Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Tamper Resistance: Obstructing Static Analysis of Programs Chenxi Wang, Jonathan Hill, John Knight, Jack Davidson at university of Virginia This.

Published byBlanche Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Tamper Resistance: Obstructing Static Analysis of Programs Chenxi Wang, Jonathan Hill, John Knight, Jack Davidson at university of Virginia This."— Presentation transcript:

1 Software Tamper Resistance: Obstructing Static Analysis of Programs Chenxi Wang, Jonathan Hill, John Knight, Jack Davidson at university of Virginia This presentation consists of 4 parts:  Introduction  Techniques employed to hinder static analysis  Theoretical foundation and experimental results  Conclusion

2 Introduction Problem addressed: protecting trusted software against tampering on untrustworthy hosts. The solution: tamper resistant software. Why is access control infeasible? One aspect of software tamper resistance: prevention of static analysis of programs.

3 Static Analysis of Programs “Static analysis refers to techniques designed to extract [semantic] information from a static image of a computer program.” Entails two steps: control-flow analysis and data-flow analysis. Can be defeated by making the program control-flow data-dependent.

4 Control-flow Transformations Modify high-level control transfers to obstruct static detection of branch targets and call destinations. Two steps of transformation are illustrated in the following figures.

5 Dismantling of High-level Constructs int a,b; a=1; b=2; while(a 10) b--; a++; } use(b); a=1 b=2 b=a+b if(!(b>10)) goto L2 L2: a++ goto L1 L4: use (b) b-- L1: if(!(a<10)) goto L4

6 Transform to indirect control transfers L1: a=1; b=2; swVar=2; L3: b=b+a; if(!(b>10)) swVar=5; else swVar=4; L5: a++; swVar=2; goto switch switch(swVar) swVar=1 L2: if(!(a<10)) swVar=6; else swVar=3; L4: b--; swVar=5; L6: use(b);

7 Data-flow Transformations Dynamic computation of branch targets. The introduction of non-trivial aliases into the program.

8 dynamic computation of the switch variable L3: b=b+a; if(!(b>10)) swVar=5; else swVar=4; switch(swVar) goto switch; L3: b=b+a; if(!(b>10)) swVar=global_array[f1()]; else swVar=global_array[f2()]; switch(swVar) goto switch int global_array[];

9 Introducing aliases through pointers *p = a; a = a +b; *p = b b = 3; L2: *p = b; b = 3; swVar = f2(); L1: *p = a; a = a+b; swVar = f1(); A A

10 Complexity Evaluation Theorem 1: in the presence of general pointers, the problem of determining precise indirect branch target addresses is NP-hard. Proof: constructing a polynomial time reduction from 3SAT problem to it. Cannot be solved in polynomial time under the assumption that P!=NP.

11 Experimental Results Transformations considerably hindered the optimization that the compiler(gcc) is able to perform. Defeated PAF which is a static analysis tool from Rutgers university. Replacing 50% of the branches will result in an increase of a factor of 4 in the execution time and a factor of 2 in program size. Does the runtime cost justify the protection we gain?

12 Conclusion We have shown that static analysis can be defeated by making the control-flow analysis dependent on the data in the program. Future work includes establishing the practical lower bound on the time needed to analyze a transformed program. Thank you!

Download ppt "Software Tamper Resistance: Obstructing Static Analysis of Programs Chenxi Wang, Jonathan Hill, John Knight, Jack Davidson at university of Virginia This."

Similar presentations

Course Outline Traditional Static Program Analysis Software Testing

Course Outline Traditional Static Program Analysis Software Testing
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Runtime Protection via Dataflow Flattening Bertrand Anckaert Ghent University/ Boston Consulting Group The Third International Conference on Emerging Security.

Runtime Protection via Dataflow Flattening Bertrand Anckaert Ghent University/ Boston Consulting Group The Third International Conference on Emerging Security.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Chapter 9 – Network Theorems

Chapter 9 – Network Theorems
On the complexity of orthogonal compaction maurizio patrignani univ. rome III.

On the complexity of orthogonal compaction maurizio patrignani univ. rome III.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Software Uniqueness: How and Why? Puneet Mishra Dr. Mark Stamp Department of Computer Science San José State University, San José, California.

Software Uniqueness: How and Why? Puneet Mishra Dr. Mark Stamp Department of Computer Science San José State University, San José, California.
Overview of program analysis Mooly Sagiv html://www.math.tau.ac.il/~msagiv/courses/wcc03.html.

Overview of program analysis Mooly Sagiv html://
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Ben Livshits Based in part of Stanford class slides from

Ben Livshits Based in part of Stanford class slides from
BRASS Analysis of QuasiStatic Scheduling Techniques in a Virtualized Reconfigurable Machine Yury Markovskiy, Eylon Caspi, Randy Huang, Joseph Yeh, Michael.

BRASS Analysis of QuasiStatic Scheduling Techniques in a Virtualized Reconfigurable Machine Yury Markovskiy, Eylon Caspi, Randy Huang, Joseph Yeh, Michael.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Similar presentations

Ads by Google