Formal Aspects of Computing

, Volume 30, Issue 6, pp 685–711 | Cite as

Code obfuscation against abstraction refinement attacks

  • Roberto Bruni
  • Roberto Giacobazzi
  • Roberta GoriEmail author
Original Article


Code protection technologies require anti reverse engineering transformations to obfuscate programs in such a way that tools and methods for program analysis become ineffective. We introduce the concept of model deformation inducing an effective code obfuscation against attacks performed by abstract model checking. This means complicating the model in such a way a high number of spurious traces are generated in any formal verification of the property to disclose about the system under attack.We transform the program model in order to make the removal of spurious counterexamples by abstraction refinement maximally inefficient. Because our approach is intended to defeat the fundamental abstraction refinement strategy, we are independent from the specific attack carried out by abstract model checking. A measure of the quality of the obfuscation obtained by model deformation is given together with a corresponding best obfuscation strategy for abstract model checking based on partition refinement.


Code obfuscation Verification Model checking Refinement 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.



We are very grateful to Alberto Lluch-Lafuente for the fruitful discussions we had on the subject of this paper. Research partially supported by University of Pisa PRA-2016-64 Project Through the fog.


  1. BCGNP16.
    Banescu S, Collberg CS, Ganesh V, Newsham Z, Pretschner A., (2016) Code obfuscation against symbolic execution attacks. In: Schwab S, Robertson WK, Balzarotti D (eds) Proc. 32nd annual conference on computer security applications, ACSAC 2016. ACM, pp. 189–200Google Scholar
  2. BGIRSV12.
    Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S., Yang K.: On the (im)possibility of obfuscating programs. J ACM 59(2), 6 (2012)MathSciNetCrossRefGoogle Scholar
  3. BGO18.
    Bruni R, Giacobazzi R, Gori R (2018) Code obfuscation against abstract model checking attacks. In: Dillig I, Palsberg J., (eds) Verification, model checking, and abstract interpretation—19th international conference, VMCAI 2018, LosAngeles, CA, USA, January 7-9, 2018. Proceedings, volume 10747 of lecture notes in computer science. Springer, pp. 94–115Google Scholar
  4. CGJLV03.
    Clarke E., Grumberg O., Jha S., Lu Y., Veith H.: Counter example-guided abstraction refinement for symbolic model checking. J ACM 50(5), 752–794 (2003)MathSciNetCrossRefGoogle Scholar
  5. CGL92.
    Clarke E, Grumberg O, Long D (1992) Model checking and abstraction. In: Proc. of the 19th ACM symp. on principles of programming languages (POPL ’92). ACM Press, pp. 343–354Google Scholar
  6. CGL94.
    Clarke E., Grumberg O., Long D.: checking and abstraction. ACM Trans Program Lang Syst 16(5), 1512–1542 (1994)CrossRefGoogle Scholar
  7. CGP99.
    Clarke E., Grumberg O., Long D.: Model checking and abstraction. ACM Trans Program Lang Syst 16(5), 1512–1542 (1994)CrossRefGoogle Scholar
  8. CDGGHW11.
    Collberg C., Davidson J., Giacobazzi R., Gu Y., Herzberg A., Wang F.: Toward digital asset protection. IEEE Intell Syst 26(6), 8–13 (2011)CrossRefGoogle Scholar
  9. CN09.
    Collberg C., Nagra J.: Surreptitious software: obfuscation, watermarking, and tamperproofing for software protection. Addison-Wesley Professional, Boston (2009)Google Scholar
  10. CC77.
    Cousot P, Cousot R (1977) Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of the 4th ACM symp. on principles of programming languages (POPL ’77). ACM Press, pp. 238–252Google Scholar
  11. CC04.
    Cousot P, Cousot R (2004) An abstract interpretation-based framework for software watermarking. In: Proc. of the 31st ACM symp. on principles of programming languages (POPL ’04). ACM Press, New York, pp. 173–185Google Scholar
  12. DG09.
    Dalla Preda M., Giacobazzi R.: Semantics-based code obfuscation by abstract interpretation. J Comput Secur 17(6), 855–908 (2009)CrossRefGoogle Scholar
  13. Dav17.
    David R (2017) Formal approaches for automatic deobfuscation and reverse-engineering of protected codes. (Approches formelles de désobfuscation automatique et de rétro-ingénierie de codes protégés). PhD thesis, University of Lorraine, Nancy, FranceGoogle Scholar
  14. Eme90.
    Emerson EA., (1990) Temporal and modal logic. In: van Leeuwen J, (ed) Handbook of theoretical computer science, volume B: formal models and semantics. Elsevier, Amsterdam and The MIT Press, Cambridge, MasszbMATHGoogle Scholar
  15. FMP14.
    Feist J., Mounier L., Potet M.: Statically detecting use after free on binary code. J Comput Virol Hack Tech 10(3), 211–217 (2014)CrossRefGoogle Scholar
  16. Gia08.
    Giacobazzi R (2008) Hiding information in completeness holes—new perspectives in code obfuscation and watermarking. In: Proc. of the 6th IEEE int conferences on software engineering and formal methods (SEFM’08). IEEE Press, pp. 7–20Google Scholar
  17. GJM12.
    Giacobazzi R., Jones ND., Mastroeni I., (2012) Obfuscation by partial evaluation of distorted interpreters. In: Proc. of the ACM SIGPLAN symp. on partial evaluation and semantics-based program manipulation (PEPM’12), pp. 63–72. ACM PressGoogle Scholar
  18. GQ01.
    Giacobazzi R,Quintarelli E (2001) Incompleteness, counterexamples and refinements in abstract model-checking. In: Proc. of the 8th int. static analysis symp. (SAS’01), volume 2126 of lecture notes in computer science. Springer, pp 356–373Google Scholar
  19. GRS00.
    Giacobazzi R., Ranzato F., Scozzari F.: Making abstract interpretation complete. J ACM 47(2), 361–416 (2000)MathSciNetCrossRefGoogle Scholar
  20. Kin12.
    Kinder J (2012) Towards static analysis of virtualization-obfuscated binaries. In: 19th working conference on reverse engineering, WCRE 2012, Kingston, ON, Canada, October 15–18, 2012, pp. 61–70. IEEE Computer SocietyGoogle Scholar
  21. KKSV05.
    Kinder J, Katzenbeisser S, Schallhart C, Veith H, (2005) Detecting malicious code by model checking. In: Julisch K, Krügel C (eds) Detection of intrusions and malware, and vulnerability assessment, second international conference, DIMVA2005, Vienna, Austria, July 7–8, 2005, proceedings, volume 3548 of lecture notes in computer science. Springer, pp. 174–187Google Scholar
  22. Löw17.
    Löwe S (2017) Effective approaches to abstraction refinement for automatic software verification. PhD thesis, University of Passau, GermanyGoogle Scholar
  23. Mic17.
    Microsoft. Static driver verifier website (last consulted november 2017), 2017.
  24. NTC02.
    Nagra J., Thomborson CD., Collberg C.: A functional taxonomy for software watermarking. Aust Comput Sci Commun 24(1), 177–186 (2002)Google Scholar
  25. RT07.
    Ranzato F., Tapparo F.: Generalized strong preservation by abstract interpretation. J Logic Comput 17(1), 157–197 (2007)MathSciNetCrossRefGoogle Scholar
  26. Ric53.
    Rice H.: Classes of recursively enumerable sets and their decision problems. Trans Am Math Soc 74, 358–366 (1953)MathSciNetCrossRefGoogle Scholar
  27. RA00.
    Ritchey RW, Ammann P (2000) Using model checking to analyze network vulnerabilities. In: 2000 IEEE symposium on security and privacy, Berkeley, California, USA, May 14–17, 2000. IEEE Computer Society, pp. 156–165Google Scholar
  28. Sch98.
    Schmidt DA (1998) Data flow analysis is model checking of abstract interpretations. In: MacQueen DB, Cardelli L (eds) POPL ’98, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on principles of programming languages, San Diego, CA, USA, January 19–21, 1998. ACM, pp. 38–48Google Scholar
  29. SS98.
    Schmidt DA, Steffen B (1998) Program analysis as model checking of abstract interpretations. In: Levi G (ed) Static analysis, 5th international symposium, SAS ’98, Pisa, Italy, September 14–16, 1998, proceedings, volume 1503 of lecture notes in computer science. Springer, pp 351–380Google Scholar
  30. TCI18.
    TCIPG.ORG. Vulnerability assessment tool using model checking, fact sheet (last consulted march 2018), 2018. https://
  31. VVS01.
    Venkatesan R,Vazirani V, Sinha S (2001) A graph theoretic approach to software watermarking. In: Proc. 4th int.workshop on information hiding (IHW ’01), volume 2137 of lecture notes in computer science. Springer, pp. 157–168Google Scholar
  32. WHKD01.
    Wang C, Hill J, Knight JC, Davidson JW (2001) Protection of software-based survivability mechanisms. In: 2001 international conference on dependable systems and networks (DSN 2001) (formerly: FTCS), 1-4 July 2001, Göteborg, Sweden, Proceedings. IEEE Computer Society, pp. 193–202Google Scholar
  33. Yad16.
    Yadegari B (2016) Automatic deobfuscation and reverse engineering of obfuscated code. PhD thesis, University of Arizona, Tucson, USAGoogle Scholar
  34. YJWD15.
    Yadegari B, Johannesmeyer B, Whitely B, Debray S (2015) A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE symposium on security and privacy, SP 2015, San Jose, CA, USA,May 17–21, 2015. IEEE Computer Society, pp 674–691Google Scholar

Copyright information

© British Computer Society 2018

Authors and Affiliations

  1. 1.Dipartimento di InformaticaUniversità di PisaPisaItaly
  2. 2.Dipartimento di InformaticaUniversità di VeronaVeronaItaly
  3. 3.IMDEA SW InstituteMadridSpain

Personalised recommendations