Exploiting code mobility for dynamic binary obfuscation

Question

1. What have the authors contributed in "Exploiting code mobility for dynamic binary obfuscation" ?

2. What future works have the authors mentioned in the paper "Exploiting code mobility for dynamic binary obfuscation" ?

3. What can be done to prevent the attacker from interpreting the code?

4. What is the main contribution of this work?

Accepted Answer

To address this research problem, the authors propose a novel binary obfuscation approach based on the deployment of an incomplete application whose code arrives from a trusted network entity as a flow of mobile code blocks which are arranged in memory with a different customized memory layout.. This paper presents their approach to contrast reverse engineering by defeating static and dynamic analysis, and discusses its effectiveness.

Accepted Answer

Further research will be devoted to integrate program splitting with other techniques like selfmodifying code and remote attestation in order to integrate tamper-detection techniques to improve the level of protection ; furthermore the authors plan to to evaluate the increased effort necessary to reverse engineer a binary-obfuscated program ( with respect to the effort necessary for a non-obfuscated one ) by means of empirical experiments, extending a previous work [ 8 ] made on source-code obfuscation.

Accepted Answer

Bogus blocks can be periodically sent to the program in order to continuously confuse the attacker, and to overwrite portions of the empty code section thus reducing the time the attacker has to understand a given portion of code.

Accepted Answer

The main contribution of their work is the definition of a new kind of binary obfuscation relying on code mobility and binary code splitting.

Accepted Answer

In order to implement the proposed program execution schema it is mandatory to be able to split a program binary into a set of different blocks, and to instrument each block in order to insert calls to the binder.

Accepted Answer

Bogus block may include, unelectable blocks that generate errors when executed (e.g., they contain illegal microprocessor instructions), and no-effect blocks containing code performing computations that do not produce any useful result for the program.

Accepted Answer

The random bytes causes disassembler to shift instruction boundaries (which have variable length in Intel architecture), and displays wrong assembly instructions to the attacker.

Accepted Answer

An attacker usually tries to reach his goal by disassembling the executable file with tools like IDA [1] and then identifying and removing software protections using debuggers.

Accepted Answer

In order to encrypt the communication between the two nodes, and therefore to prevent manin-the-middle attacks, the channel have been secured using the AES encryption algorithm.

Accepted Answer

Code mobility shows many features which are helpful to improve tamper resistance:• Protection of code against static and dynamic analysis, as the whole code is not completely available when running on the hostile host;•

Accepted Answer

The main idea, highlighted in this paper, is to use code mobility to make it more difficult for an attacker to tamper with the code.

Accepted Answer

In the free memory area, if the user places a breakpoint on one of the random data bytes, thinking it is a valid instruction, the breakpoint is never met and does not stop the execution.

Accepted Answer

since the trusted node has all the information regarding where the different code blocks are mapped, calculating the target address is a trivial task.

Accepted Answer

The network communication between the trusted server and the program to be protected (running on the remote host), created through a network socket, includes two logical channels: a bidirectional control channel used to exchange control information, and a unidirectional channelused to send blocks of code to the program.

Accepted Answer

Many software-based protection techniques have been proposed in latest years both to prevent reverse engineering and code analysis (like obfuscation), or to detect at run-time if the program integrity has been violated by means of additional code bundled in the application.

Accepted Answer

In order to continue the execution, each time it is called the binder has to:• Retrieve the position inside the block where the call was issued (this is always possible looking at the ap-plication stack);•

Accepted Answer

Sailer et al. [15] build software protections on top of a tamper-proof hardware component, e.g., the Trusted Platform Module [4], which is situated locally on the motherboard.

Accepted Answer

Any time the application needs to jump outside the block, either because the execution reaches the end of the block or, control flow instructions need to modify the sequential execution flow, a call to the binder is inserted.

Accepted Answer

Fig. 3 shows the automated instrumentation flow able to start with a stand alone application and to automatically generate the related pool of code blocks.

Accepted Answer

This paper presents their approach to contrast reverse engineering by defeating static and dynamic analysis, and discusses its effectiveness.

Accepted Answer

The generation is tuned by a set of parameters aiming at defining the optimal length of the blocks to avoid the generation of blocks that are too small or too big.

Accepted Answer

Every time a block is sent to the binder, its target location in the code section is decided by the trusted host (e.g., randomly) and sent to the program through the control channel.

Exploiting code mobility for dynamic binary obfuscation

Chat with Paper

AI Agents for this Paper

Most frequently asked questions

1. What have the authors contributed in "Exploiting code mobility for dynamic binary obfuscation" ?

2. What future works have the authors mentioned in the paper "Exploiting code mobility for dynamic binary obfuscation" ?

3. What can be done to prevent the attacker from interpreting the code?

4. What is the main contribution of this work?

5. What is the way to implement the proposed program execution schema?

6. What are some of the types of blocks that can be sent to the binder?

7. What is the effect of disassembly on the code block?

8. How does an attacker achieve his goal?

9. What is the purpose of the AES encryption algorithm?

10. What are the main features of code mobility?

11. What is the main idea of this paper?

12. What is the effect of disabling code blocks in the free memory area?

13. What is the way to calculate the target address?

14. What is the definition of a network communication between the trusted server and the program to be protected?

15. What are the main reasons why the security of software is so important?

16. What is the function of the binder?

17. What is the problem with software protections?

18. What is the definition of a binder?

19. What is the function of the automated instrumentation flow?

20. What is the purpose of this paper?

21. What is the way to generate a block?

22. What is the process of sending a block to the binder?

Figures

Citations

Diversification and Obfuscation Techniques for Software Security: a Systematic Literature Review

Software Protection with Code Mobility

Diversification of System Calls in Linux Binaries

Branch Obfuscation Using Code Mobility and Signal

Control Flow Obfuscation using Neural Network to Fight Concolic Testing

References

Design and implementation of a TCG-based integrity measurement architecture

Obfuscation of executable code to improve resistance to static disassembly

Tamper Resistant Software: An Implementation

Revisiting Software Protection

Strengthening software self-checksumming via self-modifying code

Related Papers (5)

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection

A Taxonomy of Obfuscating Transformations

Operating system protection through program evolution

On the (Im)possibility of Obfuscating Programs

Obfuscation of executable code to improve resistance to static disassembly