ABSTRACT
The goal of obfuscation is to transform a program, without affecting its functionality, such that some secret information within the program can be hidden for as long as possible from an adversary armed with reverse engineering tools. Slicing is a form of reverse engineering which aims to abstract away a subset of program code based on a particular program point and is considered to be a potent program comprehension technique. Thus, slicing could be used as a way of attacking obfuscated programs. It is challenging to manufacture obfuscating transforms that are provably resilient to slicing attacks. We show in this paper how we can utilise the information gained from slicing a program to aid us in designing obfuscations that are more resistant to slicing. We extend a previously proposed technique and provide proofs of correctness for our transforms. Finally, we illustrate our approach with a number of obfuscating transforms and provide empirical results using software engineering metrics.
Index Terms
- Slicing obfuscations: design, correctness, and evaluation