8 research outputs found

    Understanding obfuscated code

    Code obfuscation makes it harder for a security analyst to understand the malicious payload of a program. In most cases an analyst needs to study the program at the machine code level, with little or no extra information available, apart from his experience. An inexperienced analyst is confronted with a steep learning curve, as understanding unobfuscated machine code already requires some skills. We have built LOCO, a graphical, interactive environment to help a security analyst improve his skills in understanding obfuscated code.

    Assessment of Source Code Obfuscation Techniques

    Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided into code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation. Comment: Post-print, SCAM 201

    Looking for Criminal Intents in JavaScript Obfuscated Code

    The majority of websites incorporate JavaScript for client-side execution in a supposedly protected environment. Unfortunately, JavaScript has also proven to be a critical attack vector for both independent and state-sponsored groups of hackers. On the one hand, defenders need to analyze scripts to ensure that no threat is delivered and to respond to potential security incidents. On the other, attackers aim to obfuscate the source code in order to disorient the defenders or even to make code analysis practically impossible. Since code obfuscation may also be adopted by companies for legitimate intellectual-property protection, a dilemma remains on whether a script is harmless or malignant, if not criminal. To help analysts deal with such a dilemma, a methodology is proposed, called JACOB, which is based on five steps, namely: (1) source code parsing, (2) control flow graph recovery, (3) region identification, (4) code structuring, and (5) partial evaluation. These steps implement a sort of decompilation for control flow flattened code, which is progressively transformed into something that is close to the original JavaScript source, thereby making eventual code analysis possible. Most relevantly, JACOB has been successfully applied to uncover unwanted user tracking and fingerprinting in e-commerce websites operated by a well-known Chinese company.

    When Are Opaque Predicates Useful?

    Opaque predicates are a commonly used technique in program obfuscation, intended to add complexity to control flow and to insert dummy code or watermarks. However, there are many attacks known to detect opaque predicates and remove dummy code. We survey these attacks and argue that many types of programs cannot be securely obfuscated using opaque predicates. In particular we explain that most previous works on control flow obfuscation have introduced predicates that are easily distinguished from naturally occurring predicates in code, and hence easily removed by an attacker. We state two conditions that are necessary for a program to be suitable for control flow obfuscation. We give an integrated approach to control flow obfuscation that simultaneously obfuscates real predicates and introduces opaque predicates. The opaque predicates are indistinguishable from the obfuscated real predicates in the program. If an attacker applies the usual approaches (both static and dynamic) to identify and remove opaque predicates then they are likely to remove critical functionality and introduce errors. We have implemented our obfuscator in LLVM. We provide an analysis of the performance of the resulting obfuscated code.

    Development of a security framework for HTML5-based mobile agents

    Mobile agent technology is a paradigm where a program can move autonomously between the different execution environments of a network. The program is the mobile agent, which can move its code and suspend and resume its execution in the new environment. The use of a mobile agent provides numerous benefits over traditional paradigms like client-server. It reduces the network traffic, connection time and bandwidth consumption by moving the agent between the client and server. However, the security issues of the mobile agent make it difficult to obtain these benefits. The HTML5-based mobile agent framework was developed at Tampere University of Technology (TUT). The core of this thesis is to secure the mobile agent framework. The security threats to the mobile agent and agent platform are classified in order to design and implement a secure framework. These threats are the agent attacking the platform, the platform attacking the agent, an agent attacking another agent, and the agent system being attacked by external entities. This thesis focuses on the first two threats and provides a solution to protect the mobile agent framework against them. The solution uses a signing method that involves salting and hashing of the source address to generate a signature. Furthermore, RSA encryption using the static private key of the agent's origin server is used to create the signature. The signature moves along with the agent and is used to verify the agent's source address using a static public key. This verification ensures that a particular agent comes from a legitimate source and is trusted as non-malicious on the current platform. This solution overcomes security issues such as unauthorized access to data, changing the agent and platform code, the misuse of others' identity, eavesdropping and altering important information, the excessive use of resources, etc. Also, the implementation helps to minimize the problems in agent mobility, agent and platform communication, and identification of agents.

    Evaluation Methodologies in Software Protection Research

    Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 572 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks.

    The analysis of the tools for program intelligibility variability conditioned by energy efficiency of execution

    This doctoral dissertation analyzes the influence of one of the software protection techniques, known as obfuscation, on the energy efficiency of code execution. The aim of the dissertation is to study how much these techniques change the power consumption profile, that is, to rank tools for changing program intelligibility based on the energy profile, for the generation of which program support has been developed. The testing was carried out using various commercial tools on relevant test scenarios, and the results are presented with the corresponding analysis.

    A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques

    Context: code obfuscation is intended to obstruct code understanding and, eventually, to delay malicious code changes and ultimately render it uneconomical. Although code understanding cannot be completely impeded, code obfuscation makes it more laborious and troublesome, so as to discourage or retard code tampering. Despite the extensive adoption of obfuscation, its assessment has been addressed indirectly either by using internal metrics or taking the point of view of code analysis, e.g., considering the associated computational complexity. To the best of our knowledge, there is no publicly available user study that measures the cost of understanding obfuscated code from the point of view of a human attacker. Aim: this paper experimentally assesses the impact of code obfuscation on the capability of human subjects to understand and change source code. In particular, it considers code protected with two well-known code obfuscation techniques, i.e., identifier renaming and opaque predicates. Method: We have conducted a family of five controlled experiments, involving undergraduate and graduate students from four Universities. During the experiments, subjects had to perform comprehension or attack tasks on decompiled clients of two Java network-based applications, either obfuscated using one of the two techniques, or not. To assess and compare the obfuscation techniques, we measured the correctness and the efficiency of the performed task. Results: —at least for the tasks we considered—simpler techniques (i.e., identifier renaming) prove to be more effective than more complex ones (i.e., opaque predicates) in impeding subjects to complete attack tasks.