Proceedings ArticleDOI

Program Fragmentation as a Metamorphic Software Protection

TL;DR: Assessment of the performance overhead of a program fragmentation engine and analysis of its effectiveness against reverse-engineering techniques show that program fragmentation has low overhead and is an effective technique to complicate disassembly of programs using two common disassembler/debugger tools.
Abstract: Unauthorized reverse-engineering of programs and algorithms is a major problem for the software industry. Reverse-engineers search for security holes in the program to exploit or try to steal competitors' vital algorithms. To discourage reverse-engineering, developers use a variety of static software protections to obfuscate their programs. Metamorphic software protections add another layer of protection to traditional static obfuscation techniques, forcing reverse-engineers to adjust their attacks as the protection changes. Program fragmentation combines two obfuscation techniques, outlining and obfuscated jump tables, into a new, metamorphic protection. Sections of code are removed from the main program flow and placed throughout memory, reducing the program's locality. These fragments move and are called using obfuscated jump tables, making program execution difficult to follow. This research assesses the performance overhead of a program fragmentation engine and provides analysis of its effectiveness against reverse-engineering techniques. Results show that program fragmentation has low overhead and is an effective technique to complicate disassembly of programs using two common disassembler/debugger tools.


Citations
Journal ArticleDOI
TL;DR: An IRS taxonomy based on design parameters to classify existing schemes is presented and the essential response design parameters for IRS to mitigate attacks in real time and obtain a robust output are investigated.

94 citations

Proceedings ArticleDOI
01 Apr 2008
TL;DR: Fuzzy Logic Controllers are developed to estimate the various risk(s) that are dependent on several other variables based on the inputs from HMM modules and the DIDS agents to develop the fuzzy risk expert system.
Abstract: A Distributed Intrusion Prediction and Prevention Systems (DIPPS) not only detects and prevents possible intrusions but also possesses the capability to predict possible intrusions in a distributed network. Based on the DIPS sensors, instead of merely preventing the attackers or blocking traffic, we propose a fuzzy logic based online risk assessment scheme. The key idea of DIPPS is to protect the network(s) linked to assets, which are considered to be very risky. To implement DIPPS we used a Distributed Intrusion Detection System (DIDS) with extended real time traffic surveillance and online risk assessment. To model and predict the next step of an attacker, we used a Hidden Markov Model (HMM) that captures the interaction between the attacker and the network. The interaction between various DIDS and integration of their output are achieved through a HMM. The novelty of this paper is the detailed development of Fuzzy Logic Controllers to estimate the various risk(s) that are dependent on several other variables based on the inputs from HMM modules and the DIDS agents. To develop the fuzzy risk expert system, if-then fuzzy rules were formulated based on interviews with security experts and network administrators. Preliminary results indicate that such a system is very practical for protecting assets which are prone to attacks or misuse, i.e. highly at risk.

44 citations

Proceedings ArticleDOI
15 Apr 2011
TL;DR: This paper presents the approach to contrast reverse engineering by defeating static and dynamic analysis, and discusses its effectiveness.
Abstract: Software protection aims at protecting the integrity of software applications deployed on un-trusted hosts and being subject to illegal analysis. Within an un-trusted environment a possibly malicious user has complete access to system resources and tools in order to analyze and tamper with the application code. To address this research problem, we propose a novel binary obfuscation approach based on the deployment of an incomplete application whose code arrives from a trusted network entity as a flow of mobile code blocks which are arranged in memory with a different customized memory layout. This paper presents our approach to contrast reverse engineering by defeating static and dynamic analysis, and discusses its effectiveness.

27 citations


Cites background from "Program Fragmentation as a Metamorp..."

  • ...[7] provide metamorphic binary code by means of program fragmentation....


Proceedings ArticleDOI
31 Oct 2008
TL;DR: This paper uses a hidden Markov model (HMM) to model sensors for an intrusion prevention system (IPS) and shows how the model can be applied to an IPS architecture based on intrusion detection system (IDS) sensors, real-time traffic surveillance and online risk assessment.
Abstract: In this paper we propose to use a hidden Markov model (HMM) to model sensors for an intrusion prevention system (IPS). Observations from different sensors are aggregated in the HMM and the intrusion frequency security metric is estimated. We use a Markov model that captures the interaction between the attacker and the network to model and predict the next step of an attacker. A new HMM is created and used for updating the estimated system state for each observation, based on the sensor trustworthiness and the time since last observation processed. Our objective is to calculate and maintain a state probability distribution that can be used for intrusion prediction and prevention. We show how our sensor model can be applied to an IPS architecture based on intrusion detection system (IDS) sensors, real-time traffic surveillance and online risk assessment. Our approach is illustrated by a small case study.

