Skip to main content
SpringerLink
Log in

On the possibility of practically obfuscating programs towards a unified perspective of code protection

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Barak et al. gave a first formalization of obfuscation, describing an obfuscator \({\mathcal{O}}\) as an efficient, probabilistic “compiler” that takes in input a program P and produces a new program \({\mathcal{O}(P)}\) that has the same functionality as P but is unintelligible. This means that any result an obfuscated program can compute is actually computable given only an input/output access (called oracle access) to the program P: we call such results trivial results. On the basis of this informal definition, they suggest a formal definition of obfuscation based on oracle access to programs and show that no obfuscator can exist according to this definition. They also try to relax the definition and show that, even with a restriction to some common classes of programs, there exists no obfuscator. In this work, we show that their definition is too restrictive and lacks a fundamental property, that we formalize by the notion of oracle programs. Oracle programs are an abstract notion which basically refers to perfectly obfuscated programs. We suggest a new definition of obfuscation based on these oracle programs and show that such obfuscators do not exist either. Considering the actual implementations of “obfuscators”, we define a new kind of obfuscators, \({\tau}\) -obfuscators. These are obfuscators that hide non trivial results at least for time \({\tau}\) . By restricting the \({\tau}\) -requirement to deobfuscation (that is outputting an intelligible program when fed with an obfuscated program in input), we show that such obfuscators do exist. Practical \({\tau}\) -obfuscation methods are presented at the end of this paper: we focus more specifically on code protection techniques in a malware context. Based on the fact that a malware may fulfill its action in an amount of time which may be far larger than the analysis time of any automated detection program, these obfuscation methods can be considered as efficient enough to greatly thwart automated analysis and put check on any antivirus software.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. GOST 28147-89. Cryptographic protection for data processing systems, 1980. White paper, available from http://www.cisco.com/warp/public/732/netflow

  2. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Proceedings of CRYPTO, pp. 1 – 18, November 2001

  3. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland, July 1997

  4. Filiol, E.: Strong cryptography armoured computer viruses forbidding code analysis: the bradley virus. In: Broucek, V. (ed.) Proceedings of the 14th EICAR Conference, pp. 201–217, May 2005

  5. Filiol, E.: Techniques virales avancées. Springer, France (2006). An English translation is pending and will be in print at the beginning of 2007

  6. Goldwasser S., Micali S. (1984): Probabilistic encryption. J. Comp. Syst. Scie. 28, 270–299

    Article  MATH  MathSciNet  Google Scholar 

  7. Kleene S.C. (1938): On notation for ordinal numbers. J. Symbolic Logic 3(4): 150–155

    Article  MATH  MathSciNet  Google Scholar 

  8. Lenstra A.K. (2000): Integer factoring. Des. Codes Cryptograp. 19, 101–128

    Article  MATH  MathSciNet  Google Scholar 

  9. Morain, F.: Thirty years of integer factorization. In: Chyzak F. (ed.) Proceedings of the Algorithms Seminar 2000–2001, p. 77–80, April 2002

  10. Micali S., Rackoff C., Sloan B. (1988): The notion of security for probabilistic cryptosystems. SIAM J. Comput. 17, 412–426

    Article  MATH  MathSciNet  Google Scholar 

  11. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1997)

  12. Papadimitriou C. (1995): Complexity Theory. Addison Wesley, Reading

    Google Scholar 

  13. Pomerance C. (1984): The quadratic sieve factoring algorithm. In: Beth T., Cot N., Ingemarsson I. (eds) Advances in Cryptology—Eurocrypt’84. LNCS vol. 209, Springer Berlin Heidelberg, Newyork, pp. 169–182

    Google Scholar 

  14. Shannon C.E. (1949): Communication theory of secrecy systems. Bell Syst. Tech. J., 28, 656–715

    MathSciNet  Google Scholar 

  15. Zuo Z., Zhou M. (2005): On the time complexity of computer viruses. IEEE Trans. Informat. Theory 51(8): 2962–2966

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Ecoles des Mines de Nancy, Parc de Saurupt, CS 14 234, 54042, Nancy Cédex, France

    Philippe Beaucamps

  2. Ecole Supérieure et d’Application des Transmissions, Laboratoire de virologie et de cryptologie, B.P. 18, 35998, Rennes Armées, France

    Eric Filiol

Authors
  1. Philippe Beaucamps
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eric Filiol
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eric Filiol.

Additional information

This research has been conducted while on stay at the Laboratoire de virologie et de cryptologie.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Beaucamps, P., Filiol, E. On the possibility of practically obfuscating programs towards a unified perspective of code protection. J Comput Virol 3, 3–21 (2007). https://doi.org/10.1007/s11416-006-0029-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-006-0029-6

Keywords

Search

Navigation