Abstract
To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an experimental evaluation on realistic use cases and state-of-the-art tools, we demonstrate our technique’s potency and resilience to advanced attacks. All relevant code is publicly available online.
Funding
This research was funded by the Agency for Innovation by Science and Technology in Flanders (IWT) (Grant Number 141758). Part of this research was conducted in the EU FP7 project ASPIRE, which has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under Grant Agreement Number 609734. Part of the research was also funded by the Cybersecurity Initiative Flanders from the Flemish Government. Part of this research was also funded by the Fund for Scientific Research - Flanders (FWO) as part of project grant 3G0E2318.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Cite this article
Van den Broeck, J., Coppens, B. & De Sutter, B. Obfuscated integration of software protections. Int. J. Inf. Secur. 20, 73–101 (2021). https://doi.org/10.1007/s10207-020-00494-8
DOI: https://doi.org/10.1007/s10207-020-00494-8