It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering. We then describe the design of a code obfuscator, a tool which converts a program into an equivalent one that is more diicult to understand and reverse engineer. The obfuscator is based on the application of code transformations, in many cases similar to those used by compiler optimizers. We describe a large number of such transformations, classify them, and evaluate them with respect to their potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), and cost (How much overhead is added to the application?). We nally discuss some possible deobfuscation techniques (such as program slicing) and possible countermeasures an obfuscator could employ against them.

A Taxonomy of Obfuscating Transformations

Malicious code is an increasingly important problem that threatens the security of computer systems. The traditional line of defense against malware is composed of malware detectors such as virus and spyware scanners. Unfortunately, both researchers and malware authors have demonstrated that these scanners, which use pattern matching to identify malware, can be easily evaded by simple code transformations. To address this shortcoming, more powerful malware detectors have been proposed. These tools rely on semantic signatures and employ static analysis techniques such as model checking and theorem proving to perform detection. While it has been shown that these systems are highly effective in identifying current malware, it is less clear how successful they would be against adversaries that take into account the novel detection mechanisms. The goal of this paper is to explore the limits of static analysis for the detection of malicious code. To this end, we present a binary obfuscation scheme that relies on the idea of opaque constants, which are primitives that allow us to load a constant into a register such that an analysis tool cannot determine its value. Based on opaque constants, we build obfuscation transformations that obscure program control flow, disguise access to local and global variables, and interrupt tracking of values held in processor registers. Using our proposed obfuscation approach, we were able to show that advanced semantics-based malware detectors can be evaded. Moreover, our opaque constant primitive can be applied in a way such that is provably hard to analyze for any static code analyzer. This demonstrates that static analysis techniques alone might no longer be sufficient to identify malware.

/pdf/limits-of-static-analysis-for-malware-detection-2mrakaqmj6.pdf

Limits of Static Analysis for Malware Detection

The Internet of Things (IoT) envisages a future in which digital and physical things or objects (e.g., smartphones, TVs, cars) can be connected by means of suitable information and communication technologies, to enable a range of applications and services. The IoT’s characteristics, including an ultra-large-scale network of things, device and network level heterogeneity, and large numbers of events generated spontaneously by these things, will make development of the diverse applications and services a very challenging task. In general, middleware can ease a development process by integrating heterogeneous computing and communications devices, and supporting interoperability within the diverse applications and services. Recently, there have been a number of proposals for IoT middleware. These proposals mostly addressed wireless sensor networks (WSNs), a key component of IoT, but do not consider RF identification (RFID), machine-to-machine (M2M) communications, and supervisory control and data acquisition (SCADA), other three core elements in the IoT vision. In this paper, we outline a set of requirements for IoT middleware, and present a comprehensive review of the existing middleware solutions against those requirements. In addition, open research issues, challenges, and future research directions are highlighted.

/pdf/middleware-for-internet-of-things-a-survey-5b3i33k9fm.pdf

Middleware for Internet of Things: A Survey

Finding and exploiting vulnerabilities in binary code is a challenging task. The lack of high-level, semantically rich information about data structures and control constructs makes the analysis of program properties harder to scale. However, the importance of binary analysis is on the rise. In many situations binary analysis is the only possible way to prove (or disprove) properties about the code that is actually executed. In this paper, we present a binary analysis framework that implements a number of analysis techniques that have been proposed in the past. We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches. In addition, the implementation of these techniques in a unifying framework allows for the direct comparison of these apporaches and the identification of their advantages and disadvantages. The evaluation included in this paper is performed using a recent dataset created by DARPA for evaluating the effectiveness of binary vulnerability analysis techniques. Our framework has been open-sourced and is available to the security community.

/pdf/sok-state-of-the-art-of-war-offensive-techniques-in-binary-38j8ap7yio.pdf

SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

A great deal of software is distributed in the form of executable code. The ability to reverse engineer such executables can create opportunities for theft of intellectual property via software piracy, as well as security breaches by allowing attackers to discover vulnerabilities in an application. The process of reverse engineering an executable program typically begins with disassembly, which translates machine code to assembly code. This is then followed by various decompilation steps that aim to recover higher-level abstractions from the assembly code. Most of the work to date on code obfuscation has focused on disrupting or confusing the decompilation phase. This paper, by contrast, focuses on the initial disassembly phase. Our goal is to disrupt the static disassembly process so as to make programs harder to disassemble correctly. We describe two widely used static disassembly algorithms, and discuss techniques to thwart each of them. Experimental results indicate that significant portions of executables that have been obfuscated using our techniques are disassembled incorrectly, thereby showing the efficacy of our methods.

