survey

Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?

Published: 05 April 2016

Abstract

Software obfuscation has always been a controversial research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools.

The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.

  136. Nikos Mavrogiannopoulos, Nessim Kisserli, and Bart Preneel. 2011. A taxonomy of self-modifying code for obfuscation. Comput. Security 30, 8 (2011), 679--691.Google ScholarGoogle ScholarDigital LibraryDigital Library
  137. Wil Michiels, Paul Gorissen, and Henk D. L. Hollmann. 2009. Cryptanalysis of a generic class of white-box implementations. In Selected Areas in Cryptography. Vol. 5381. Springer, Berlin, 414--428.Google ScholarGoogle Scholar
  138. Craig Miles, Arun Lakhotia, and Andrew Walenstein. 2012. In situ reuse of logically extracted functional components. J. Comput. Virol. 8, 3 (2012), 73--84.Google ScholarGoogle ScholarDigital LibraryDigital Library
  139. Akito Monden, Antoine Monsifrot, and Clark Thomborson. 2004. A framework for obfuscated interpretation. In Proceedings of the 2nd Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalisation-Volume 32. Australian Computer Society, 7--16.Google ScholarGoogle ScholarDigital LibraryDigital Library
  140. Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007a. Exploring multiple execution paths for malware analysis. In Proceedings of the 28th IEEE Symposium on Security and Privacy. IEEE, 231--245.Google ScholarGoogle ScholarDigital LibraryDigital Library
  141. A. Moser, C. Kruegel, and E. Kirda. 2007b. Limits of static analysis for malware detection. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07). IEEE, 421--430.Google ScholarGoogle Scholar
  142. M. Myska. 2009. The true story of DRM. Masaryk Ujl & Tech. 3 (2009), 267--278.Google ScholarGoogle Scholar
  143. C. Nachenberg. 1997. Computer virus-coevolution. Commun. ACM 50, 1 (1997), 46--51.Google ScholarGoogle ScholarDigital LibraryDigital Library
  144. Vijayanand Nagarajan, Rajiv Gupta, Xiangyu Zhang, Matias Madou, and Bjorn De Sutter. 2007. Matching control flow of program versions. In Proceedings of the IEEE International Conference on Software Maintenance (ICSM’07). IEEE, 84--93.Google ScholarGoogle ScholarCross RefCross Ref
  145. J. Newsome, B. Karp, and D. Song. 2005. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the 26th IEEE Symposium on Security and Privacy. IEEE, 226--241.Google ScholarGoogle Scholar
  146. Flemming Nielson, Hanne R. Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer, Berlin.Google ScholarGoogle Scholar
  147. Jim Q Ning, Andre Engberts, and Wojtek Kozaczynski. 1993. Recovering reusable components from legacy systems by program segmentation. In Proceedings of the Working Conference on Reverse Engineering. IEEE, 64--72.Google ScholarGoogle ScholarCross RefCross Ref
  148. Jens Palsberg, Sowmya Krishnaswamy, Minseok Kwon, Di Ma, Qiuyun Shao, and Yi Zhang. 2000. Experience with software watermarking. In Proceedings of the 16th Annual Conference on Computer Security Applications (ACSAC’00). IEEE, 308--316.Google ScholarGoogle ScholarCross RefCross Ref
  149. Ugo Piazzalunga, Paolo Salvaneschi, Francesco Balducci, Pablo Jacomuzzi, and Cristiano Moroncelli. 2007. Security strength measurement for dongle-protected software. IEEE Security Privacy 5, 6 (2007), 32--40.Google ScholarGoogle ScholarDigital LibraryDigital Library
  150. Igor V. Popov, Saumya K. Debray, and Gregory R. Andrews. 2007. Binary obfuscation using signals. In Proceedings of the Usenix Security Symposium. 275--290.Google ScholarGoogle Scholar
  151. Daniel A. Quist and Lorie M. Liebrock. 2009. Visualizing compiled executables for malware analysis. In Proceedings of the 6th International Workshop on Visualization for Cyber Security, 2009 (VizSec’09). IEEE, 27--32.Google ScholarGoogle Scholar
  152. Jason Raber and Eric Laspe. 2007. Deobfuscator: An automated approach to the identification and removal of code obfuscation. In Proceedings of the 14th Working Conference on Reverse Engineering (WCRE’07). IEEE, 275--276.Google ScholarGoogle ScholarDigital LibraryDigital Library
  153. G. Ramalingam. 1994. The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16, 5 (1994), 1467--1471.Google ScholarGoogle ScholarDigital LibraryDigital Library
  154. J. Riordan and B. Schneier. 1998. Environmental key generation towards clueless agents. Mobile Agents and Security (1998), 15--24.Google ScholarGoogle Scholar
  155. R. Rolles. 2009. Unpacking virtualization obfuscators. In Proceedings of the 3rd Usenix Workshop on Offensive Technologies (Woot’09).Google ScholarGoogle ScholarDigital LibraryDigital Library
  156. Kevin A. Roundy and Barton P. Miller. 2013. Binary-code obfuscations in prevalent packer tools. ACM Comput. Surv. 46, 1 (2013).Google ScholarGoogle Scholar
  157. P. Royal, M. Halpin, D. Dagon, R. Edmonds, and W. Lee. 2006. Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC’06). IEEE, 289--300.Google ScholarGoogle Scholar
  158. S. Rugaber, K. Stirewalt, and L. M. Wills. 1995. The interleaving problem in program understanding. In Proceedings of the 2nd Working Conference on Reverse Engineering. IEEE, 166--175.Google ScholarGoogle Scholar
