Random table and hash coding-based binary code obfuscation against stack trace analysis

Code obfuscation is intended to thwart reverse engineering by making programmes hard to understand. Call chains collected by stack tracing can be used to understand the behaviour of programmes. To hinder reverse analysis based on stack tracing, a binary code obfuscation method based on a random obfuscated table and hash coding is proposed. The random obfuscated table is used to map call addresses while call and ret instructions are executing. Hash coding and a random value can be used to encode and decode the data of stack frames in programmes at run time. Experiment and analysis show that the obfuscation can effectively impede stack trace analysis and increase the cost of reverse analysis for programmes.

Inspec keywords: reverse engineering; cryptography; program diagnostics

Other keywords: call chains; reverse program analysis; ret instructions; hash coding-based binary code obfuscation method; stack trace analysis; call instructions; random table; stack tracing; thwart reverse engineering

Subjects: Diagnostic, testing, debugging and evaluating systems; Cryptography; Data security

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2013.0137