Pang Jianmin,Zhang Yujia,Zhang Zheng,Wu Jiangxing

DOI: https://doi.org/10.15302/j-sscae-2016.06.015

2016-01-01

Abstract:With the development of the Internet, the process of computer software globalization continues to advance. A lot of identical software is installed on tens of thousands of computers. This makes widespread exploitation of software vulnerabilities easy and attractive for an attacker because the same attack vector will probably successfully affect numerous targets. Traditional software security methods can only be used to repair the vulnerabilities. Although software-diversity technology can remove the threat momentarily, it cannot eliminate the risk caused by vulnerabilities. This paper proposes a scheme of combining software diversity and mimic defense in the software security industry to eliminate the threat.

Hongchao Hu,Jiangxing Wu,Zhenpeng Wang,Guozhen Cheng

DOI: https://doi.org/10.1049/iet-ifs.2017.0086

2017-01-01

IET Information Security

Abstract:In recent years, both academia and industry in cyber security have tried to develop innovative defense technologies, expecting that to change the rules of the game between attackers and defenders. The authors start by analysing the root causes of security problems in cyberspace: (i) vulnerabilities in cyber systems are universal; (ii) current cyber systems are static, predictable and monoculture which allows adversaries to plan and launch attacks effectively; (iii) existing techniques cannot detect and eliminates attacks employing unknown vulnerabilities. Based on their analysis, they develop a novel defense framework, mimic defense (MD), that employs dynamic, heterogeneity, redundancy (DHR)' mechanism to defense cyber attacks. The main ideas behind MD are: constructing diverse functional equivalent variants for the protected target; scheduling some variants to run in parallel dynamically; and adopting policy-based arbitration mechanism to decide whose results of current running variants are correct. Theoretical analysis and simulation results show that DHR can significantly increase the difficulties for attackers and enhance the security of cyber systems, and the security enhancement can be more than ten times. They also present a proof-of-principle prototype that employ MD, mimic router, to examine its effectiveness. Finally, they conclude its limitations.

Kun HAN,Hailin ZHANG,Bo WU,Dan XIN,Zhiyuan REN

DOI: https://doi.org/10.3969/j.issn.1001-2400.2017.02.032

2017-01-01

Abstract:The traditional software security defense approach has always been faced with the problem of being easy to conquer and hard to defend, so in order to build a software security defense system that is easy to defend and hard to conquer, based on the idea of moving target defense, a combined defense in depth method for software security is designed and implemented to resist the attacks due to software vulnerabilities.The method introduces the mechanism of randomization on the source code and binary code level, and makes those mechanisms work together comprehensively through the design of metadata database, and finally forms a defense in depth for software security protection.The experimental results of the prototype system show that the proposed method can automatically and effectively build a diversity of software, and the generated software shows the uncertainty from both static analysis and dynamic aspects, which makes it difficult to analyze and attack, thus being able to effectively resist the network attacks based on software vulnerabilities.

Hui Xu,Yangfan Zhou,Jiang Ming,Michael Lyu

DOI: https://doi.org/10.1186/s42400-020-00049-3

2020-01-01

Abstract:Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

FU Jian-jing,WANG Ke

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.012

2010-01-01

Abstract:A compiler built-in obfuscating technology was developed in order to protect software intellectual property and keep from reverse engineering and static analysis. A crossing control-flow code obfuscation technology and the corresponding compiling solution were presented. The control crossing principle of If statement and While loop statement were given out,which produced the control blocks of multi-level exit and entry,so the code control flow became more complicated. Meanwhile,the protected code block was placed in the crossing control blocks to conceal the true control flow. Then the automatic anti-compile can be effectively prevented and the difficulty of software analysis was enhanced. Because the crossing control-flow in source code level cannot be passed by compiler,a compatible compiling method of built-in functions was presented,which made programming simple and safe. The simulation and analysis results indicated that the technology had good protection effect for source code; the target code was slightly increased after compiled,and its running efficiency was almost not affected.

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Chang Wang,Zhaolong Zhang,Xiaoqi Jia,Donghai Tian

DOI: https://doi.org/10.1109/malware.2018.8659363

2018-01-01

Abstract:Software reverse engineering is the process of retrieving the source code or recovering the higher level structure from an executable binary file. It has a wide range of applications in software analysis, such as vulnerability mining and exploiting, blind patching and so on. But it can also be used for illegal activities such as software piracy and plagiarism, which bring huge losses to relevant workers. So Anti-reverse has important significance for intellectual property protection. In fact, it is difficult to protect a software against being reversed or malicious modifications.In this paper, we present and discuss a new binary obfuscation method based on reassemble. The binary reassembling refers to the process of disassembling an executable binaries into assembly code and assemble it back to a correct binary. We make binary obfuscation in this process because it can avoid many problems and have better protection than other obfuscation methods. We designed two obfuscating schemes including instruction substitution and control flow confusion. The resulting code is still a correct program, but it has more complex instruction execution sequence and sophisticated control flow graph. According to the experiment results, the obfuscated program has more smaller file size but it execute more slowly than the original program.

尚涛,谷大武

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.12.043

2009-01-01

Abstract:In order to protect the property of software,according to the characteristics of general disassembly algorithms,this paper provided code overlap,jumping address redirection and obfuscation of control flow etc.several approaches in code obfuscation technologies.These approaches are able to make the disassembly process go away,and misdirect the adversaries' comprehension to programs,consequently enhance the software's resistance to disassembly,thus preventing the software from reverse analysing and protecting its property effectively.

William Zhu,Clark Thomborson,Fei-Yue Wang

DOI: https://doi.org/10.1007/11734628_18

2006-01-01

Abstract:As various computers are connected into a world wide network, software is a target of copyright pirates, attackers, or even terrorists, as a result, software protections become a more and more important issue for software users and developers. There are some technical measures for software protections, such as hardware-based protections and software-based techniques [1], etc. Software obfuscation [2] is one of these measures to protect software from unauthorized modification by making software more obscure so that it is hard for potential attackers to understand the obfuscated software. There are several algorithms of software obfuscation such as layout transformation, computation transformation, ordering transformation, and data transformation [2]. Variable transformation is a major method of data transformation to transform software into a new semantically equivalent one that is hard for attackers to understand the true meaning of variables in software.

Weiping WEN,Han ZHANG,Xianglei CAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.05.011

2016-01-01

Abstract:With the rapid development of mobile intelligent terminals, Android operating system has become one of the most widely used mobile intelligent operating systems in the world. Java is famous for its features of good cross-platform, high efficiency and a large amount of developers, therefore the designers of Android choose Java as the system development language. The characteristics of the Java language make Java program easy be decompiled by decompilation tools and be analyzed, which makes Android applications face great risks. This paper focuses on the study of code obfuscation technology for the purpose of protecting Android applications, improving the dififculty of the attacker's reverse analysis and adding no extra time cost for the execution of the program. Based on Android executable ifle reorganization, this paper designs and implements a kind of Android obfuscation tool and carries out test and performances analysis. This Android obfuscation tool enhances the security of Android applications, protects Android applications developers' intellectual property rights, and avoids reverse analysis, piracy and malicious tampering to Android applications to a certain extent.

Mutya Sri Lakshmi Meher Gayatri,Akula Veera Vasu Sriphalya,Manas Kumar Yogi

DOI: https://doi.org/10.46610/johtdcpcv.2024.v01i01.005

2024-04-25

Abstract:This paper investigates the intricate landscape of code obfuscation and anti analysis techniques within software security. The primary objective is to comprehensively understand the various methods employed to obscure code functionality and impede analysis efforts. Through an extensive literature review, this study examines the fundamental concepts of code obfuscation and identifies common anti analysis strategies utilized by malware authors. By exploring the arms race between obfuscation and analysis, this paper aims to shed light on the evolving tactics employed by both defenders and adversaries in cybersecurity. Methodologically, this research delves into the detailed explanation of prevalent code obfuscation techniques, including control flow obfuscation, data obfuscation, and string obfuscation, alongside examples and case studies illustrating their effectiveness. Similarly, the study scrutinizes anti analysis methods utilized by malware authors, highlighting their impact on software security and malware analysis. Through experimental evaluation and case studies of real world incidents, this research evaluates the efficacy of code obfuscation and anti analysis techniques, providing insights into their implications for software security and malware defence strategies. Key findings of this research underscore the critical role of code obfuscation in software security and the escalating challenge it poses for malware detection and analysis. Moreover, the study elucidates the significance of effectively understanding and countering anti analysis techniques to bolster cybersecurity defences. The implications of this research extend to practitioners and researchers, offering valuable insights into developing mitigation strategies and tools to combat code obfuscated malware and enhance overall software security.

LI Chengyang,HUANG Tianbo,CHEN Xiarun,WEN Weiping

DOI: https://doi.org/10.3778/j.issn.1002-8331.2112-0035

2023-01-01

Abstract:Software security issues are becoming more prominent in the post-epidemic era, and code obfuscation as a mature protection scheme provides the possibility of cross-platform use with the help of LLVM. However, LLVM-based control flow obfuscation algorithms are limited in terms of protection strength, on the one hand, the existing algorithm model is immutable and lacks structural innovation. On the other hand, the obfuscation processing does not take into account the fact that attackers can base on the basic block. Therefore, two algorithms are proposed:firstly, nested switch obfuscation, which breaks the inherent flat processing model and enhances the hiding of the hopping amount by reconstructing the switch structure internally; secondly, indegree obfuscation, which adds an anti-entry degree analysis strategy to the false control flow to circumvent the false block by changing the indegree of the false block. The results show that the obfuscation method can further reduce 58.67% of the basic block similarity and increase 64.44% of the jump instructions compared to the existing control-flow obfuscation scheme within 1.5 times the temporal overhead.