  159. Yusuke Sakabe, Masakazu Soshi, and Atsuko Miyaji. 2005. Java obfuscation approaches to construct tamper-resistant object-oriented programs. IPSJ Digital Courier 1 (2005), 349--361.Google ScholarGoogle ScholarCross RefCross Ref
  160. Amitabh Saxena, Brecht Wyseur, and Bart Preneel. 2009. Towards security notions for white-box cryptography. In Information Security. Springer, Berlin, 49--58.Google ScholarGoogle Scholar
  161. S. Schrittwieser and S. Katzenbeisser. 2011. Code obfuscation against static and dynamic reverse engineering. In Proceedings of the 13th International Conference on Information Hiding (IH’11). Springer, Berlin, 270--284.Google ScholarGoogle Scholar
  162. Sebastian Schrittwieser, Stefan Katzenbeisser, Peter Kieseberg, Markus Huber, Manuel Leithner, Martin Mulazzani, and Edgar Weippl. 2013. Covert computation: Hiding code in code for obfuscation purposes. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. ACM, 529--534.Google ScholarGoogle ScholarDigital LibraryDigital Library
  163. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the 31st IEEE Symposium on Security and Privacy, S&P 2010. 317--331.Google ScholarGoogle ScholarDigital LibraryDigital Library
  164. Edward J. Schwartz, J. Lee, Maverick Woo, and David Brumley. 2013. Native x86 decompilation using semantics-preserving structural analysis and iterative control-flow structuring. In Proceedings of the Usenix Security Symposium.Google ScholarGoogle Scholar
  165. Benjamin Schwarz, Saumya Debray, and Gregory Andrews. 2002. Disassembly of executable code revisited. In Proceedings of the 9th Working Conference on Reverse Engineering. IEEE, 45--54.Google ScholarGoogle ScholarCross RefCross Ref
  166. Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A concolic unit testing engine for C. In Proceedings of the 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 263--272.Google ScholarGoogle ScholarCross RefCross Ref
  167. Hovav Shacham. 2007. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, New York NY, 552--561.Google ScholarGoogle ScholarDigital LibraryDigital Library
  168. Adi Shamir and Nicko Van Someren. 1999. Playing’hide and seek’ with stored keys. In Financial Cryptography. Vol. 1648. Springer, Berlin, 118--124.Google ScholarGoogle Scholar
  169. M. Sharif, A. Lanzi, J. Giffin, and W. Lee. 2009. Automatic reverse engineering of malware emulators. In Proceedings of the 30th IEEE Symposium on Security and Privacy. IEEE, 94--109.Google ScholarGoogle Scholar
  170. M. Sharif, V. Yegneswaran, H. Saidi, P. Porras, and W. Lee. 2008. Eureka: A framework for enabling static malware analysis. Computer Security-Esorics 2008 (2008), 481--500.Google ScholarGoogle Scholar
  171. Monirul I. Sharif, Andrea Lanzi, Jonathon T. Giffin, and Wenke Lee. 2008. Impeding malware analysis using conditional code obfuscation. In Proceedings of the Network and Distributed System Security Symposium (NDSS’08).Google ScholarGoogle Scholar
  172. A. Slowinska, T. Stancescu, and H. Bos. 2011. Howard: A dynamic excavator for reverse engineering data structures. In Proceedings of the Network and Distributed System Security Symposium (NDSS’11).Google ScholarGoogle Scholar
  173. Harry M. Sneed. 2000. Encapsulation of legacy software: A technique for reusing legacy software components. Ann. Software Eng. 9, 1--2 (2000), 293--313.Google ScholarGoogle ScholarDigital LibraryDigital Library
  174. Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. 2008. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security. Keynote Invited Paper.Google ScholarGoogle ScholarDigital LibraryDigital Library
  175. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. 2010. On the infeasibility of modeling polymorphic shellcode. Mach. Learn. 81, 2 (2010), 179--205.Google ScholarGoogle ScholarDigital LibraryDigital Library
  176. Mikhail Sosonkin, Gleb Naumovich, and Nasir Memon. 2003. Obfuscation of design intent in object-oriented applications. In Proceedings of the 3rd ACM Workshop on Digital Rights Management. ACM, New York, NY, 142--153.Google ScholarGoogle ScholarDigital LibraryDigital Library
  177. Joe Stewart. 2006. Ollybone: Semi-automatic unpacking on IA-32. In Proceedings of the 14th Def Con Hacking Conference.Google ScholarGoogle Scholar
  178. Y. Tang and S. Chen. 2007. An automated signature-based approach against polymorphic internet worms. IEEE Trans. Parallel Distrib. Syst. 18, 7 (2007).Google ScholarGoogle ScholarDigital LibraryDigital Library
  179. A. Thakur, J. Lim, A. Lal, A. Burton, E. Driscoll, M. Elder, T. Andersen, and T. Reps. 2010. Directed proof generation for machine code. In Proceedings of the 22th International Conference on Computer Aided Verification (CAV’10). Springer, Berlin, 288--305.Google ScholarGoogle Scholar
  180. S. R. Tilley, S. Paul, and D. B. Smith. 1996. Towards a framework for program understanding. In Proceedings of the 4th Workshop on Program Comprehension. IEEE, 19--28.Google ScholarGoogle Scholar
  181. S. Treadwell and M. Zhou. 2009. A heuristic approach for detection of obfuscated malware. In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (ISI’09). IEEE, 291--299.Google ScholarGoogle Scholar
