Yuichiro Kanzaki

Exploiting self-modification mechanism for program protection

In this paper, we present a new method to protect software against illegal acts of hacking. The key idea is to add a mechanism of self-modifying codes to the original program, so that the original program becomes hard to be analyzed. In the binary program obtained by the proposed method, the original code fragments we want to protect are camouflaged by dummy instructions. Then, the binary program autonomously restores the original code fragments within a certain period of execution, by replacing the dummy instructions with the original ones. Since the dummy instructions are completely different from the original ones, code hacking fails if the dummy instructions are read as they are. Moreover, the dummy instructions are scattered over the program, therefore, they are hard to be identified. As a result, the proposed method helps to construct highly invulnerable software without special hardware.

Queue-based cost evaluation of mental simulation process in program comprehension

We present a method to estimate the cost of mental (hand) simulation of programs. In mental simulation, human short term memory is extensively used to recall and memorize values of variables. When the simulation reaches a variable reference, the simulation can be performed easily if the value is still remembered. However, if not, we have to backtrack the simulation until the value is obtained, which is time consuming. Taking the above observation into consideration, we first present a model, called virtual mental simulation model (VMSM), which exploits a queue representing short term memory. The VMSM takes one of the abstract processes recall or backtrack, depending on whether the variable is currently stored in the queue or not. Then, applying cost functions to the VMSM, we derive four dynamic metrics reflecting the cost of mental simulation. In our empirical study, the proposed VMSM metrics reveal that the backtrack process for nonconstant variables gives a significant impact on the cost of mental simulation. Since the proposed method can be fully automated, it can provide a practical means to estimate the cost of mental simulation, which can be also used as a program comprehension measure.

Code artificiality: a metric for the code stealth based on an N-gram model

This paper proposes a method for evaluating the artificiality of protected code by means of an N-gram model. The proposed artificiality metric helps us measure the stealth of the protected code, that is, the degree to which protected code can be distinguished from unprotected code. In a case study, we use the proposed method to evaluate the artificiality of programs that are transformed by well-known obfuscation techniques. The results show that static obfuscating transformations (e.g., Control flow flattening) have little effect on artificiality. However, dynamic obfuscating transformations (e.g., Code encryption), or a technique that inserts junk code fragments into the program, tend to increase the artificiality, which may have a significant impact on the stealth of the code.

A SOFTWARE PROTECTION METHOD BASED ON TIME-SENSITIVE CODE AND SELF-MODIFICATION MECHANISM

This paper proposes a systematic method for protecting software against malicious reverse engineering attacks. Our method aims to increase the cost of obtaining secret information in a program on the assumption that the adversaries have the ability to perform dynamic analysis as much as static analysis. A program protected by our method contains many time-sensitive codes, which are overwritten with fake (dummy) codes. Each time-sensitive code is modified during execution via self-modification according to the time taken to execute a designated block of the program. If the execution time of the block is within the predetermined range, the time-sensitive code becomes the original one. On the other hand, if the execution time is out of the range, the time-sensitive code becomes the other fake one. In order to obtain the secret information by static analysis, the adversary must find the routines that modify timesensitive codes which are scattered over the program, and must guess the predetermined valid execution time of the target blocks. In order to obtain the secret information by dynamic analysis, the adversary must make the execution reach the restricted points of the program without stopping the execution. As a result, our method helps to construct highly invulnerable software.

Pinpointing and Hiding Surprising Fragments in an Obfuscated Program

In this paper, we propose a pinpoint-hide defense method, which aims to improve the stealth of obfuscated code. In the pinpointing process, we scan the obfuscated code in a few small code fragment level and identify all surprising fragments, that is, very unusual fragments which may draw the attention of an attacker to the obfuscated code. In the hiding process, we transform the pinpointed surprising fragments into unsurprising ones while preserving semantics. The obfuscated code transformed by our method consists only by unsurprising code fragments, therefore is more difficult for attackers to be distinguished from unobfuscated code than the original. In the case study, we apply our pinpoint-hide method to some programs transformed by well-known obfuscation techniques. The result shows our method can pinpoint surprising fragments such as dummy code that does not fit in the context of the program, and instructions used in a complicated arithmetic expression. We also confirm that instruction camouflage can make the pinpointed surprising fragments unsurprising ones, and that it runs correctly.

An Instruction Folding Method to Prevent Reverse Engineering in Java Platform

To improve tamper resistance of programs against illegal modification, this paper proposes instruction folding applicable to Java platform. In the proposed method, at first, similar methods are selected in a Java program. Next, these methods are merged into one method and diffs among these methods are stored in the program. Then, at runtime, when one of the merged methods is executed, diffs are restored by self-modification, which is realized by the Java instrumentation mechanism. The proposed method is resilient against tampering of folded method. Even if an adversary modifies the folded method, the program goes crash because the method is repeatedly modified at runtime.