DOI: 10.1145/3485832.3485926
research-article

Dynamic Taint Analysis versus Obfuscated Self-Checking

Published: 06 December 2021

Abstract

Software protection in practice addresses the yearly loss of tens of billions of USD for software manufacturers, a result of malicious end-users tampering with the software ("software cracking"). Software protection is prevalent in the gaming and license checking industries, and is also relevant in the embedded and other industries. State-of-the-art research in the area of software tamper protection against man-at-the-end (MATE) attackers focuses on the localization of integrity checks. The goal of this paper is a general assessment of the resilience of software self-checks, themselves protected by obfuscation, against (1) (automated) detection and (2) (automated) bypass, without deobfuscating the code. Using dynamic taint analysis on a benchmark set of programs, we study how easy it is to detect and bypass combinations of self-checking and various obfuscation transformations. We aim at generalizing these findings across different programs rather than focusing on one particular program instance. To this end, we perform a set of controlled experiments using a data set of real-world programs, the MiBench suite and open-source games, and show that all of these can be broken by dynamic taint analysis attacks. To counter such attacks, we propose and implement improvements to an existing obfuscation implementation. We evaluate the implemented improvement and discuss the security-performance trade-offs.

Cited By

  • (2022) Encapsulating Secrets Using Lockable Obfuscation and a RMERS-Based Public Key Encryption. Sustainability 14:18 (11412). https://doi.org/10.3390/su141811412. Online publication date: 12-Sep-2022

Published In

ACSAC '21: Proceedings of the 37th Annual Computer Security Applications Conference
December 2021
1077 pages
ISBN: 9781450385794
DOI: 10.1145/3485832

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '21

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
