research-article

A framework for measuring software obfuscation resilience against automated attacks

Authors:

Sebastian Banescu,

Alexander PretschnerAuthors Info & Claims

SPRO '15: Proceedings of the 1st International Workshop on Software Protection

Pages 45 - 51

Published: 16 May 2015 Publication History

Abstract

Software obfuscation of programs, with the goal of protecting against attackers having physical access to the machine executing them, is a common practice motivated by the necessity of keeping intellectual property (such as business critical algorithms) and critical data (such as cryptographic keys) secret. However, as of today, it is unclear how secure popular obfuscation operators are relative to each other or to other protection techniques. In this paper we propose a formal framework to characterize attacker models and guarantees, inspired by similar notions from cryptography. We then map prior work in the area of deobfuscation to our formal model to the possible extent. We also perform a case-study about using symbolic execution for deobfuscation, concretely mapped onto our formal model.

References

[1]

S. Banescu, M. Ochoa, A. Pretschner, and N. Kunze. Benchmarking indistinguishability obfuscation - a candidate implementation. In Proc. of 7th International Symposium on ESSoS, number 8978 in LNCS, 2015.

[2]

O. Billet, H. Gilbert, and C. Ech-Chatbi. Cryptanalysis of a white box AES implementation. In Selected Areas in Cryptography, number 3357 in LNCS, pages 227--240. Springer Berlin Heidelberg, Jan. 2005.

Digital Library

[3]

A. Biryukov, D. Khovratovich, and I. Nikolić. Distinguisher and related-key attack on the full aes-256. Advances in Cryptology-CRYPTO 2009, pages 231--249, 2009.

Digital Library

[4]

J. Bringer, H. Chabanne, and E. Dottax. White box cryptography: Another attempt. located at, last visited on Jul, 22(2011):14, 2006.

[5]

C. Cadar, D. Dunbar, and D. R. Engler. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008.

Digital Library

[6]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: Automatically generating inputs of death. ACM Trans. Inf. Syst. Secur., 12(2):10:1--10:38, Dec. 2008.

Digital Library

[7]

M. Ceccato, M. D. Penta, P. Falcarin, F. Ricca, M. Torchiano, and P. Tonella. A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques. Empirical Software Engineering, 19(4):1040--1074, Feb. 2013.

Digital Library

[8]

V. Chipounov, V. Kuznetsov, and G. Candea. S2E: A Platform for In-vivo Multi-path Analysis of Software Systems. ASPLOS XVI, pages 265--278, New York, NY, USA, 2011. ACM.

Digital Library

[9]

S. Chow, P. Eisen, H. Johnson, and P. C. V. Oorschot. Whitebox cryptography and an AES implementation. In Selected Areas in Cryptography, number 2595 in LNCS, pages 250--270. Springer Berlin Heidelberg, Jan. 2003.

Digital Library

[10]

S. Chow, P. Eisen, H. Johnson, and P. C. Van Oorschot. A whitebox DES implementation for DRM applications. In Digital Rights Management, pages 1--15. Springer, 2003.

[11]

C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical report, Department of Computer Science, The University of Auckland, New Zealand, 1997.

[12]

K. Coogan, G. Lu, and S. Debray. Deobfuscation of virtualization-obfuscated software: A semantics-based approach. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, pages 275--284, New York, NY, USA, 2011. ACM.

Digital Library

[13]

M. Dalla Preda. Code obfuscation and malware detection by abstract interpretation. PhD thesis, University of Verona, 2007.

[14]

M. Dalla Preda and R. Giacobazzi. Control code obfuscation by abstract interpretation. In Third IEEE International Conference on Software Engineering and Formal Methods., pages 301--310. IEEE, 2005.

Digital Library

[15]

F. Gabriel. Deobfuscation: recovering an OLLVM-protected program. http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html, 2014. Quarkslab, Accessed: 2014-01-20.

[16]

S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In Proc. of the 54th Annual Symp. on Foundations of Computer Science, pages 40--49, 2013.

Digital Library

[17]

Y. Guillot and A. Gazet. Automatic binary deobfuscation. Journal in computer virology, 6(3):261--276, 2010.

[18]

J. Kinder. Towards static analysis of virtualization-obfuscated binaries. In 19th Working Conference on Reverse Engineering (WCRE), pages 61--70, Oct 2012.

Digital Library

[19]

W. Michiels, P. Gorissen, and H. D. L. Hollmann. Cryptanalysis of a generic class of white-box implementations. In R. M. Avanzi, L. Keliher, and F. Sica, editors, Selected Areas in Cryptography, number 5381 in LNCS, pages 414--428. Springer Berlin Heidelberg, Jan. 2009.

Digital Library

[20]

Y. D. Mulder, B. Wyseur, and B. Preneel. Cryptanalysis of a perturbated white-box AES implementation. In Progress in Cryptology - INDOCRYPT 2010, number 6498 in LNCS, pages 292--310. Springer Berlin Heidelberg, 2010.

[21]

R. Rolles. Control Flow Deobfuscation via Abstract Interpretation. https://www.openrce.org/blog/view/1672/Control_Flow_Deobfuscation_via_Abstract_Interpretation, 2011. OpenRCE, Accessed: 2014-01-20.

[22]

M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Security and Privacy, 2009 30th IEEE Symposium on, pages 94--109, May 2009.

Digital Library

[23]

N. Smart. ECRYPT II Yearly Report on Algorithms and key-sizes (2011-2012), 2012. http://www.ecrypt.eu.org/documents/D.SPA.20.pdf.

