research-article

Comparing the effectiveness of commercial obfuscators against MATE attacks

Authors:

Ramya Manikyam,

J. Todd McDonald,

William R. Mahoney,

Samuel H. RussAuthors Info & Claims

SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering

Article No.: 8, Pages 1 - 11

https://doi.org/10.1145/3015135.3015143

Published: 05 December 2016 Publication History

Abstract

The ability to protect software from malicious reverse engineering remains a challenge faced by commercial software companies who invest a large amount of resources in the development of their software product. In order to protect their investment from potential attacks such as illegal copying, tampering, and malicious reverse engineering, most companies utilize some type of protection software, also known as obfuscators, to create variants of their products that are more resilient to adversarial analysis. In this paper, we report on the effectiveness of different commercial obfuscators against traditional man-at-the-end (MATE) attacks where an adversary can utilize tools such as debuggers, disassemblers, and de-compilers as a legitimate end-user of a binary executable. Our case study includes four benchmark programs that have associated adversarial goals categorized as either comprehension or change tasks. We use traditional static and dynamic analysis techniques to identify the adversarial workload and outcomes before and after each program is transformed by a set of three commercial obfuscators. Our results confirm what is typically assumed: an adversary with a reasonable background in the computing disciplines can both comprehend and make changes to any of our completely unprotected programs using standard tools. Additionally, given the same skill set and attack approach, protected programs can still be probed to leak certain information, but none could be successfully altered and saved to create a cracked version. As a contribution, our methodology is unique compared to prior studies on obfuscation effectiveness in that we categorize adversarial skill and delineate program goals into comprehension and change ability, while considering the load time and overhead of obfuscated variants.

References

[1]

Anon, 2013. Defending Against the Triple Threat to Intellectual Property. Retrieved June 15, 2015, from http://www.safenet-inc.com/resource/Resources7Detail.aspx?cat=srm&sc=341

[2]

Anon, 2014. The Compliance Gap. Retrieved June 28, 2015, from http://globalstudy.bsa.org/2013/

[3]

Akhunzada, A., Sookah, M., Anuar, NB., Gani, A., Ahmed, E., Shiraz, M., Furnell, S., Hayat, A. and Khan, M.K., 2015. Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications, 48:44--57.

Digital Library

[4]

Pressman, R., 2005. Software engineering, Boston, Mass.: McGraw-Hill.

Digital Library

[5]

Kotonya, G. and Sommerville, I., 1998. Requirements engineering, Chichester: J. Wiley.

Digital Library

[6]

Garg, M. Mamta Garg. 2009. Reverse Engineering - Roadmap to Effective Software Design. International Journal of Recent Trends in Engineering, 1(2), 186--188, 2009.

[7]

Falcarin, P., Collberg, C., Atallah, M. and Jakubowski, M., 2011. Guest Editors' Introduction: Software Protection. IEEE Softw., 28(2), pp.24--27.

Digital Library

[8]

Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., and Yang, K., 2012. On the (im)possibility of obfuscating programs. Journal of the ACM, 59(2), 1--48.

Digital Library

[9]

Vmpsoft.com, 2003. VMProtect Software Protection: VMProtect. Retrieved August 3, 2015, from http://vmpsoft.com/products/vmprotect/

[10]

Oreans.com, 2004. Oreans Technology : Themida. Retrieved August 12, 2015, from http://www.oreans.com/themida.php

[11]

Oreans.com, 2006. Oreans Technology : Code Virtualizer. Retrieved August 12, 2015, from http://www.oreans.com/codevirtualizer.php

[12]

Red-gate.com, Redgate's SmartAssembly. Retrieved August 13, 2015, from https://www.red-gate.com/products/dotnet-development/smartassembly/

[13]

Ssware.com, 2010. Crypto Obfuscator For .Net - Obfuscator With Code Protection, Exception Reporting, Optimization. Retrieved August 14, 2015, from http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

[14]

Collberg, C., 2015. The Tigress C Diversifier/Obfuscator. Retrieved August 14, 2015, from Arizona University: Tigress.cs.arizona.edu.