/pdf/obfuscation-of-executable-code-to-improve-resistance-to-4whlwja8qk.pdf

Obfuscation of executable code to improve resistance to static disassembly

Reverse engineering of executable code is a growing area of software engineering research and technology development due to a variety of reasons, including the porting of programs to newer and faster machines. In this paper we discuss three core object code reverse engineering technologies: emulation, decompilation, and binary translation, and present their uses in the last decades. These uses point at an economic need for such techniques to the benefit of users of the technology. We then present the extent of copyright protection for binary code and its implications on the development of binary code manipulation tools. Further, we argue that copyright laws should not hinder the development of computer and software technology at a time when hardware is developing at increasingly fast rates and software needs to be made available on such new machines; i.e. economic considerations need to be taken into account.

The impact of copyright on the development of cutting edge binary reverse engineering technology

A method for overflow detection using partial evaluations. The method includes obtaining a section of code from a source code file stored on a storage device, analyzing the section of code to identify a buffer with an index, determining a plurality of statements that are statically-computable and dependent on the index of the buffer, and generating a code segment including the plurality of statements. The method further includes replacing an access statement of the plurality of statements with a conditional statement returning true when bounds of the buffer are exceeded, where the access statement uses the index to access the buffer, adding an unconditional statement returning false to the code segment, and executing the code segment on a computer processor to obtain a determination of whether the bounds of the buffer are exceeded.

System and method for overflow detection using partial evaluations

Since the 1980s most countries worldwide have introduced laws which extend copyright protection to computer software. In the first Australian case to consider copyright in a shareware computer program distributed on the Internet, the court held that the Internet service provider OzEmail had infringed Trumpet Software?s copyright in Trumpet Winsock 2.OB by arranging for the program and a set of altered data files to be distributed with other software on diskette as a give-away inserted in copies of computer magazines. The implications of this case for software developers, distributors, and users are presented.

Copyright in shareware software distributed on the Internet—the Trumpet Winsock case

Our most sensitive and important software systems are written in programming languages that are inherently insecure, making the security of the systems themselves extremely challenging. It is often said that these systems were written with the best tools available at the time, so over time with newer languages will come more security. But we contend that all of today's mainstream programming languages are insecure, including even the most recent ones that come with claims that they are designed to be "secure". Our real criticism is the lack of a common understanding of what "secure" might mean in the context of programming language design. We propose a simple data-driven definition for a secure programming language: that it provides first-class language support to address the causes for the most common, significant vulnerabilities found in real-world software. To discover what these vulnerabilities actually are, we have analysed the National Vulnerability Database and devised a novel categorisation of the software defects reported in the database. This leads us to propose three broad categories, which account for over 50% of all reported software vulnerabilities, that as a minimum any secure language should address. While most mainstream languages address at least one of these categories, interestingly, we find that none address all three. 
Looking at today's real-world software systems, we observe a paradigm shift in design and implementation towards service-oriented architectures, such as microservices. Such systems consist of many fine-grained processes, typically implemented in multiple languages, that communicate over the network using simple web-based protocols, often relying on multiple software environments such as databases. In traditional software systems, these features are the most common locations for security vulnerabilities, and so are often kept internal to the system. In microservice systems, these features are no longer internal but external, and now represent the attack surface of the software system as a whole. The need for secure programming languages is probably greater now than it has ever been.

https://drops.dagstuhl.de/opus/volltexte/2019/10546/pdf/LIPIcs-SNAPL-2019-3.pdf/

Cristina Cifuentes

Papers

The impact of copyright on the development of cutting edge binary reverse engineering technology

System and method for overflow detection using partial evaluations

Copyright in shareware software distributed on the Internet—the Trumpet Winsock case

What is a Secure Programming Language

Software maintenance - Preface