Assessment of Source Code Obfuscation Techniques

Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation.Comment: Post-print, SCAM 201

Reactive attestation : automatic detection and reaction to software tampering attacks

Anti-tampering is a form of software protection conceived to detect and avoid the execution of tampered programs. tamper detection assesses programs’ integrity with load- or execution-time checks. Avoidance reacts to tampered programs by stopping or rendering them unusable. General purpose reactions (such as halting the execution) stand out like a lighthouse in the code and are quite easy to defeat by an attacker. More sophisticated reactions, which degrade the user experience or the quality of service, are less easy to locate and remove but are too tangled with the program’s business logic, and are thus difficult to automate by a general purpose protection tool. In the present paper, we propose a novel approach to antitampering that (i) fully automatically applies to a target program, (ii) uses Remote Attestation for detection purposes and (iii) adopts a server-side reaction that is difficult to block by an attacker. By means of Client/Server Code Splitting, a crucial part of the program is removed from the client and executed on a remote trusted server in sync with the client. If a client program provides evidences of its integrity, the part moved to the server is executed. Otherwise, a server-side reaction logic may (temporarily or definitely) decide to stop serving it. Therefore, a tampered client application can not continue its execution. We assessed our automatic protection tool on a case study Android application. Experimental results show that all the original and tampered executions are correctly detected, reactions are promptly applied, and execution overhead is on an acceptable level

Remotely assessing integrity of software applications by monitoring invariants: Present limitations and future directions

Invariants monitoring is a software attestation technique that aims at proving the integrity of a running application by checking likely invariants, which are predicates built on variables’ values. Being very promising in literature, we developed a software protection that remotely checks invariants. However, we faced a series of issues and limitations. This paper, after presenting an extensive background on invariants and their use, reports, analyses, and categorizes the identified limitations. Our work suggests that, even if it is still promising, further studies are needed to decree if invariants monitoring could be practically used as a remote protection of software applications