Search - みる会図書館

Search target: Surreptitious software obfuscation watermarking and tamperproofing for software protection

360 hits found in Surreptitious software obfuscation watermarking and tamperproofing for software protection.

Surreptitious software obfuscation watermarking and tamperproofing for software protection




486 Software Watermarking

Algorithm 8.3 Convert between an integer V and a permutation of <0, 1, ..., len-1>. len should be at least n, where V <= n!. Adapted from reference [?02].

    int2perm(V, len):
        perm = <0, 1, 2, ..., len-1>        // start from the identity permutation
        for (r = 2; r <= len; r++)
            swap perm[r-1] perm[V % r]      // the low "digit" of V picks the swap partner
            V = V / r                       // integer division
        return perm

    perm2int(perm, len):
        V = 0
        for (r = len; r >= 2; r--)
            for (s = 0; s < r; s++)         // find the position that holds r-1
                if (perm[s] == r-1)
                    break
            swap perm[r-1] perm[s]          // undo the swap made by int2perm
            V = s + r*V
        return V

words, each user gets his own unique version of the program, and as a result, you can trace an illegal copy back to whoever bought it first. The problem with this scenario is that you leave yourself open to collusive attacks: The attacker can buy several differently marked programs and find the location of the marks through the programs' differences. We model this as は ( P 。 ) and 4 ( (w) , where Pw is the set of programs that the attacker has access to.

8.4 Watermarking by Permutation

In his book Disappearing Cryptography [?67], Peter Wayner shows how you can embed a secret message in any ordered list, such as a shopping list, a top-10 list, and so on.4 In this section, we're going to show you that the same idea can be used to embed a watermark in any list of programming language constructs that can be reordered, renumbered, renamed. The fundamental insight is that you can easily convert between an integer and a permutation. Algorithm 8.3 gives the details. To embed the watermark 6, you compute int2perm(6) = <2, 3, 1, 0>, find some part of your program that has four "items" that can be reordered without changing the meaning of the program, perform the reordering, and you're done. There are plenty of such in most programs.

4. On Peter Wayner's site, http://www.wayner.org/books/discrypt2/sorted.php, you can experiment with embedding a message in an arbitrary list in this way.


Surreptitious software obfuscation watermarking and tamperproofing for software protection


11.3 Encrypted Execution 691

This modular exponentiation routine is commonly used in RSA and Diffie-Hellman public key algorithms, where x is the private key, w bits long. In the XOM architecture, code and data don't move, i.e., while every block of code is encrypted, it resides in the same location in memory throughout execution. So if your encrypted blocks are laid out like this in memory

    000      100      200      300      400      500      600
    Ek(B0)   Ek(B1)   Ek(B2)   Ek(B3)   Ek(B4)   Ek(B5)   Ek(B6)

an adversary who is able to monitor the address bus while a secret message is being decrypted might see something like this:

    (000, 0 0 0 C O O C O っ ) っ ) -4 っ ) - フ 」 フ 」 フ 」 フ 」 O C O O O C O O 1 1 -1 1 100, 600 〉

From this address trace, he can draw several conclusions. First, there is an obvious loop involving B1 and B5. Second, from B2, control either goes to B3 or B4, and from B3 and B4 we always proceed to B5. This is the telltale signature of an if-then-else statement. Given this information, the adversary can now completely reconstruct the control flow graph. He still has no clue what should go inside each block, of course, since each individual block is encrypted. However, if he's able to figure out that this is, in fact, the modular exponentiation routine of a public key cryptosystem, he can deduce the key simply by examining the trace! A branch B2 → B3 indicates a 0 and a branch B2 → B4 indicates a 1 (or possibly the opposite). Finding out that this routine is the modular exponentiation routine might not be that hard—the structure of the control flow graph makes for a pretty accurate fingerprint.

This is a form of a side-channel attack. Some variants use execution time [20?] to distinguish between B3 and B4, while others use energy consumption. In both cases, the measurements can be rather noisy, but this can be offset by running multiple experiments. You'll see more of this in Section 11.4.4 (p. 705).

Watching addresses go by on the address bus can also give the adversary noisy data. For example, if a routine is small enough to at least partially fit in on-chip

Surreptitious software obfuscation watermarking and tamperproofing for software protection


74 Methods of Attack and Defense

You already know that the executable is stripped and dynamically linked. This means that it should be possible to find many library functions by name. Most likely, the program implements the use-by check by calling the time() function in the standard library and then comparing the result to a predefined value. So your goal has to be to find the assembly code equivalent of if (time(0) > some value)...

The idea we're going to use is to set a breakpoint on time(), run the program until the breakpoint is hit, go up one level in the call stack (to see who called time()), and look at the code in the vicinity of the call to time() for a suspicious check. Once we find it, we can replace the branch with if (time(0) <= some value)...

As luck would have it, this strategy works out nicely. You find that the instruction at location 0x4008bc (in light gray) is the offending conditional branch:

    > gdb -write -silent
    (gdb) break time
    Breakpoint 1 at 0x400680
    (gdb) run
    Please enter activation code: 42
    Breakpoint 1, 0x400680 in time()
    (gdb) where 2
    #0 0x400680 in time
    #1 0x4008b6 in ??
    (gdb) up
    #1 0x4008b6 in ??
    (gdb) disassemble $pc-5 $pc+7
    0x4008b1 callq 0x400680
    0x4008b6 cmp   $0x48c72810,%rax
    0x4008bc jle   0x4008c8

Now all that's left to do is to patch the executable by replacing the jle with a jg (x86 opcode 0x7f). You can use gdb's set command to patch the instruction:

    (gdb) set {unsigned char}0x4008bc = 0x7f
    (gdb) disassemble 0x4008bc 0x4008be
    0x4008bc jg    0x4008c8

In this case, you were lucky in that the executable still had dynamic symbols left. If the program had been statically linked and stripped, it would not have been so easy to break on the time() function. It's still not impossible, of course!

Alternative strategies include finding the time() function by pattern matching on some unique signature of its code, or breaking on the gettimeofday() system call

Surreptitious software obfuscation watermarking and tamperproofing for software protection


68 Dynamic Obfuscation

The top cell, the light gray C0, is in cleartext—this is where execution will start. Cells 1, 4, and 5 are also in the clear, but some of them are not in the same location as in the unobfuscated code. C2 and C3, however, are not in cleartext; they are the xored version of two cells. This is why they are striped in the example above, to indicate they are a mixture of the two cells of the corresponding shading. Keep in mind that because of the nature of the xor operation, if you xor a "striped dark gray/medium gray" cell with a cleartext dark gray cell, you get the cleartext dark gray cell! Or, in general:

[Figure: cells shown as xored pairs A ⊕ B, C ⊕ D and E ⊕ F]

Have a look at this example execution of the function above:

[Figure: sequence of cell configurations, starting from M0]

When the function is called, execution starts at the cleartext cell 0, C0. When C0 has finished executing, ev 戮 化 〃 4 々 戸 e 尸 0 バ XO 尾 ノ ル it る ve 化 〃 in あ ル 尸 0 戮 , leading to configuration M1. In this case, C0 is xored into C3, C1 is xored into C4, and C2 is xored into C5, but a different schedule is, of course, possible. Execution next jumps to C3, and after it has finished executing the cells in lower memory are xored into the corresponding cells in upper memory: C3 into C0, C4 into C1, C5 into C2. Cell C1 is now in the clear and execution continues there. Notice that after six rounds you're back to where you started, i.e. configuration M6

Surreptitious software obfuscation watermarking and tamperproofing for software protection


72 Methods of Attack and Defense

or less general. It may only work to crack a particular program, or it may crack any program protected with a particular technique. It's interesting to note that there's a definite difference in social standing between the "real" cracker who did the initial analysis and wrote the attack script and the so-called "script-kiddies" who merely use it. The kiddies have no programming skills and just download the script and use it to crack their favorite game.

