Pinpointing and hiding surprising fragments in an obfuscated program

Yuichiro Kanzaki; Clark Thomborson; Akito Monden; Christian Collberg

doi:10.1145/2843859.2843862

Pinpointing and hiding surprising fragments in an obfuscated program

Yuichiro Kanzaki, Clark Thomborson, Akito Monden, Christian Collberg

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.

Original language	English (US)
Title of host publication	Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450336420
DOIs	https://doi.org/10.1145/2843859.2843862
State	Published - Dec 8 2015
Event	5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Los Angeles, United States Duration: Dec 8 2015 → …

Publication series

Name	ACM International Conference Proceeding Series
Volume	08-December-2015

Other

Other	5th Program Protection and Reverse Engineering Workshop, PPREW 2015
Country/Territory	United States
City	Los Angeles
Period	12/8/15 → …

Keywords

Code obfuscation
Code stealth
N-gram
Program analysis
Software protection

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/2843859.2843862

Cite this

Kanzaki, Y., Thomborson, C., Monden, A., & Collberg, C. (2015). Pinpointing and hiding surprising fragments in an obfuscated program. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015 Article 2843862 (ACM International Conference Proceeding Series; Vol. 08-December-2015). Association for Computing Machinery. https://doi.org/10.1145/2843859.2843862

Pinpointing and hiding surprising fragments in an obfuscated program. / Kanzaki, Yuichiro; Thomborson, Clark; Monden, Akito et al.
Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015. Association for Computing Machinery, 2015. 2843862 (ACM International Conference Proceeding Series; Vol. 08-December-2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kanzaki, Y, Thomborson, C, Monden, A & Collberg, C 2015, Pinpointing and hiding surprising fragments in an obfuscated program. in Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015., 2843862, ACM International Conference Proceeding Series, vol. 08-December-2015, Association for Computing Machinery, 5th Program Protection and Reverse Engineering Workshop, PPREW 2015, Los Angeles, United States, 12/8/15. https://doi.org/10.1145/2843859.2843862

Kanzaki Y, Thomborson C, Monden A, Collberg C. Pinpointing and hiding surprising fragments in an obfuscated program. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015. Association for Computing Machinery. 2015. 2843862. (ACM International Conference Proceeding Series). doi: 10.1145/2843859.2843862

Kanzaki, Yuichiro ; Thomborson, Clark ; Monden, Akito et al. / Pinpointing and hiding surprising fragments in an obfuscated program. Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015. Association for Computing Machinery, 2015. (ACM International Conference Proceeding Series).

@inproceedings{1e0c7b625ba64b8ea4755e54b7badd01,

title = "Pinpointing and hiding surprising fragments in an obfuscated program",

abstract = "In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.",

keywords = "Code obfuscation, Code stealth, N-gram, Program analysis, Software protection",

author = "Yuichiro Kanzaki and Clark Thomborson and Akito Monden and Christian Collberg",

note = "Publisher Copyright: {\textcopyright} 2015 ACM.; 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 ; Conference date: 08-12-2015",

year = "2015",

month = dec,

day = "8",

doi = "10.1145/2843859.2843862",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015",

}

TY - GEN

T1 - Pinpointing and hiding surprising fragments in an obfuscated program

AU - Kanzaki, Yuichiro

AU - Thomborson, Clark

AU - Monden, Akito

AU - Collberg, Christian

PY - 2015/12/8

Y1 - 2015/12/8

N2 - In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.

AB - In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.

KW - Code obfuscation

KW - Code stealth

KW - N-gram

KW - Program analysis

KW - Software protection

UR - http://www.scopus.com/inward/record.url?scp=85007607636&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85007607636&partnerID=8YFLogxK

U2 - 10.1145/2843859.2843862

DO - 10.1145/2843859.2843862

M3 - Conference contribution

AN - SCOPUS:85007607636

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015

PB - Association for Computing Machinery

T2 - 5th Program Protection and Reverse Engineering Workshop, PPREW 2015

Y2 - 8 December 2015

ER -

Pinpointing and hiding surprising fragments in an obfuscated program

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this