Code Obfuscation Techniques for Software Protection (Code obfuscatietechnieken voor softwarebeveiliging)

Publication date: 2012-04-20

Author:

Cappaert, Jan

Keywords:

Software protection, Code obfuscation, Tamper Resistant Software, Cryptography, Software security

Abstract:

This thesis examines code obfuscation techniques to protect software against analysis and unwanted modifications. Program obfuscation makes code harder to analyze. Indirectly, this also contributes to protecting against malicious modifications to a program, since an attacker first must understand the software before he can make specific modifications. In addition to techniques that improve a program's analysis resistance, one can add techniques that make tampering hard.

First, we present a comprehensive overview of software protection techniques. These are compared in terms of protection against analysis and protection against modifications. In both cases a distinction is made between protection against static attacks and protection against dynamic attacks.

The main part of this thesis describes two research contributions. The first contribution describes a technique which makes it difficult to statically derive the control flow of a program (i.e., to construct its control flow graph). This technique is based on one-way functions to make backward analysis hard, and on bijective functions that do not leak any control flow information that could assist an attacker. We continue by presenting three application models and several attacks to evaluate the strength of our technique.

The second contribution presents a technique to thwart dynamic attacks. These attacks include: (1) dynamic analysis of the code, for example by dumping memory, and (2) dynamic tampering. Against the first threat, we protect by introducing an on-demand encryption scheme which decrypts code just before its execution and re-encrypts it afterwards. Accordingly, exposure in memory is limited. Dynamic modifications are precluded by implicitly verifying code fragments and making other code fragments dependent on the outcome of this verification. We use cryptographic hash functions to hash code fragments; the resulting hash values are used as the decryption/encryption keys for other code fragments. This technique has been implemented using Diablo, a link-time binary rewriter developed at Ghent University. To illustrate the cost of our technique, we protect several programs from the SPEC CPU2006 benchmark and measure the runtime overhead. Finally, we define a heuristic which identifies frequently executed code, allowing us to trade off between our more secure on-demand encryption scheme and the more efficient bulk encryption.

There is an urgent need for flexible and cheap software protection techniques; moreover, deploying these techniques in untrusted environments is extremely challenging. We present some proposals for further research that help to address these challenges.
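The hash-keyed on-demand encryption scheme outlined in the abstract, as an added toy illustration that is not the thesis's own code or Diablo's: the byte-string "fragments", the call graph in which each caller guards its callee, and the SHA-256 counter-mode stream cipher standing in for a real cipher are all constructed assumptions.

```python
import hashlib

# Constructed toy "code fragments", standing in for basic blocks of a binary.
FRAGMENTS = {
    "main": b"call check_license; ret",
    "check_license": b"cmp eax, 0; jne fail; call compute; ret",
    "compute": b"mov eax, 42; ret",
}
# Constructed call graph; the caller of a fragment acts as its guard.
CALLS = {"main": ["check_license"], "check_license": ["compute"]}
GUARDS = {callee: caller for caller, callees in CALLS.items() for callee in callees}

def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode (stand-in for a real cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_image(fragments: dict) -> dict:
    """Link-time step: encrypt each guarded fragment under the hash of its guard's cleartext."""
    image = dict(fragments)
    for name, guard in GUARDS.items():
        image[name] = xor_crypt(hashlib.sha256(fragments[guard]).digest(), fragments[name])
    return image

def execute(image: dict, name: str, trace: list) -> list:
    """On-demand scheme: decrypt, 'run', re-encrypt. The key is the hash of the
    caller as it sits in memory right now, so a patched caller yields a wrong key."""
    guard = GUARDS.get(name)
    if guard is not None:
        key = hashlib.sha256(image[guard]).digest()
        image[name] = xor_crypt(key, image[name])   # decrypt just before execution
    trace.append((name, image[name]))               # the bytes the CPU would execute
    for callee in CALLS.get(name, []):
        execute(image, callee, trace)
    if guard is not None:
        image[name] = xor_crypt(key, image[name])   # re-encrypt before returning
    return trace

def run_program(image: dict) -> list:
    """Run from the cleartext entry fragment on a copy of the image; return the trace."""
    return execute(dict(image), "main", [])

def tamper(image: dict, name: str, old: bytes, new: bytes) -> dict:
    """Static patch of a fragment, constructed to show the implicit verification."""
    patched = dict(image)
    patched[name] = patched[name].replace(old, new)
    return patched
```

Because no explicit integrity check exists, a patch to a guard does not trigger a detection routine an attacker could find and disable; the dependent fragment simply decrypts to garbage.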