2.1.5 What Tools Does the Adversary Use?

From what we know of attackers these days, they use fairly unsophisticated general tools (chiefly debuggers), along with specialized tools they build for attacking a particular class of protection mechanisms, augmented by a near-infinite supply of personal time, energy, and motivation for reaching their goals.

In the research community there exist many powerful tools (such as the slicing and tracing tools we'll talk about in Chapter 3 (Program Analysis)) that would be very useful to an attacker. We believe they are not currently in use, however, because, being research prototypes, they are not stable enough, fast enough, or precise enough; they don't run on the right operating system; or they are simply unknown in the cracker community. We are still going to assume, however, that our adversaries have access to such tools, because if they don't today, they might tomorrow.

2.1.6 What Techniques Does the Adversary Use?

Let's for a moment invert the color of our hats, from white to black, and play like we're crackers! The goal of this section isn't to turn you into a full-fledged attacker but for you to get a feel for the types of techniques that are typically used.

Our example cracking target will be the DRM player in Listing 2.1 (p. 62). In most of the attacks, we'll assume that we've been given an executable that's been compiled for the x86 running Linux and then dynamically linked and stripped of local symbols.

Our chief cracking tool will be the gdb debugger. The details of an attack will vary depending on the operating system, the tools the attacker has available, and the nature of the protection techniques he's wanting to subvert. The basic techniques will be the same, however. Other books [?6, 118] deal more directly with the tools and techniques that are specific to particular operating systems, such as Windows.

2.1.6.1 Learning About the Executable

Before you can start cracking, you need to learn a few basic things about the executable itself. Is it statically linked, are there any symbols present, what's the starting address for the various sections, and so on.

Surreptitious software obfuscation watermarking and tamperproofing for software protection


246 Code Obfuscation

Problem 4.10 It seems like it will be difficult to build stealthy branch functions; their dynamic behavior is just too distinct from ordinary functions. Instead, to enhance stealth, would it be possible to make every ordinary function behave like a branch function? Failing that, could you introduce enough complicated side effects in the branch function to prevent automatic removal? How about having multiple branch functions, the correct behavior of each one depending on the correct behavior of the others?

In Section 9.4 (p. 592) in Chapter 9 (Dynamic Watermarking), you will see a dynamic watermarking algorithm WMCCDKHLSbf, where the watermark is embedded by adding bogus entries into the branch function. Algorithm WMCCDKHLSbf attempts to overcome the REMASB attack by making the program's control flow depend on the branch function being left in place. Specifically, the branch function is extended to compute an address that is later used as the target of a jump. This means that any attack that blindly removes the branch function will cause the program to break.

Problem 4.11 Can you think of an antidote against REMASB-style dynamic attacks that makes use of the fact that the attack is nonconservative? Specifically, can you protect your program in such a way that there are regions that are very rarely executed (and hence unlikely to show up on a dynamic trace by an adversary who has an incomplete input data set) but that are highly likely to show up eventually? If so, can you insert tamperproofing code (such as the code we'll show you in Chapter 7, Software Tamperproofing) into these regions that will trigger if the branch function is tampered with?

4.4 Opaque Predicates

When we first started looking for opaque predicates, we went to the library, found a few books on number theory, and looked in the problems sections for statements such as "Show that $\forall x, y \in \mathbb{Z} : p(x, y)$," where $p$ is a predicate over the integers.

Assuming that the author wasn't playing a trick on his readers, trying to make them prove a false statement, we'd found another opaque predicate! And we'd found a predicate, one would hope, that would be moderately hard to break, at least for number-theory graduate students. During this search we found some cute inequalities (such as Vx, ッ e 7L : x2 ー 4 舅 / 1 ) and many statements on divisibility ($\forall x \in \mathbb{Z} : 2 \mid x^2 + x$). There are, however, serious problems with these number-theoretic predicates. First, you have to assume that if your obfuscator keeps a table of such predicates,
