ABSTRACT
A great deal of software is distributed in the form of executable code. The ability to reverse engineer such executables can create opportunities for theft of intellectual property via software piracy, as well as security breaches by allowing attackers to discover vulnerabilities in an application. The process of reverse engineering an executable program typically begins with disassembly, which translates machine code to assembly code. This is then followed by various decompilation steps that aim to recover higher-level abstractions from the assembly code. Most of the work to date on code obfuscation has focused on disrupting or confusing the decompilation phase. This paper, by contrast, focuses on the initial disassembly phase. Our goal is to disrupt the static disassembly process so as to make programs harder to disassemble correctly. We describe two widely used static disassembly algorithms, and discuss techniques to thwart each of them. Experimental results indicate that significant portions of executables that have been obfuscated using our techniques are disassembled incorrectly, thereby showing the efficacy of our methods.
Index Terms
- Obfuscation of executable code to improve resistance to static disassembly