26 citations

Book ChapterDOI
01 Jan 2017
TL;DR: This chapter investigates intrusion prediction systems to show the need for such a system, the insufficiency of current intrusion detection systems, and how prediction will improve the security capabilities of defence systems.
Abstract: In recent years, cyberattacks have increased rapidly in huge volumes and diversity. Despite the existence of advanced cyber-defence systems, attacks and intrusions still occur. Defence systems tried to block previously known attacks, stop ongoing attacks and detect attacks that have occurred. However, often the damage caused by an attack is catastrophic. Consequently, the need for improved intrusion detection systems and a proposed robust prediction system is more urgent these days. In this chapter, we investigate intrusion prediction systems to show the need for such a system, the insufficiency of the current intrusion detection systems and how prediction will improve the security capabilities of defence systems. A survey of intrusion prediction systems in cybersecurity, the concepts of work and methods used in these systems is presented.

26 citations

References
Journal ArticleDOI
Lawrence R. Rabiner
01 Feb 1989
TL;DR: In this paper, the authors provide an overview of the basic theory of hidden Markov models (HMMs) as originated by L.E. Baum and T. Petrie (1966) and give practical details on methods of implementation of the theory along with a description of selected applications of HMMs to distinct problems in speech recognition.
Abstract: This tutorial provides an overview of the basic theory of hidden Markov models (HMMs) as originated by L.E. Baum and T. Petrie (1966) and gives practical details on methods of implementation of the theory along with a description of selected applications of the theory to distinct problems in speech recognition. Results from a number of original sources are combined to provide a single source of acquiring the background required to pursue further this area of research. The author first reviews the theory of discrete Markov chains and shows how the concept of hidden states, where the observation is a probabilistic function of the state, can be used effectively. The theory is illustrated with two simple examples, namely coin-tossing, and the classic balls-in-urns system. Three fundamental problems of HMMs are noted and several practical techniques for solving these problems are given. The various types of HMMs that have been studied, including ergodic as well as left-right models, are described.

21,819 citations

01 Jul 1997
TL;DR: It is argued that automatic code obfuscation is currently the most viable method for preventing reverse engineering and the design of a code obfuscator is described, a tool which converts a program into an equivalent one that is more difficult to understand and reverse engineer.
Abstract: It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. In this paper we review several techniques for technical protection of software secrets. We will argue that automatic code obfuscation is currently the most viable method for preventing reverse engineering. We then describe the design of a code obfuscator, a tool which converts a program into an equivalent one that is more difficult to understand and reverse engineer. The obfuscator is based on the application of code transformations, in many cases similar to those used by compiler optimizers. We describe a large number of such transformations, classify them, and evaluate them with respect to their potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), and cost (How much overhead is added to the application?). We finally discuss some possible deobfuscation techniques (such as program slicing) and possible countermeasures an obfuscator could employ against them.

1,019 citations


Additional excerpts

  • ...[1] Collberg, Christian, Clark Thomborson, and Douglas Low....


  • ...Current protections methods primarily consist of static protections such as encryption, obfuscated control paths, outlining, and opcode shifts [1]....


Book
03 Feb 2005
TL;DR: Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware.
Abstract: "Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book." - Halvar Flake, Reverse Engineer, SABRE Security GmbH. Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more. Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats. Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.
This book's coverage includes:
  • Discovering how malicious code attacks on a variety of platforms
  • Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
  • Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
  • Mastering empirical methods for analyzing malicious code, and what to do with what you learn
  • Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
  • Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
  • Using worm blocking, host-based intrusion prevention, and network-level defense strategies

925 citations

Proceedings ArticleDOI
27 Oct 2003
TL;DR: Experimental results indicate that significant portions of executables that have been obfuscated using the techniques described are disassembled incorrectly, thereby showing the efficacy of the methods.
Abstract: A great deal of software is distributed in the form of executable code. The ability to reverse engineer such executables can create opportunities for theft of intellectual property via software piracy, as well as security breaches by allowing attackers to discover vulnerabilities in an application. The process of reverse engineering an executable program typically begins with disassembly, which translates machine code to assembly code. This is then followed by various decompilation steps that aim to recover higher-level abstractions from the assembly code. Most of the work to date on code obfuscation has focused on disrupting or confusing the decompilation phase. This paper, by contrast, focuses on the initial disassembly phase. Our goal is to disrupt the static disassembly process so as to make programs harder to disassemble correctly. We describe two widely used static disassembly algorithms, and discuss techniques to thwart each of them. Experimental results indicate that significant portions of executables that have been obfuscated using our techniques are disassembled incorrectly, thereby showing the efficacy of our methods.

694 citations

Book
01 Jan 2005
TL;DR: This book provides readers with practical, in-depth techniques for software reverse engineering, including computer internals, operating systems, and assembly language.
Abstract: Beginning with a basic primer on reverse engineering, including computer internals, operating systems, and assembly language, this book provides readers with practical, in-depth techniques for software reverse engineering.

328 citations


Additional excerpts

  • ...[3] Eilam, Eldad....
