Replacement Attacks on Behavior Based Software Birthmark

  • Zhi Xin
  • Huiyu Chen
  • Xinche Wang
  • Peng Liu
  • Sencun Zhu
  • Bing Mao
  • Li Xie
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7001)

Abstract

Software birthmarks utilize certain specific program characteristics to validate the origin of software, so they can be applied to detect software piracy. One state-of-the-art software birthmark technique adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics-equivalent system calls to unlock the highly frequent dependencies between the system calls in an original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.

Keywords

software birthmark, replacement attack

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Zhi Xin (1)
  • Huiyu Chen (1)
  • Xinche Wang (1)
  • Peng Liu (2)
  • Sencun Zhu (2)
  • Bing Mao (1)
  • Li Xie (1)

  1. State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, China
  2. The Pennsylvania State University, University Park, USA