is thus frequently employed to mitigate this risk.However,most of the existing obfuscation methods are language embedded and depend on the target architecture,this paper proposed a method of compile-time obfuscation,and further presented a prototype implementedation based on the LLVM compiler infrastructure.Furthermore,this paper implemented a mimic security defence system which is free from malicious attack with the software diversity method.

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

WU Jian-jun,GAO Ji

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.012

2005-01-01

Abstract:A novel blind watermark scheme with the mark spread over the whole instruction distribution was proposed. Two disjoint subsets of equal size were randomly selected from among instruction set, and this selection was the watermark superimposed by changing the elements of one subset through adding a positive integer factor. The means of two subsets were computed for detecting mark. The mark was found if the difference of two means exceeded the threshold. The effectiveness of the scheme was derived from hypotheses test theory. The scheme was implemented treating Java bytecode as targets and was validated by the experiments. The experimental results show that it is very robust and is immune to most known (attacks).

Jianlong Yang,Jianmin Wang,Deyi Li

DOI: https://doi.org/10.1109/IIH-MSP.2006.85

2006-01-01

Abstract:To detect the theft of natural language text effectively, we present a novel scheme to derive birthmark from the text. Since birthmark is a unique and native characteristic of every text, a text with the same birthmark of another can be easily suspected of a copy. Ideally, birthmark should satisfy two properties: (a) credibility - independent texts must be distinguished by completely different birthmarks, and (b) resilience - birthmark should be tolerant against meaningpreserving attacks. To evaluate the effectiveness of the proposed birthmark, we conduct two experiments. The first one shows that birthmark successfully distinguishes non-copied files. In the second one, it shows that birthmark has quite good a tolerance against meaning-preserving attacks.

Diego Bendersky,Ariel Futoransky,Luciano Notarfrancesco,Carlos Sarraute,Ariel Waissbein

DOI: https://doi.org/10.48550/arXiv.1006.2356

2010-06-12

Abstract:Software digital rights management is a pressing need for the software development industry which remains, as no practical solutions have been acclamaimed succesful by the industry. We introduce a novel software-protection method, fully implemented with today's technologies, that provides traitor tracing and license enforcement and requires no additional hardware nor inter-connectivity. Our work benefits from the use of secure triggers, a cryptographic primitive that is secure assuming the existence of an ind-cpa secure block cipher. Using our framework, developers may insert license checks and fingerprints, and obfuscate the code using secure triggers. As a result, this rises the cost that software analysis tools have detect and modify protection mechanisms. Thus rising the complexity of cracking this system.

Cryptography and Security

Zaenal Akbar

DOI: https://doi.org/10.48550/arXiv.1004.3250

2010-04-19

Cryptography and Security

Abstract:Software piracy, the illegal using, copying, and resale of applications is a major concern for anyone develops software. Software developers also worry about their applications being reverse engineered by extracting data structures and algorithms from an application and incorporated into competitor's code. A defense against software piracy is watermarking, a process that embeds a secret message in a cover software. Watermarking is a method that does not aim to stop piracy copying, but to prove ownership of the software and possibly even the data structures and algorithms used in the software. The language Java was designed to be compiled into a platform independent bytecode format. Much of the information contained in the source code remains in the bytecode, which means that decompilation is easier than with traditional native codes. In this thesis, we present a technique for watermarking Java programs by using a never-executed dummy method (Monden et.al., 2000) combined with opaque predicates (Collberg et.al., 1998; Arboit, 2002) and improved with dynamically opaque predicates (Palsberg et.al., 2000). This work presents a method to construct a dynamic opaque predicates by grouping two or more opaque predicates according to predefined rules. Any software watermarking technique will exhibit a trade-off between resilience, data rate, cost, and stealth. To evaluate the quality of a watermarking scheme we must also know how well it stands up to different types of attacks. Ideally, we would like our watermarks to survive translation (compilation, decompilation, and binary translation), optimization, and obfuscation. Add a single watermark will increasing source code approximate 3.854 bytes with dummy method that cover up to 15 characters, two dynamic data structures, two threads and two opaque predicates. Application loading-time increase approximate 6108 milliseconds.

Christian S. Collberg,Clark Thomborson

DOI: https://doi.org/10.1109/TSE.2002.1027797

2002-01-01

Abstract:AbstractWe identify three types of attack on the intellectual property contained in software and three corresponding technical defenses. A defense against reverse engineering is obfuscation, a process that renders software unintelligible but still functional. A defense against software piracy is watermarking, a process that makes it possible to determine the origin of software. A defense against tampering is tamper-proofing, so that unauthorized modifications to software (for example, to remove a watermark) will result in nonfunctional code. We briefly survey the available technology for each type of defense.

Zhiwei Yu,Chaokun Wang,Clark Thomborson,Jianmin Wang,Shiguo Lian,Athanasios V. Vasilakos

DOI: https://doi.org/10.1002/spe.1088

2012-01-01

Abstract:With the rapid development of cloud computing, software applications are shifting onto cloud storage rather than remaining within local networks. Software distributions within the cloud are subject to security breaches, privacy abuses, and access control violations. In this paper, we identify an insider threat to access control which is not completely eliminated by the usual techniques of encryption, cryptographic hashes, and access-control labels. We address this threat using software watermarking. We evaluate our access-control scheme within the context of a Collaboration-oriented Architecture, as defined by The Jericho Forum. Copyright © 2011 John Wiley & Sons, Ltd.

HAN Hao,MAO Bing,XIE Li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.04.040

2012-01-01

Abstract:Return-oriented Programming(ROP) is a new attack based on code-reuse technique.This paper proposes a dynamic runtime detection system for return-oriented programming attack,studies the intrinsic nature of ROP and its variant.According to these nature,it designs ret integrity checking,call integrity checking and jmp integrity checking.The detecting system is implemented to static instrument and dynamic run-time checking.Static instrument assemble the analysis code into the program to be detected and dynamic run-time checking do the real detection with the three integrity checking.Preliminary experimental results show that the method can efficiently detect ROP malicious code and have no false positives and negatives.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

W Zhu,C Thomborson,Fy Wang

DOI: https://doi.org/10.1007/11427995_42

2005-01-01

Abstract:In the Internet age, software is one of the core components for the operation of network and it penetrates almost all aspects of industry, commerce, and daily life. Since digital documents and objects can be duplicated and distributed easily and economically cheaply and software is also a type of digital objects, software security and piracy becomes a more and more important issue. In order to prevent software from piracy and unauthorized modification, various techniques have been developed. Among them is software watermarking which protects software through embedding some secret information into software as an identifier of the ownership of copyright for this software. This paper gives a brief overview of software watermarking. It describes the taxonomy, attack models, and algorithms of software watermarking.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

Bjorn De Sutter,Sebastian Schrittwieser,Bart Coppens,Patrick Kochberger

2024-05-01

Abstract:Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 571 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks and formulate a number of concrete recommendations for improving the evaluations reported in future research papers.

Cryptography and Security

Xi Xu,Qinghua Zheng,Zheng Yan,Ming Fan,Ang Jia,Ting Liu

DOI: https://doi.org/10.48550/arXiv.2103.10126

2021-03-18

Abstract:Software reuse, especially partial reuse, poses legal and security threats to software development. Since its source codes are usually unavailable, software reuse is hard to be detected with interpretation. On the other hand, current approaches suffer from poor detection accuracy and efficiency, far from satisfying practical demands. To tackle these problems, in this paper, we propose \textit{ISRD}, an interpretation-enabled software reuse detection approach based on a multi-level birthmark model that contains function level, basic block level, and instruction level. To overcome obfuscation caused by cross-compilation, we represent function semantics with Minimum Branch Path (MBP) and perform normalization to extract core semantics of instructions. For efficiently detecting reused functions, a process for "intent search based on anchor recognition" is designed to speed up reuse detection. It uses strict instruction match and identical library call invocation check to find anchor functions (in short anchors) and then traverses neighbors of the anchors to explore potentially matched function pairs. Extensive experiments based on two real-world binary datasets reveal that \textit{ISRD} is interpretable, effective, and efficient, which achieves $97.2\%$ precision and $94.8\%$ recall. Moreover, it is resilient to cross-compilation, outperforming state-of-the-art approaches.

Software Engineering