27 research outputs found

    Assessment of Source Code Obfuscation Techniques

    Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation. Comment: Post-print, SCAM 201

    Automatic generation of opaque constants based on the k-clique problem for resilient data obfuscation

    Data obfuscations are program transformations used to complicate program understanding and conceal actual values of program variables. The possibility to hide constant values is a basic building block of several obfuscation techniques. For example, in XOR Masking a constant mask is used to encode data, but this mask must be hidden too, in order to keep the obfuscation resilient to attacks. In this paper, we present a novel technique based on the k-clique problem, which is known to be NP-complete, to generate opaque constants, i.e. values that are difficult to guess by static analysis. In our experimental assessment we show that our opaque constants are computationally cheap to generate, both at obfuscation time and at runtime. Moreover, due to the NP-completeness of the k-clique problem, our opaque constants can be proven to be hard to attack with state-of-the-art static analysis tools

    The DiAGRA User Guide

    DiAGRA (Distributed AGgRegator of Annotation) is essentially a component that can be plugged in existing web-servers which provide information on real world items that belong to a fixed domain. Such web-sites generally offer two kinds of services: an item catalog and an item annotation list. The item catalog provides information about items, while the annotation list is a collection of the annotations posted by the users on various items. DiAGRA helps such cooperating web-sites to exchange annotations on items among themselves. This plug-in promotes heterogeneity and specifies the minimal set of requirements needed for interoperability among different servers. Hence it requires very few changes to be done on the web server part. This document describes the overall architecture of the system which deploys DiAGRA. It then describes the development, deployment and administration details for successful implementation of such a plug-in. Though the DiAGRA component can be used by web servers of any domain, examples provided in this document refer to the specific domain of ski-mountaineering, where items correspond to ski-route and annotations are posted on ski-trip

    Measuring the Impact of Different Categories of Software Evolution

    Software evolution involves different categories of interventions, having variable impact on the code. Knowledge about the expected impact of an intervention is fundamental for project planning and resource allocation. Moreover, deviations from the expected impact may hint at areas of the system having a poor design. In this paper, we investigate the relationship between evolution categories and impacted code by means of a set of metrics computed over time for a subject system

    FSMC+, a tool for the generation of Java code from statecharts

    ProVotE is a two-phase project aiming at actuating art. 84 of law 2 - 5/3/2003 of the Autonomous Province of Trento (Italy), which promotes the introduction of e-voting systems for the next provincial elections in Trentino, which will be held in November 2008. During the first phase of the ProVotE project we built jprovote, a Java/Linux e-voting system. The jprovote system has been used with experimental value by more than 11000 voters during local elections held in various municipalities of Trentino (Italy). A critical component of jprovote is its core logic, that is responsible of controlling the overall behavior of the e-voting machine during an election. In order to simplify its development and to allow for formal verification of this critical component we developed FSMC+. FSMC+ is a compiler that takes as input a subset of UML statecharts and produces the corresponding Java and NuSMV code (NuSMV is a model checker developed at ITC-irst). Support for parameters in events, complex expressions in guards, and support to nested states are some of the distinguishing features of FSMC+. In this paper we present FSMC+ and we show how we used it for the development and the verification of the ProVotE e-voting machine. Even though FSMC+ has been specifically created to ease the development of jprovote, we believe the approach and the tool we developed to be general enough to be used in other applications

    Assessment of Data Obfuscation with Residue Number Coding

    Software obfuscation was proposed as a technique to mitigate the problem of malicious code tampering, by making code more difficult to understand and consequently more difficult to alter. In particular, "residue number coding" encodes program variables to hide their actual values, while supporting operations in the encoded domain. Some computations on encoded variables can proceed without the need to decode them back in the clear. Despite the obvious benefits of this approach, to the best of our knowledge, no implementation is available. In this paper, we describe our implementation of data obfuscation based on residue number coding. Moreover, we present an assessment of this obfuscation scheme in terms of performance overhead, when more and more program variables are subject to obfuscation

    Accounting and billing of wireless internet services in 3G networks

    Abstract: The development of the wireless internet market and its structure is driven by differing industry fundamentals, and the revenue derived from content and content-related services is expected to increase significantly for all players within the wireless industry. Providing flexible and scalable accounting and billing systems will be essential for success when offering wireless services to end customers. The third-generation wireless service providers have difficulties in billing their customers due to their inability to associate customer transactions with network usage, correlate data from multiple sources and flexibly support the emerging billing models. In this paper, an accounting and billing model for two wireless services is presented. The evaluation of the service proved that the number of roles and partners in the wireless services is huge and that an architectural framework including components like accounting agents and billing mediation servers is needed for tracking customer transactions and directing the accounting and billing between the partners