  182. H. Y. Tsai, Y. L. Huang, and D. Wagner. 2009. A graph approach to quantitative analysis of control-flow obfuscating transformations. IEEE Trans. Inform. Forens. Security 4, 2 (2009), 257--267.Google ScholarGoogle ScholarDigital LibraryDigital Library
  183. S. K. Udupa, S. K. Debray, and M. Madou. 2005. Deobfuscation: Reverse engineering obfuscated code. In Proceedings of the 12th Working Conference on Reverse Engineering. IEEE.Google ScholarGoogle Scholar
  184. Zeljko Vrba, Pål Halvorsen, and Carsten Griwodz. 2010. Program obfuscation by strong cryptography. In Proceedings of the International Conference on Availability, Reliability, and Security (ARES’10). IEEE, 242--247.Google ScholarGoogle ScholarCross RefCross Ref
  185. A. Walenstein, R. Mathur, M. R. Chouchane, and A. Lakhotia. 2006. Normalizing metamorphic malware using term rewriting. In Proceedings of the 6th IEEE International Workshop on Source Code Analysis and Manipulation (SCAM’06). IEEE, 75--84.Google ScholarGoogle Scholar
  186. C. Wang, J. Davidson, J. Hill, and J. Knight. 2001. Protection of software-based survivability mechanisms. In Proceedings of the 2001 International Conference on Dependable Systems and Networks (Formerly: FTCS). IEEE, 193--202.Google ScholarGoogle Scholar
  187. C. Wang, J. Hill, J. Knight, and J. Davidson. 2000. Software Tamper Resistance: Obstructing Static Analysis of Programs. Technical Report. CS-2000-12, University of Virginia.Google ScholarGoogle Scholar
  188. M. Webster and G. Malcolm. 2009. Detection of metamorphic and virtualization-based malware using algebraic specification. J. Comput. Virol. 5, 3 (2009), 221--245.Google ScholarGoogle ScholarCross RefCross Ref
  189. H. Wee. 2005. On obfuscating point functions. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing. ACM, New York, NY, 523--532.Google ScholarGoogle ScholarDigital LibraryDigital Library
  190. N. Wilde and M. C. Scully. 2006. Software reconnaissance: Mapping program features to code. J. Software Maint.: Res. Pract. 7, 1 (2006), 49--62.Google ScholarGoogle ScholarDigital LibraryDigital Library
  191. Carsten Willems and Felix C. Freiling. 2012. Reverse code engineering-state of the art and countermeasures. Inform. Technol. 54, 2 (2012), 53--63.Google ScholarGoogle ScholarCross RefCross Ref
  192. M. J. Wolfe, C. Shanklin, and L. Ortega. 1995. High Performance Compilers for Parallel Computing. Addison-Wesley Longman, Reading, MA.Google ScholarGoogle Scholar
  193. Z. Wu, S. Gianvecchio, M. Xie, and H. Wang. 2010. Mimimorphism: A new approach to binary code obfuscation. In Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, New York, NY, 536--546.Google ScholarGoogle Scholar
  194. Brecht Wyseur. 2009. White-Box Cryptography. Ph.D. Dissertation. KU Leuven.Google ScholarGoogle Scholar
  195. B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel. 2007. Cryptanalysis of white-box DES implementations with arbitrary external encodings. In Proceedings of the 14th International Conference on Selected Areas in Cryptography. Springer, Berlin, 264--277.Google ScholarGoogle Scholar
  196. Brecht Wyseur and Bart Preneel. 2005. Condensed white-box implementations. In Proceedings of the 26th Symposium on Information Theory in the Benelux. 296--301.Google ScholarGoogle Scholar
  197. Khaled Yakdan, Sebastian Eschweiler, Elmar Gerhards-Padilla, and Matthew Smith. 2015. No more gotos: Decompilation using pattern-independent control-flow structuring and semantics-preserving transformations. In Proceedings of the 22nd Network and Distributed Systems Security Symposium (NDSS).Google ScholarGoogle ScholarCross RefCross Ref
  198. Heng Yin and Dawn Song. 2010. TEMU: Binary Code Analysis Via Whole-System Layered Annotative Execution. Technical Report UCB/EECS-2010-3. EECS Department, University of California, Berkeley.Google ScholarGoogle Scholar
  199. Junyuan Zeng, Yangchun Fu, Kenneth A. Miller, Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. 2013. Obfuscation resilient binary code reuse through trace-oriented programming. In Proceedings of the 20th ACM Conference on Computer and Communications Security. ACM, New York, NY.Google ScholarGoogle ScholarDigital LibraryDigital Library
  200. Xiangyu Zhang and Rajiv Gupta. 2005. Matching execution histories of program versions. In ACM SIGSOFT Software Engineering Notes, Vol. 30. ACM, New York, NY 197--206.Google ScholarGoogle ScholarDigital LibraryDigital Library
  201. Z. Zhao, G. J. Ahn, and H. Hu. 2011. Automatic extraction of secrets from malware. In Proceedings of the 18th Working Conference on Reverse Engineering (WCRE’11). IEEE, 159--168.Google ScholarGoogle Scholar
  202. Yongxin Zhou, Alec Main, Yuan X. Gu, and Harold Johnson. 2007. Information hiding in software with mixed boolean-arithmetic transforms. In Information Security Applications. Springer, Berlin, 61--75.Google ScholarGoogle Scholar
  203. X. Zhuang, T. Zhang, H. H. S. Lee, and S. Pande. 2004. Hardware assisted control flow obfuscation for embedded processors. In Proceedings of the 2004 International Conference on Compilers, Architecture, and Synthesis for Embedded Systems. 292--302.Google ScholarGoogle Scholar