Teng Long,Lin Liu,Yijun Yu,Zhiguo Wan

DOI: https://doi.org/10.1109/FCST.2010.85

2010-01-01

Abstract:Nowadays, software refactoring techniques are widely adopted to enhance the quality of software by improving its understandability, performance, as well as other quality related design attributes. On the other hand, various kinds of software obfuscation methods have been proposed to protect security-sensitive information involved in software implementations. This paper analyzes how refactoring and obfuscation use reverse transformations to improve quality and security of software code, and proposes a systematic modeling approach based on i* to support the selection of refactoring techniques and obfuscation methods under different social, environmental and operational situations. First, top-level softgoals guiding designer's decision making are identified and analyzed; next accidental programming “bad smells” and intentional code cracker's threats to these softgoals are identified and analyzed; then refactoring and obfuscation transformations are modeled as countermeasures for these threats; eventually their reversal relations and counteracting patterns are examined using example code segments.

Mathilde Ollivier,Sébastien Bardin,Richard Bonichon,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1908.01549

2019-08-07

Abstract:Code obfuscation is a major tool for protecting software intellectual property from attacks such as reverse engineering or code tampering. Yet, recently proposed (automated) attacks based on Dynamic Symbolic Execution (DSE) shows very promising results, hence threatening software integrity. Current defenses are not fully satisfactory, being either not efficient against symbolic reasoning, or affecting runtime performance too much, or being too easy to spot. We present and study a new class of anti-DSE protections coined as path-oriented protections targeting the weakest spot of DSE, namely path exploration. We propose a lightweight, efficient, resistant and analytically proved class of obfuscation algorithms designed to hinder DSE-based attacks. Extensive evaluation demonstrates that these approaches critically counter symbolic deobfuscation while yielding only a very slight overhead.

Cryptography and Security

Christian Collberg,Clark Thomborson,Douglas Low

1997-01-01

Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering....

Jiangxing WU

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.04.001

2016-01-01

Abstract:The unbalance in cyber security and its root is analyzed in this paper, of which a dynamically redundant het-erogeneity architecture and the basic principle to compose an information system of high reliability and high security level with unreliable hardware is mainly discussed. Then, basic concepts about mimic defense is briefly stated. Finally, a test evaluation and preliminary conclusion about the system of mimic defense verification is presented.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

Zhi Xin,Huiyu Chen,Xinche Wang,Peng Liu,Sencun Zhu,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/s10207-012-0170-9

2012-01-01

International Journal of Information Security

Abstract:Software birthmarks utilize certain specific program characteristics to validate the origin of software, so it can be applied to detect software piracy. One state-of-the-art technology on software birthmark adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics equivalent system calls to unlock the high frequency dependencies between the system calls in the victim’s original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.

Eric Filiol

DOI: https://doi.org/10.48550/arXiv.1009.4000

2010-09-21

Abstract:Fighting against computer malware require a mandatory step of reverse engineering. As soon as the code has been disassemblied/decompiled (including a dynamic analysis step), there is a hope to understand what the malware actually does and to implement a detection mean. This also applies to protection of software whenever one wishes to analyze them. In this paper, we show how to amour code in such a way that reserse engineering techniques (static and dymanic) are absolutely impossible by combining malicious cryptography techniques developped in our laboratory and new types of programming (k-ary codes). Suitable encryption algorithms combined with new cryptanalytic approaches to ease the protection of (malicious or not) binaries, enable to provide both total code armouring and large scale polymorphic features at the same time. A simple 400 Kb of executable code enables to produce a binary code and around $2^{140}$ mutated forms natively while going far beyond the old concept of decryptor.

Cryptography and Security

Peidai Xie,Xicheng Lu,Yongjun Wang,Jinshu Su

2013-01-01

International Journal of Security and Its Applications

Abstract:In order to be a long time alive, modern malware often make anti-emulation check after launched for evading dynamic analysis. Malware authors gain fingerprint information of target environment through several API to detect whether their creations are running in monitored state or not. If an emulated analysis environment is detected, the malware will change its running to avoid malicious behavior exposing. The existing approaches are based on trace matching with a intuition that, given the same inputs, the execution of a program should be the same in simulated analysis environment and on a real hardware reference system. However those approaches are too fine-grained to be inefficient.In this paper we propose an approach to deal with anti-emulation using instruction traces and dynamic slicing. With a difference from trace matching solutions presented in existing references, our approach is performed on one instruction trace derived from our dynamic analysis platform. We evaluate our approach with 189 malware samples collected in the wild. The experience shows that our proposed approach can spot efAPI used for anti-emulation check in an efficient way.