View in EDS

Enhance virtual-machine-based code obfuscation security through dynamic bytecode scheduling.

Saved in:
Bibliographic Details
Title: Enhance virtual-machine-based code obfuscation security through dynamic bytecode scheduling.
Authors: Kuang, Kaiyuan1 kky@stumail.nwu.edu.cn, Tang, Zhanyong1 zytang@nwu.edu.cn, Gong, Xiaoqing1 gxq@nwu.edu.cn, Fang, Dingyi1 dyf@nwu.edu.cn, Chen, Xiaojiang1 xjchen@nwu.edu.cn, Wang, Zheng2 z.wang@lancaster.ac.uk
Source: Computers & Security. May2018, Vol. 74, p202-220. 19p.
Subject Terms: *VIRTUAL machine systems, *SOFTWARE protection, *PROTOTYPES, COMPUTER software security, REVERSE engineering
Abstract: Code virtualization built upon virtual machine (VM) technologies is emerging as a viable method for implementing code obfuscation to protect programs against unauthorized analysis. State-of-the-art VM-based protection approaches use a fixed scheduling structure where the program always follows a single, deterministic execution path for the same input. Such approaches, however, are vulnerable in certain scenarios where the attacker can reuse knowledge extracted from previously seen software to crack applications protected with the same obfuscation scheme. This paper presents D svmp , a novel VM-based code obfuscation approach for software protection. D svmp brings together two techniques to provide stronger code protection than prior VM-based approaches. Firstly, it uses a dynamic instruction scheduler to randomly direct the program to execute different paths without violating the correctness across different runs. By randomly choosing the program execution path, the application exposes diverse behavior, making it much more difficult for an attacker to reuse the knowledge collected from previous runs or similar applications to launch an attack. Secondly, it employs multiple VMs to further obfuscate the mapping from VM opcode to native machine instructions, so that the same opcode could be mapped to different native instructions at runtime, making code analysis even harder. We have implemented D svmp in a prototype system and evaluated it using a set of widely used applications. Experimental results show that D svmp provides stronger protection with comparable runtime overhead and code size, when it is compared to two commercial VM-based code obfuscation tools. [ABSTRACT FROM AUTHOR]
Copyright of Computers & Security is the property of Pergamon Press - An Imprint of Elsevier Science and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Business Source Index
Description
Abstract:Code virtualization built upon virtual machine (VM) technologies is emerging as a viable method for implementing code obfuscation to protect programs against unauthorized analysis. State-of-the-art VM-based protection approaches use a fixed scheduling structure where the program always follows a single, deterministic execution path for the same input. Such approaches, however, are vulnerable in certain scenarios where the attacker can reuse knowledge extracted from previously seen software to crack applications protected with the same obfuscation scheme. This paper presents D svmp , a novel VM-based code obfuscation approach for software protection. D svmp brings together two techniques to provide stronger code protection than prior VM-based approaches. Firstly, it uses a dynamic instruction scheduler to randomly direct the program to execute different paths without violating the correctness across different runs. By randomly choosing the program execution path, the application exposes diverse behavior, making it much more difficult for an attacker to reuse the knowledge collected from previous runs or similar applications to launch an attack. Secondly, it employs multiple VMs to further obfuscate the mapping from VM opcode to native machine instructions, so that the same opcode could be mapped to different native instructions at runtime, making code analysis even harder. We have implemented D svmp in a prototype system and evaluated it using a set of widely used applications. Experimental results show that D svmp provides stronger protection with comparable runtime overhead and code size, when it is compared to two commercial VM-based code obfuscation tools. [ABSTRACT FROM AUTHOR]
ISSN:01674048
DOI:10.1016/j.cose.2018.01.008