[24]

I. Sutherland, G. E. Kalb, A. Blyth, and G. Mulley. An empirical examination of the reverse engineering process for binary files. Computers & Security, 25(3):221--228, 2006.

Digital Library

[25]

S. Udupa, S. Debray, and M. Madou. Deobfuscation: reverse engineering obfuscated code. In 12th Working Conference on Reverse Engineering, 2005.

Digital Library

[26]

H. S. Warren. Hacker's Delight. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002.

Digital Library

[27]

B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel. Cryptanalysis of white-box DES implementations with arbitrary external encodings. In Selected Areas in Cryptography, number 4876 in LNCS, pages 264--277. Springer Berlin Heidelberg, 2007.

Digital Library

[28]

Y. Xiao and X. Lai. A secure implementation of white-box AES. In 2nd International Conference on Computer Science and its Applications, 2009. CSA '09, pages 1--6, 2009.

[29]

O. Yigit. Hash Functions. http://www.cse.yorku.ca/~oz/hash.html. York University, Accessed: 2014-01-27.

Cited By

Holder WMcDonald JAndel TMcDonald JPreda MStakhanova N(2017)Evaluating Optimal Phase Ordering in Obfuscation ExecutivesProceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop10.1145/3151137.3151140(1-12)Online publication date: 5-Dec-2017
https://dl.acm.org/doi/10.1145/3151137.3151140
Salem ABanescu SMcDonald JPreda MStakhanova N(2016)Metadata recovery from obfuscated programs using machine learningProceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering10.1145/3015135.3015136(1-11)Online publication date: 5-Dec-2016
https://dl.acm.org/doi/10.1145/3015135.3015136
Banescu SLucaci CKrämer BPretschner AWyseur BDe Sutter B(2016)VOT4CSProceedings of the 2016 ACM Workshop on Software PROtection10.1145/2995306.2995312(39-49)Online publication date: 28-Oct-2016
https://dl.acm.org/doi/10.1145/2995306.2995312
Show More Cited By

Index Terms

A framework for measuring software obfuscation resilience against automated attacks

Recommendations

Code obfuscation against symbolic execution attacks
ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications

Code obfuscation is widely used by software developers to protect intellectual property, and malware writers to hamper program analysis. However, there seems to be little work on systematic evaluations of effectiveness of obfuscation techniques against ...
A Framework for Measuring Software Obfuscation Resilience against Automated Attacks
SPRO '15: Proceedings of the 2015 IEEE/ACM 1st International Workshop on Software Protection

Software obfuscation of programs, with the goal of protecting against attackers having physical access to the machine executing them, is a common practice motivated by the necessity of keeping intellectual property (such as business critical algorithms) ...
Automated containment of rootkits attacks

Rootkit attacks are a serious threat to computer systems. Packaged with other malwares such as worms, viruses and spyware, rootkits pose a more potent threat than ever before by allowing malware to evade detection. In the absence of appropriate tools to ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SPRO '15: Proceedings of the 1st International Workshop on Software Protection

May 2015

77 pages

General Chair:
Paolo Falcarin
University of East London, UK
,
Program Chair:
Brecht Wyseur
Nagravision, Switzerland

Sponsors

ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering
IEEE-CS\DATC: IEEE Computer Society
TCSE: IEEE Computer Society's Tech. Council on Software Engin.

Publisher

IEEE Press

Publication History

Published: 16 May 2015

Check for updates

Qualifiers

Research-article

Conference

ICSE '15

Sponsor:

ACM
SIGSOFT
IEEE-CS\DATC
TCSE

ICSE '15: 37th International Conference on Software Engineering

May 16 - 24, 2015

Florence, Italy

Acceptance Rates

Overall Acceptance Rate 8 of 14 submissions, 57%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
116
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Holder WMcDonald JAndel TMcDonald JPreda MStakhanova N(2017)Evaluating Optimal Phase Ordering in Obfuscation ExecutivesProceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop10.1145/3151137.3151140(1-12)Online publication date: 5-Dec-2017
https://dl.acm.org/doi/10.1145/3151137.3151140
Salem ABanescu SMcDonald JPreda MStakhanova N(2016)Metadata recovery from obfuscated programs using machine learningProceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering10.1145/3015135.3015136(1-11)Online publication date: 5-Dec-2016
https://dl.acm.org/doi/10.1145/3015135.3015136
Banescu SLucaci CKrämer BPretschner AWyseur BDe Sutter B(2016)VOT4CSProceedings of the 2016 ACM Workshop on Software PROtection10.1145/2995306.2995312(39-49)Online publication date: 28-Oct-2016
https://dl.acm.org/doi/10.1145/2995306.2995312
Banescu SCollberg CGanesh VNewsham ZPretschner ASchwab SRobertson WBalzarotti D(2016)Code obfuscation against symbolic execution attacksProceedings of the 32nd Annual Conference on Computer Security Applications10.1145/2991079.2991114(189-200)Online publication date: 5-Dec-2016
https://dl.acm.org/doi/10.1145/2991079.2991114
Kanzaki YThomborson CMonden ACollberg CMcDonald JPreda MStakhanova N(2015)Pinpointing and Hiding Surprising Fragments in an Obfuscated ProgramProceedings of the 5th Program Protection and Reverse Engineering Workshop10.1145/2843859.2843862(1-9)Online publication date: 8-Dec-2015
https://dl.acm.org/doi/10.1145/2843859.2843862

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten