Kaiyuan Kuang,Zhanyong Tang,Xiaoqing Gong,Dingyi Fang,Xiaojiang Chen,Tianzhang Xing,Guixin Ye,Jie Zhang,Zheng Wang

DOI: https://doi.org/10.1109/trustcom.2016.0101

2016-01-01

Abstract:Code virtualization built upon virtual machine (VM) technologies is emerging as a viable method for implementing code obfuscation to protect programs against unauthorized analysis. State-of-the-art VM-based protection approaches use a fixed scheduling structure where the program follows a single, static execution path for the same input. Such approaches, however, are vulnerable to certain scenarios where the attacker can reuse knowledge extracted from previously seen software to crack applications using similar protection schemes. This paper presents DSVMP, a novel VM-based code obfuscation approach for software protection. DSVMP brings together two techniques to provide stronger code protection than prior VM-based schemes. Firstly, it uses a dynamic instruction scheduler to randomly direct the program to execute different paths without violating the correctness across different runs. By randomly choosing the program execution paths, the application exposes diverse behavior, making it much more difficult for an attacker to reuse the knowledge collected from previous runs or similar applications to perform attacks. Secondly, it employs multiple VMs to further obfuscate the relationship between VM bytecode and their interpreters, making code analysis even harder. We have implemented DSVMP in a prototype system and evaluated it using a set of widely used applications. Experimental results show that DSVMP provides stronger protection with comparable runtime overhead and code size when compared to two commercial VM-based code obfuscation tools.

Kaiyuan Kuang,Zhanyong Tang,Xiaoqing Gong,Dingyi Fang,Xiaojiang Chen,Zheng Wang

DOI: https://doi.org/10.1016/j.cose.2018.01.008

IF: 5.105

2018-01-01

Computers & Security

Abstract:Code virtualization built upon virtual machine (VM) technologies is emerging as a viable method for implementing code obfuscation to protect programs against unauthorized analysis. State-of-the-art VM-based protection approaches use a fixed scheduling structure where the program always follows a single, deterministic execution path for the same input. Such approaches, however, are vulnerable in certain scenarios where the attacker can reuse knowledge extracted from previously seen software to crack applications protected with the same obfuscation scheme. This paper presents Dsvmp, a novel VM-based code obfuscation approach for software protection. Dsvmp brings together two techniques to provide stronger code protection than prior VM-based approaches. Firstly, it uses a dynamic instruction scheduler to randomly direct the program to execute different paths without violating the correctness across different runs. By randomly choosing the program execution path, the application exposes diverse behavior, making it much more difficult for an attacker to reuse the knowledge collected from previous runs or similar applications to launch an attack. Secondly, it employs multiple VMs to further obfuscate the mapping from VM opcode to native machine instructions, so that the same opcode could be mapped to different native instructions at runtime, making code analysis even harder. We have implemented Dsvmp in a prototype system and evaluated it using a set of widely used applications. Experimental results show that Dsvmp provides stronger protection with comparable runtime overhead and code size, when it is compared to two commercial VM-based code obfuscation tools.

Chao Xue,Zhanyong Tang,Guixin Ye,Guanghui Li,Xiaoqing Gong,Wei Wangg,Dingyi Fang,Zheng Wang

DOI: https://doi.org/10.1109/padsw.2018.8644535

2018-01-01

Abstract:Code virtualization built upon virtual machine (VM) technologies is emerging as a viable method for implementing code obfuscation to protect programs against unauthorized analysis. State-of-the-art VM-based protection approaches use a fixed set of virtual instructions and bytecode interpreters across programs. This, however, exposes a security vulnerability where an experienced attacker can use knowledge extracted from other programs to quickly uncover the mapping between virtual instructions and native code for applications protected under the same scheme. In this paper, we propose a novel VM-based code obfuscation system to address this problem. The core idea of our approach is to obfuscate the mapping between the opcodes of bytecode instructions and their semantics. We achieve this by partitioning each protected code region into multiple segments where the mapping of opcodes and their semantics is randomized in different ways in different segments. In this way, each bytecode instruction will be translated into different native code in different sections of the obfuscated code. This significantly increases the diversity of the program behavior. As a result, the knowledge of bytecode to native code mappings obtained from other programs will be less useful when targeting a new program. We evaluate our approach on a set of real-world applications and compare it against two state-of-the-art VM-based code obfuscation approaches. Experimental results show that our approach is effective, which provides stronger protection with comparable runtime overhead and code size.

Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Wei Wang,Meng Li,Zhanyong Tang,Huanting Wang,Guixin Ye,Fuwei Wang,Jie Ren,Xiaoqing Gong,Dingyi Fang,Zheng Wang

DOI: https://doi.org/10.1109/access.2019.2954165

IF: 3.9

2019-01-01

IEEE Access

Abstract:To protect programs from unauthorized analysis, virtualize the code based on Virtual Machine (VM) technologies is emerging as a feasible method for accomplishing code obfuscation. However, in some State-of-the-art VM-based protection approaches, the set of virtual instructions and bytecode interpreters are fixed across the whole programs. This means an experienced attacker could extract the mapping information between virtual instructions and native code from programs, and use this knowledge to uncover the mapping relationships in similar protecting applications. To address this problem, we present CoDiver (Code Virtualization Protection with Diversity), a novel VM-based code obfuscation system in this paper. The main idea of our approach is to obfuscate the mapping between the opcodes of bytecode instructions and their semantics. To achieve this goal, we first turn every protected code region into multiple parts by partition proceeding, randomize the mapping of opcodes and their semantics of each part. By this way, we could translate the bytecode instruction into different native code in different sections of the obfuscated code. This method could increase the diversity of program behavior significantly. As a result, it will be useless to learn the mapping relationship between bytecode and native code of some other programs, then migrate it into a new program. We build a prototype of CoDiver and tested it on a set of real-world applications. Experimental results show that as compared with two state-of-the-art VM-based code obfuscation approaches, our approach is more effective and could provide stronger protection with comparable runtime overhead and code size.

Zhanyong Tang,Meng Li,Guixin Ye,Shuai Cao,Meiling Chen,Xiaoqing Gong,Dingyi Fang,Zheng Wang

DOI: https://doi.org/10.3390/app8050771

2018-01-01

Abstract:Process-level virtual machine (PVM) based code obfuscation is a viable means for protecting software against runtime code tampering and unauthorized code reverse engineering. PVM-based approaches rely on a VM to determine how instructions of the protected code region are scheduled and executed. Therefore, it is crucial to protect the VM against runtime code tampering that alters the instructions and behavior of the VM. This paper presents VMGuards, a novel PVM-based code protection system that puts the security of VM as the first class design concern. Our approach advances prior work by promoting security of the VM as the first class design constraint. We achieve this by introducing two new instruction sets to protect the internal implementations of critical code segments and the host runtime environment where the VM runs in. Our new instruction sets not only have an identical code structure as standard virtual instructions, but also provide additional information to allow the VM to check whether the critical internal implementation or the runtime environment is affected. We evaluate our approach by using a set of real-life applications. Experimental results show that our approach provides stronger and more fine-grained protection when compared to the state-of-the-art with little extra overhead.

Lei Yu,Yucong Duan

DOI: https://doi.org/10.32604/cmc.2023.038970

2023-01-01

Abstract:Cloud computing and edge computing brought more software, which also brought a new danger of malicious software attacks. Data synchronization mechanisms of software can further help reverse data modifications. Based on the mechanisms, attackers can cover themselves behind the network and modify data undetected. Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks, when attackers intrude cloud server to access the source or binary codes. Therefore, we proposed a novel method to resist this kind of reverse engineering by breaking these rules. Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era. Our method is capable of (1) replacing the original assembly codes of the protected program with equivalent assembly instructions in an iteration way, (2) obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs, (3) encrypting data to confuse attackers. In addition, the approach can periodically and automatically modify the protected software binary codes, and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis. Furthermore, a simplified virtual machine is implemented to make the protected codes unreadable to attackers. Cloud game is one of the specific scenarios which needs low latency and strong data consistency. Cheat engine, Ollydbg, and Interactive Disassembler Professional (IDA) are used prevalently for games. Our improved methods can protect the software from the most vulnerable aspects. The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations. We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis. Experiments show that hidden dangers can be eliminated with efficient methods: Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.

Xuangan Xiao,Yizhuo Wang,Yikun Hu,Dawu Gu

DOI: https://doi.org/10.1109/saner56733.2023.00082

2023-01-01

Abstract:Obfuscation techniques are widely used to protect the digital copyright and intellectual property rights of software. Among them, code virtualization is one of the most powerful obfuscation techniques, which hides both the control flow and the data flow of the code, thereby preventing code from being decompiled. However, existing code virtualization solutions are not well-resistant to de-obfuscation techniques (e.g., symbolic execution and frequency analysis), and only target limited program languages and architectures, which are challenging to integrate into the process of software development and maintenance.In this paper, We propose an LLVM-based code virtualization tool, namely xVMP to fulfill a scalable and virtualized instruction-hardened obfuscation. To mask the effects of multiple program languages and architectures, xVMP incorporates the obfuscation process of code virtualization into the compilation, and generates virtualized code based on LLVM intermediate representation (IR). After virtualization, it embeds the interpreter of virtualized code into the IR and compiles to an executable. To enhance the security, xVMP encrypts virtualized instructions in each basic block and decrypts them at runtime to enhance the security of obfuscation. In addition, it supports specified function obfuscation. xVMP identifies the function annotations marked by the developer in the source code to locate the function to protect. We implement the prototype of xVMP, and evaluate it with a microbenchmark and three real-world programs. The experimental results show that xVMP can be more difficult to crack than the state-of-the-art obfuscators, and it can support more source code types and architectures, and can be applied to real-world software. Source Code: https://github.com/GANGE666/xVMP.

Yujie Zhao,Zhanyong Tang,Guixin Ye,Dongxu Peng,Dingyi Fang,Xiaojiang Chen,Zheng Wang

DOI: https://doi.org/10.1016/j.cose.2020.101821

IF: 5.105

2020-01-01

Computers & Security

Abstract:Infringing intellectual property by reverse analysis is a severe threat to Android applications. By replacing the program instructions with virtual instructions that an adversary is unfamiliar with, code obfuscation based on virtualization is a promising way of protecting Android applications against reverse engineering. However, the current code virtualization approaches for Android only target at the DEX bytecode level. The DEX file with the open file format and more semantic information makes the decode-dispatch pattern easier to expose, which has been identified as a severe vulnerability of security and can be exploited by various attacks. Further, decode-dispatch interpretation frequently uses indirect branches in this structure to introduce extra overhead. This paper presents a novel approach to transfer code virtualization from DEX level to native level, which possesses strong security strength and good stealth, with only modest cost. Our approach contains two components: pre-compilation and compile-time virtualization. Pre-compilation is designed for performance improvement by identifying and decompiling the critical functions which consume a significant fraction of execution time. Compile-time virtualization builds upon the widely used LLVM compiler framework. It automatically translates the DEX bytecode into the common LLVM intermediate representations where a unified code virtualization pass can be applied for DEX code. We have implemented a working prototype Dex2VM of our technique and applied it to eight representative Android applications. Our experimental results show that the proposed approach can effectively protect the target code against a state-of-the-art code reverse engineering tool that is specifically designed for code virtualization, and it achieves good stealth with only modest cost.

Hui Fang,Yongdong Wu,Shuhong Wang,Yin Huang

DOI: https://doi.org/10.1007/978-3-642-24861-0_12

2011-01-01

Abstract:A software obfuscator transforms a program into another executable one with the same functionality but unreadable code implementation. This paper presents an algorithm of multi-stage software obfuscation method using improved virtual machine techniques. The key idea is to iteratively obfuscate a program for many times in using different interpretations. An improved virtual machine (VM) core is appended to the protected program for byte-code interpretation. Adversaries will need to crack all intermediate results in order to figure out the structure of original code. Compared with existing obfuscators, our new obfuscator generates the protected code which performs more efficiently, and enjoys proven higher level security.

Zheng Zhang,Jingfeng Xue,Thar Baker,Tian Chen,Yu-an Tan,Yuanzhang Li

DOI: https://doi.org/10.1016/j.cose.2024.104038

IF: 5.105

2024-01-01

Computers & Security

Abstract:Virtualization obfuscation is a very effective method used to protect programs from malicious analysis by obscuring their code. Due to the fixed scheduling structures, typical virtualization obfuscation schemes can be compromised by automated analysis tools. To enhance the protection strength of virtualization obfuscation, additional protection techniques of the virtualization structure have been proposed. However, previously proposed solutions incur significant performance overhead or require a strong assumption in software-protection techniques. We present COVER, a novel virtualization obfuscation technique in conjunction with the flash controller. COVER enhances the obfuscation and protects the secret parameters of the virtualization structure with a flash controller-based secure module. We implement a prototype of COVER and describe a prototype implementation of a flash controller-based secure module on a Solid State Drive (SSD). We demonstrate COVER’s efficacy against various code analysis methods, and evaluate COVER’s performance using a set of real-world applications. The evaluation results demonstrate that COVER effectively protects the secret parameters of the virtualization structure and increases the effort involved in deobfuscation. Compared with two commercial obfuscators, COVER provides additional protection strength without incurring significantly more overhead in terms of runtime and code size.

Mathilde Ollivier,Sébastien Bardin,Richard Bonichon,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1908.01549

2019-08-07

Abstract:Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

Cryptography and Security

Yu-jia ZHANG,Jian-min PANG,Zheng ZHANG,Jiang-xing WU

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.02.037

2018-01-01

Abstract:With the development of reverse engineering,the software industry has suffered a great loss from the software piracy and malicious attack for a long time.Code obfuscation techniques which can hide specific function of a program from malicious analysis for malware is thus frequently employed to mitigate this risk.However,most of the existing obfuscation methods are language embedded and depend on the target architecture,this paper proposed a method of compile-time obfuscation,and further presented a prototype implementedation based on the LLVM compiler infrastructure.Furthermore,this paper implemented a mimic security defence system which is free from malicious attack with the software diversity method.

Mingyue Liang,Zhoujun Li,Qiang Zeng,Zhejun Fang

DOI: https://doi.org/10.1007/978-3-319-89500-0_28

2017-01-01

Abstract:Virtualization-obfuscation replaces native code in a binary with semantically equivalent and self-defined bytecode, which, upon execution, is interpreted by a custom virtual machine. It makes the code very difficult to analyze and is thus widely used in malware. How to deobfuscate such virtualization obfuscated code has been an important and challenging problem. We approach the problem from an innovative perspective by transforming it into a compilation optimization problem, and propose a novel technique that combines trace analysis, symbolic execution and compilation optimization to defeat virtualization obfuscation. We implement a prototype system and evaluate it against popular virtualization obfuscators; the results demonstrate that our method is effective in deobfuscation of virtualization-obfuscated code.

Zhang Xiaohan,Zhang Yuan,Chi Xinjian,Yang Min

DOI: https://doi.org/10.11999/jeit191036

2020-01-01

Abstract:Android system is now increasingly used in different kinds of smart devices, such as smart phones, smart watches, smart TVs and smart cars. Unfortunately, reverse attacks against Android applications are also emerging, which not only violates the intellectual right of application developers, but also brings security risks to end users. Existing Android application protection methods such as naming obfuscation, dynamic loading, and code hiding can protect Java code and native (C/C++) code, but are relatively simple and easy to be bypassed. A more promising method is to use instruction virtualization, but previous binary-based methods target specific architecture (x86), and cannot be applied to protect Android devices with different architectures. An architecture-independent instruction virtualization method is proposed, a prototype named Virtual Machine Packing Protection (VMPP) to protect Android native code is designed and implemented. VMPP includes a register-based fix-length instruction set, an interpreter to execute virtualized instructions, and a set of toolchains for developers to use to protect their code. VMPP is tested on a large number of C/C++ code and realworld Android applications. The results show that VMPP can effectively protect the security of Android native code for different architectures with low overhead.

YANG Ming,HUANG Liu-sheng

2011-01-01

Abstract:With the development of reverse engineering,previous traditional methods to protect software do not meet the need of modern software protection.A new virtual-machine-based scheme is proposed.It encodes the local machine instructions into virtual instructions,which are interpreted and executed by the virtual machine.The software semantics is also abstracted.This makes the reverse engineers very hard to understand the high level logic of the original program.Moreover,nested virtual machine technique is adopted in the scheme.Thus a reverse engineer has to fully understand the prior layer before he can proceed with the next layer.By this,a high security for software protection is achieved.

Zhanyong Tang,Kaiyuan Kuang,Lei Wang,Chao Xue,Xiaoqing Gong,Xiaojiang Chen,Dingyi Fang,Jie Liu,Zheng Wang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.246

2017-01-01

Abstract:Increasingly sophisticated code obfuscation techniques are quickly adopted by malware developers to escape from malware detection and to thwart the reverse engineering effort of security analysts. State-of-the-art de-obfuscation approaches rely on dynamic analysis, but face the challenge of low code coverage as not all software execution paths and behavior will be exposed at specific profiling runs. As a result, these approaches often fail to discover hidden malicious patterns. This paper introduces SEEAD, a novel and generic semantic-based de-obfuscation system. When building SEEAD, we try to rely on as few assumptions about the structure of the obfuscation tool as possible, so that the system can keep pace with the fast evolving code obfuscation techniques. To increase the code coverage, SEEAD dynamically directs the target program to execute different paths across different runs. This dynamic profiling scheme is rife with taint and control dependence analysis to reduce the search overhead, and a carefully designed protection scheme to bring the program to an error free status should any error happens during dynamic profile runs. As a result, the increased code coverage enables us to uncover hidden malicious behaviors that are not detected by traditional dynamic analysis based de-obfuscation approaches. We evaluate SEEAD on a range of benign and malicious obfuscated programs. Our experimental results show that SEEAD is able to successfully recover the original logic from obfuscated binaries.

Jun Guo,Lei Wang,Zhanyong Tang,Dingyi Fang

DOI: https://doi.org/10.13245/j.hust.160311

2016-01-01

Abstract:Current binary code de-obfuscation approaches only target a limited set of specific obfusca-tions and are ineffective against new obfuscations.State-of-the-art approaches of this problem are based on dynamic analysis and face the challenge of low code coverage.A semantics-based automated de-obfuscation approach was introduced.The key point of this approach is to optimize the instruction traces of the obfuscated program with the results of semantically relevant instruction identification, which can be applied to both existing and new obfuscation techniques.Moreover,a low-cost solution for multiple execution paths exploration was introduced.The proposed solution can enhance the code coverage and reduce the overhead at the same time.Experiment results show that the de-obfuscation approach is particularly effective and can be an invaluable aid for malware analysis.It can reduce the difficulty,and improve the efficiency of malware analysis effectively.

Dingyi Fang,Li Gao,Zhanyong Tang,Xiaojiang Chen

DOI: https://doi.org/10.1109/ncis.2011.60

2011-01-01

Abstract:The technology of software protection based on virtual machine is a hot research field of software protection. Considering the impact on the performance of target software, traditional virtual machine can only protect several key functions of target software, which makes it unable to prevent reverse engineering for the whole software. In order to balance the performance overheads against protection strength, we proposed a thin virtual machine based software protection framework using distorted encryption (TVMBDE) in this paper. Based on improving the algorithms of instruction transformation of traditional virtual machines, the framework makes use of thin virtual machine protection technology to enhance the efficiency and integration of distorted encryption so as to ensure the security. In order to implement overall protection, the common part of target software will be protected in low-power, while the key parts will be protected in high-power. Analysis and testing show the framework is effective, which achieves the purpose of protecting the whole software.

Davide Pizzolotto,Stefano Berlato,Mariano Ceccato

DOI: https://doi.org/10.1145/3631971

IF: 3.685

2024-01-25

ACM Transactions on Software Engineering and Methodology

Abstract:Java bytecode is a quite high-level language and, as such, it is fairly easy to analyze and decompile with malicious intents, e.g., to tamper with code and skip license checks. Code obfuscation was a first attempt to mitigate malicious reverse engineering based on static analysis. However, obfuscated code can still be dynamically analyzed with standard debuggers to perform step-wise execution and to inspect (or change) memory content at important execution points, e.g., to alter the verdict of license validity checks. Although some approaches have been proposed to mitigate debugger-based attacks, they are only applicable to binary compiled code and none address the challenge of protecting Java bytecode. In this paper, we propose a novel approach to protect Java bytecode from malicious debugging. Our approach is based on automated program transformation to manipulate Java bytecode and split it into two binary processes that debug each other (i.e., a self-debugging solution). In fact, when the debugging interface is already engaged, an additional malicious debugger cannot attach. To be resilient against typical attacks, our approach adopts a series of technical solutions, e.g., an encoded channel is shared by the two processes to avoid leaking information, an authentication protocol is established to avoid Man-in-the-Middle attacks and the computation is spread between the two processes to prevent the attacker to replace or terminate either of them. We test our solution on 18 real-world Java applications, showing that our approach can effectively block the most common debugging tasks (either with the Java debugger or the GNU debugger) while preserving the functional correctness of the protected programs. While the final decision on when to activate this protection is still up to the developers, the observed performance overhead was acceptable for common desktop application domains.

computer science, software engineering