Semantics-based code obfuscation by abstract interpretation

@article{Preda2009SemanticsbasedCO,
  title={Semantics-based code obfuscation by abstract interpretation},
  author={Mila Dalla Preda and Roberto Giacobazzi},
  journal={J. Comput. Secur.},
  year={2009},
  volume={17},
  pages={855-908}
}
In recent years code obfuscation has attracted research interest as a promising technique for protecting secret properties of programs. The basic idea of code obfuscation is to transform programs in order to hide their sensitive information while preserving their functionality. One of the major drawbacks of code obfuscation is the lack of a rigorous theoretical framework, which makes it difficult to formally analyze and certify the effectiveness of obfuscating techniques. We face this problem by…

Maximal incompleteness as obfuscation potency
TLDR
This paper proposes a formal model for specifying and understanding the strength of obfuscating transformations with respect to a given attack model and introduces a framework for transforming abstract domains, i.e., analyses, towards incompleteness.
Making Abstract Interpretation Incomplete: Modeling the Potency of Obfuscation
TLDR
It is shown that, for both forms of completeness, backward and forward, the authors can uniquely simplify domains towards incompleteness, while in general it is not possible to uniquely refine domains.
Characterizing a property-driven obfuscation strategy
TLDR
This work studies the existence and the characterization of function transformers that minimally or maximally modify a program in order to reveal or conceal a certain property, and provides a characterization of the maximal obfuscating strategy for transformations concealing a given property while revealing the desired observational behavior.
Obfuscation by partial evaluation of distorted interpreters
TLDR
This work presents a novel approach to automatically generating obfuscated code P2 from any program P whose source code is given, and is applied to: code flattening, data-type obfuscation, and opaque predicate insertion.
Quantitative measures for code obfuscation security
TLDR
The notion of unintelligibility, an intuitive way to define code obfuscation, is introduced, and it is argued that it is not sufficient to capture the security of code obfuscation, and a more powerful security definition is presented that is able to effectively capture code obfuscation security.
Code Obfuscation Against Abstract Model Checking Attacks
TLDR
A measure of the quality of the obfuscation obtained by model deformation is given together with a corresponding best obfuscation strategy for abstract model checking based on partition refinement.
Code obfuscation against abstraction refinement attacks
TLDR
The concept of model deformation inducing an effective code obfuscation against attacks performed by abstract model checking is introduced, to make the removal of spurious counterexamples by abstraction refinement maximally inefficient.
The current state of art in program obfuscations: definitions of obfuscation security
TLDR
A survey of various definitions of obfuscation security and basic results that establish possibility or impossibility of secure program obfuscation under certain cryptographic assumptions are given.
Flexible Software Protection

References

SHOWING 1-10 OF 65 REFERENCES
Control code obfuscation by abstract interpretation
  • M. Preda, R. Giacobazzi
  • Computer Science
    Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05)
  • 2005
TLDR
It is proved that abstract interpretation provides the adequate setting to measure the potency of an obfuscation algorithm by comparing the degree of abstraction of the most abstract domains which are able to disclose opaque predicates.
Semantic-Based Code Obfuscation by Abstract Interpretation
TLDR
A general theory based on abstract interpretation is derived, where the potency of code obfuscation can be measured by comparing hidden properties in the lattice of abstract interpretations.
A Taxonomy of Obfuscating Transformations
TLDR
It is argued that automatic code obfuscation is currently the most viable method for preventing reverse engineering and the design of a code obfuscator is described, a tool which converts a program into an equivalent one that is more difficult to understand and reverse engineer.
On the (im)possibility of obfuscating programs : (Extended abstract)
Informally, an obfuscator O is an (efficient, probabilistic) compiler that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is
Manufacturing cheap, resilient, and stealthy opaque constructs
TLDR
The design of a Java code obfuscator is described, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.
Opaque Predicates Detection by Abstract Interpretation
Code obfuscation and software watermarking are well known techniques designed to prevent the illegal reuse of software. Code obfuscation prevents malicious reverse engineering, while software
Deobfuscation: reverse engineering obfuscated code
TLDR
This paper examines techniques for automatic deobfuscation of obfuscated programs, as a step towards reverse engineering such programs, and indicates that much of the effects of code obfuscation can be defeated using simple combinations of straightforward static and dynamic analyses.
Manufacturing opaque predicates in distributed systems for code obfuscation
TLDR
A novel method of combining the open problems of distributed global state detection with a well-known hard combinatorial problem to manufacture opaque predicates is proposed, capable of withstanding most known forms of automated static analysis attacks and a restricted class of dynamic analysis attack that could be mounted by adversaries.
Deobfuscation: Improving reverse engineering of obfuscated code
TLDR
In the context of software engineering, it is shown how dynamic analyses can be used to enhance reverse engineering, even for code that has been designed to be difficult to reverse engineer.
Breaking abstractions and unstructuring data structures
TLDR
This paper shows how to obfuscate classes, arrays, procedural abstractions and built-in data types like strings, integers and booleans in a control flow obfuscator for Java.