[15]

Ollydbg.de, 2013. OllyDbg. Retrieved September 8, 2015, from http://www.ollydbg.de/

[16]

hex-rays.com, Hex-Rays Home: IDA. Retrieved September 20, 2015, from https://www.hex-rays.com/products/ida/

[17]

Cheatengine.org, Cheat Engine. Retrieved September 25, 2015, from http://www.cheatengine.org/index.php

[18]

Red-gate.com, .NET Decompiler: Decompile Any .NET Code | .NET Reflector. Retrieved August 23, 2015, from https://www.red-gate.com/products/dotnet-development/reflector/

[19]

Jetbrains.com, Free .NET decompiler : JetBrains dotPeek. Retrieved October 10, 2015, from https://www.jetbrains.com/decompiler/

[20]

Ilspy.net, ILSpy. Retrieved October 17, 2015, from http://ilspy.net/

[21]

Collberg, C. and Nagra, J., 2009. Surreptitious software, Boston, Mass.: Addison-Wesley.

[22]

Emanuelsson, P. and Nilsson, U., 2008. A Comparative Study of Industrial Static Analysis Tools. Electronic Notes in Theoretical Computer Science, 217, pp.5--21.

Digital Library

[23]

Collberg, C., Thomborson, C., and Low, D. 1997. A taxonomy of obfuscating transformations. Department of Computer Science, The University of Auckland, New Zealand.

[24]

Cazalas J., McDonald, J.T., Andel, T. R., and Stakhanova, N. Probing the Limits of Virtualized Software Protection. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop (PPREW-4). ACM, New York, NY, USA, Article 5, 11 pages, 2014,

Digital Library

[25]

Collberg, C. and Thomborson, C., 2002. Watermarking, tamper-proofing, and obfuscation - tools for software protection. IEEE Transactions on Software Engineering, 28(8), pp.735--746.

Digital Library

[26]

Macbride, J., Mascioli, C., Marks, S., Tang, Y., Head, L.M. and Ramach, P., 2005. A comparative study of java obfuscators. In Proceedings of the IASTED International Conference on Software Engineering and Applications (SEA 2005). 14--16.

[27]

Ceccato, M., Di Penta, M., Falcarin, P., Ricca, F., Torchiano, M. and Tonella, P., 2013. A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques. Empirical Software Engineering.

Digital Library

[28]

Zhang, X., Tsang, A., Yue, W.T. and Chau, M., 2015. The classification of hackers by knowledge exchange behaviors. Information Systems Frontiers, 17(6), pp.1239--1251.

Digital Library

[29]

Nagra, Jasvir and Collberg, C. Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection (Addison-Wesley Software Security Series). Pearson Education, 2010.

Cited By

De Sutter BSchrittwieser SCoppens BKochberger P(2024)Evaluation Methodologies in Software Protection ResearchACM Computing Surveys10.1145/3702314Online publication date: 2-Nov-2024
https://doi.org/10.1145/3702314
Collins SPoulopoulos AMuench MChothia TSchrittwieser SIanni M(2024)Anti-Cheat: Attacks and the Effectiveness of Client-Side DefencesProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690816(30-43)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690816
Zhang NFeng ZXu D(2024)An In-Depth Analysis of the Code-Reuse Gadgets Introduced by Software ObfuscationApplied Cryptography and Network Security10.1007/978-3-031-54776-8_9(217-240)Online publication date: 29-Feb-2024
https://doi.org/10.1007/978-3-031-54776-8_9
Show More Cited By

Index Terms

Comparing the effectiveness of commercial obfuscators against MATE attacks
1. Security and privacy
  1. Software and application security
    1. Software reverse engineering
  2. Systems security
    1. Vulnerability management
      1. Penetration testing
2. Social and professional topics
  1. Computing / technology policy
    1. Intellectual property
      1. Digital rights management
      2. Software reverse engineering

