Obfuscation of executable code to improve resistance to static disassembly

Cullen Linn, Saumya K Debray

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

393 Citations (Scopus)

Abstract

A great deal of software is distributed in the form of executable code. The ability to reverse engineer such executables can create opportunities for theft of intellectual property via software piracy, as well as security breaches by allowing attackers to discover vulnerabilities in an application. The process of reverse engineering an executable program typically begins with disassembly, which translates machine code to assembly code. This is then followed by various decompilation steps that aim to recover higher-level abstractions from the assembly code. Most of the work to date on code obfuscation has focused on disrupting or confusing the de-compilation phase. This paper, by contrast, focuses on the initial disassembly phase. Our goal is to disrupt the static disassembly process so as to make programs harder to disassemble correctly. We describe two widely used static disassembly algorithms, and discuss techniques to thwart each of them. Experimental results indicate that significant portions of executables that have been obfuscated using our techniques are disassembled incorrectly, thereby showing the efficacy of our methods.

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Editors: V. Atluri, P. Liu
Pages: 290-299
Number of pages: 10
State: Published - 2003
Event: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003 - Washington, DC, United States
Duration: Oct 27 2003 to Oct 31 2003

Other

Other: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003
Country: United States
City: Washington, DC
Period: 10/27/03 to 10/31/03

Fingerprint

Computer crime
Reverse engineering
Intellectual property
Engineers

Keywords

  • Code obfuscation
  • Disassembly

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Linn, C., & Debray, S. K. (2003). Obfuscation of executable code to improve resistance to static disassembly. In V. Atluri, & P. Liu (Eds.), Proceedings of the ACM Conference on Computer and Communications Security (pp. 290-299)

@inproceedings{f3ce9d44b31b4823a675dae6fedfc762,
title = "Obfuscation of executable code to improve resistance to static disassembly",
keywords = "Code obfuscation, Disassembly",
author = "Cullen Linn and Debray, {Saumya K}",
year = "2003",
language = "English (US)",
pages = "290--299",
editor = "V. Atluri and P. Liu",
booktitle = "Proceedings of the ACM Conference on Computer and Communications Security",

}

TY - GEN

T1 - Obfuscation of executable code to improve resistance to static disassembly

AU - Linn, Cullen

AU - Debray, Saumya K

PY - 2003

Y1 - 2003

KW - Code obfuscation

KW - Disassembly

UR - http://www.scopus.com/inward/record.url?scp=14344262813&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=14344262813&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:14344262813

SP - 290

EP - 299

BT - Proceedings of the ACM Conference on Computer and Communications Security

A2 - Atluri, V.

A2 - Liu, P.

ER -