      Reviews

      Bayard Kohlhepp

      Software obfuscation is an attempt to hide the real intent of a piece of software. The first obfuscated malware appeared in 1986, and sophistication has steadily increased since then. Commercial vendors obfuscate their software to block reverse engineering and thereby protect intellectual property. Good guys and bad guys sit on both sides of this aisle, implementing and analyzing obfuscation techniques. Despite decades of practice, though, the effectiveness of obfuscation is still a controversial subject. It's the intent of this paper to quantify the state of obfuscation and analysis, to measure the arms race and replace opinions with numbers.

      The paper is formatted as a survey. It opens with a concise history of code obfuscation followed by a review of prominent research papers. The authors then make their own contribution to the field by categorizing techniques of obfuscation and analysis and building a matrix of obfuscation technique versus analysis technique in order to rank the relative resistance/effectiveness of each method. Where possible, the ranking is based on results reported in the literature; where no results are available, the authors argue their case for a particular ranking. Their results show that obfuscation can slow down or even block analysis in some cases.

      As professed by the authors, this is just a beginning, not the last word. The rank is currently only on a scale of 1 to 3; rankings from literature are spotty; and the authors' rankings are fairly subjective. Most obfuscation analysis has been performed in isolation and with limited resources. Perhaps now that the authors have framed the competition and have built the "March Madness" rankings, additional investigators can examine each match-up in detail and contribute more precise evaluations and weightings for each category.

      Even though this paper is not the final word (in fact, the authors fell somewhat short of a definitive answer on the effectiveness of software obfuscation), the material and organization are both valuable for anyone practicing or considering obfuscation. The field has been improved by the authors' contribution.

      Online Computing Reviews Service


      • Published in

        ACM Computing Surveys  Volume 49, Issue 1
        March 2017
        705 pages
        ISSN:0360-0300
        EISSN:1557-7341
        DOI:10.1145/2911992
        • Editor: Sartaj Sahni

        Copyright © 2016 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 5 April 2016
        • Accepted: 1 January 2016
        • Revised: 1 June 2015
        • Received: 1 November 2013
        Published in csur Volume 49, Issue 1


        Qualifiers

        • survey
        • Research
        • Refereed
