The Superdiversifier: Peephole Individualization for Software Protection

  • Matthias Jacob
  • Mariusz H. Jakubowski
  • Prasad Naldurg
  • Chit Wei (Nick) Saw
  • Ramarathnam Venkatesan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5312)


We present a new approach to individualize programs at the machine- and byte-code levels. Our superdiversification methodology is based on the compiler technique of superoptimization, which performs a brute-force search over all possible short instruction sequences to find minimum-size implementations of desired functions. Superdiversification also searches for equivalent code sequences, but we guide the search by restricting the allowed instructions and operands to control the types of generated code. Our goal is not necessarily the shortest or most optimal code sequence, but an individualized sequence identified by a secret key or other means, as determined by user-specified criteria. Also, our search is not limited to commodity instruction sets, but can work over arbitrary byte-codes designed for software randomization and protection. Applications include patch obfuscation to complicate reverse engineering and exploit creation, as well as binary diversification to frustrate malicious code tampering. We believe that this approach can serve as a useful element of a comprehensive software-protection system.
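A toy version of the search described in the abstract, added here as an illustration and not taken from the paper: it enumerates short instruction sequences over a restricted instruction set, keeps those equivalent to a target function, and selects one with a secret key. The 8-bit accumulator machine, the instruction names, the exhaustive-input equivalence check and the HMAC-based selection are all assumptions of this example.

```python
import hashlib
import hmac
from itertools import product

MASK = 0xFF  # toy 8-bit accumulator machine (assumption, not the paper's byte-code)

# Hypothetical instruction set: name -> effect on accumulator a with operand k.
OPS = {
    "NOT": lambda a, k: ~a & MASK,
    "NEG": lambda a, k: -a & MASK,
    "ADD": lambda a, k: (a + k) & MASK,
    "SUB": lambda a, k: (a - k) & MASK,
    "XOR": lambda a, k: (a ^ k) & MASK,
}
UNARY = {"NOT", "NEG"}  # these ignore the operand; it is stored as 0


def inc(x):
    """Target function to individualize: increment modulo 256."""
    return (x + 1) & MASK


def run(seq, a):
    """Execute a sequence of (opcode, operand) pairs on accumulator a."""
    for op, k in seq:
        a = OPS[op](a, k)
    return a


def equivalents(target, allowed_ops, operands, max_len):
    """Brute-force every sequence up to max_len built only from the allowed
    opcodes and operands; keep those that match target on all 256 inputs."""
    instrs = [(op, 0) for op in allowed_ops if op in UNARY]
    instrs += [(op, k) for op in allowed_ops if op not in UNARY for k in operands]
    found = []
    for n in range(1, max_len + 1):
        for seq in product(instrs, repeat=n):
            if all(run(seq, x) == target(x) for x in range(MASK + 1)):
                found.append(seq)
    return found


def individualize(key, label, candidates):
    """Deterministically pick one equivalent sequence from a secret key."""
    digest = hmac.new(key, label.encode(), hashlib.sha256).digest()
    return candidates[int.from_bytes(digest, "big") % len(candidates)]
```

Restricting `allowed_ops` to `NOT` and `NEG` leaves exactly one two-instruction implementation of the increment, while a wider set yields many candidates from which the key selects one.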





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Matthias Jacob (1)
  • Mariusz H. Jakubowski (2)
  • Prasad Naldurg (3)
  • Chit Wei (Nick) Saw (2)
  • Ramarathnam Venkatesan (2, 3)

  1. Nokia, Finland
  2. Microsoft Research, India
  3. Microsoft Research, India
