Pinpointing and hiding surprising fragments in an obfuscated program

Yuichiro Kanzaki, Clark Thomborson, Akito Monden, Christian Collberg

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code at the level of small code fragments and identify all surprising fragments, that is, very unusual fragments that may draw an attacker's attention to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only of unsurprising code fragments and is therefore more difficult for attackers to distinguish from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The results show that our method can pinpoint surprising fragments such as dummy code that does not fit the context of the program and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising, and that the resulting code runs correctly.

Original language: English
Title of host publication: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015
Publisher: Association for Computing Machinery
Volume: 08-December-2015
ISBN (Electronic): 9781450336420
DOI: https://doi.org/10.1145/2843859.2843862
Publication status: Published - Dec 8 2015
Event: 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Los Angeles, United States
Duration: Dec 8 2015 → …

Other

Other: 5th Program Protection and Reverse Engineering Workshop, PPREW 2015
Country: United States
City: Los Angeles
Period: 12/8/15 → …

Fingerprint

Camouflage
Semantics

Keywords

  • Code obfuscation
  • Code stealth
  • N-gram
  • Program analysis
  • Software protection

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Kanzaki, Y., Thomborson, C., Monden, A., & Collberg, C. (2015). Pinpointing and hiding surprising fragments in an obfuscated program. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015 (Vol. 08-December-2015). [2843862] Association for Computing Machinery. https://doi.org/10.1145/2843859.2843862