Recommendations

Toward Digital Asset Protection

The goal of software protection (SP) research is to make software safe from malicious attacks by preventing adversaries from tampering, reverse engineering, and illegally redistributing software. The Digital Asset Protection Association (DAPA) was ...
Hybrid static-dynamic attacks against software protection mechanisms
DRM '05: Proceedings of the 5th ACM workshop on Digital rights management

Advances in reverse engineering and program analyses have made software extremely vulnerable to malicious host attacks. These attacks typically take the form of intellectual property violations, against which the software needs to be protected. The ...
Code Obfuscation: Why is This Still a Thing?
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy
Early developments in code obfuscation were chiefly motivated by the needs of Digital Rights Management (DRM). Other suggested applications included intellectual property protection of software and code diversification to combat the monoculture problem ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering

December 2016

85 pages

ISBN:9781450348416

DOI:10.1145/3015135

General Chair:
J. Todd McDonald
University of South Alabama
,
Program Chairs:
Mila Dalla Preda
University of Verona, Italy
,
Natalia Stakhanova
University of New Brunswick, Canada

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 December 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SSPREW '16

SSPREW '16: Software Security, Protection, and Reverse Engineering Workshop

December 5 - 6, 2016

California, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 6 of 13 submissions, 46%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
225
Total Downloads

Downloads (Last 12 months)14
Downloads (Last 6 weeks)2

Reflects downloads up to 08 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

De Sutter BSchrittwieser SCoppens BKochberger P(2024)Evaluation Methodologies in Software Protection ResearchACM Computing Surveys10.1145/3702314Online publication date: 2-Nov-2024
https://doi.org/10.1145/3702314
Collins SPoulopoulos AMuench MChothia TSchrittwieser SIanni M(2024)Anti-Cheat: Attacks and the Effectiveness of Client-Side DefencesProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690816(30-43)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690816
Zhang NFeng ZXu D(2024)An In-Depth Analysis of the Code-Reuse Gadgets Introduced by Software ObfuscationApplied Cryptography and Network Security10.1007/978-3-031-54776-8_9(217-240)Online publication date: 29-Feb-2024
https://doi.org/10.1007/978-3-031-54776-8_9
Luo CMing JFu JPeng GLi Z(2023)Reverse Engineering of Obfuscated Lua Bytecode via Interpreter Semantics TestingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.328925418(3891-3905)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3289254
Wu JChiu WLiu PMeng WLi W(2023)The Instruction Separation Framework against Man-At-The-End Attacks: Protect What is Mattered On-the-Fly2023 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom)10.1109/ISPA-BDCloud-SocialCom-SustainCom59178.2023.00070(286-293)Online publication date: 21-Dec-2023
https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom59178.2023.00070
Zhang NAlden DXu DWang SJaeger TRuml W(2023)No Free Lunch: On the Increased Code Reuse Attack Surface of Obfuscated Programs2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58367.2023.00039(313-326)Online publication date: Jun-2023
https://doi.org/10.1109/DSN58367.2023.00039
Todd McDonald JManikyam RBardin SBonichon RAndel TCarambat J(2023)Evaluating Defensive Countermeasures for Software-Based Hardware AbstractionE-Business and Telecommunications10.1007/978-3-031-36840-0_13(281-304)Online publication date: 22-Jul-2023
https://doi.org/10.1007/978-3-031-36840-0_13
Adhikari DMcDonald JAndel TRichardson J(2022)Argon: A Toolbase for Evaluating Software Protection Techniques Against Symbolic Execution AttacksSoutheastCon 202210.1109/SoutheastCon48659.2022.9764028(743-750)Online publication date: 26-Mar-2022
https://doi.org/10.1109/SoutheastCon48659.2022.9764028
Suresh ASankaran S(2020)Power Profiling and Analysis of Code Obfuscation for Embedded Devices2020 IEEE 17th India Council International Conference (INDICON)10.1109/INDICON49873.2020.9342447(1-6)Online publication date: 10-Dec-2020
https://doi.org/10.1109/INDICON49873.2020.9342447
Xu DMing JFu YWu DLie DMannan MBackes MWang X(2018)VMHuntProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243827(442-458)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243827

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents