Abstract
Software birthmarks utilize certain specific program characteristics to validate the origin of software, so it can be applied to detect software piracy. One state-of-the-art technology on software birthmark adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics equivalent system calls to unlock the high frequency dependencies between the system calls in the victim’s original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.
Similar content being viewed by others
References
Aucsmith, D.: Tamper resistant software: an implementation. In: Anderson, R.J. (ed.) Proceedings of the First International Workshop on Information Hiding, pp. 317–333. Springer (1996)
Bayer, U., Milani, P., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: The 16th Annual Network and Distributed System Security Symposium (2009)
Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and ACM SIGSOFT Symposium on The Foundations of Software Engineering (2007)
Collberg C., Thomborson C.: A Taxonomy of Obfuscating Transformations. Technical Report 148. The University of Auckland, New Zealand (1997)
Collberg, C., Thomborson, C.: On the Limits of Software Watermarking. The University of Auckland. Accessed 10 June 2012. https://researchspace.auckland.ac.nz/handle/2292/3498(1998)
Collberg C., Thomborson C.: Watermarking, tamper-proffing, and obfuscation: tools for software protection. IEEE Trans. Softw. Eng. 28(8), 735–746 (2002)
Collberg, C., Thomborson, C.: Software watermarking: models and dynamic embeddings. In: Proceedings of the 26th ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (2009)
Collberg, C., Carter, E., Debray, .S, Huntwork, A., Kececioglu, J., Linn, C., Stepp, M.: Dynamic path-based software watermarking. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (2004)
Collberg C., Myles G., Huntwork A.: Sandmark—A tool for software protection research. IEEE Secur. Priv. 1(4), 40–49 (2003)
Cordella, L., Foggia, P., Sansone, C., Vento, M.: Performance evaluation of the VF graph matching algorithm. In: Proceedings of the Proc. 10th International Conference on Image Analysis and Processing (1998)
Cordella, L.P., Foggia, P., Sansone, C., Vento, M.: A (sub)graph isomorphism algorithm for matching large graphs. In: IEEE Trans. Pattern Anal. Mach. Intell., vol. 26, p. 10 (2004)
David, W., Paolo, S.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (2002)
ERESI Team.: The ERESI Reverse Engineering Software Interface. Accessed 10 June 2012. http://www.eresi-project.org/ (2011)
Foggia, P., Sansone, C., Vento, M.: A performance comparison of five algorithms for graph isomorphism. In: Proceedings of the 3rd IAPR TC-15 Workshop on Graph-based Representations in Pattern Recognition, pp. 188–199 (2001)
Forrest, S., Hofmeyr, S., Somayaji, A.: The evolution of system-call monitoring. In: Proceedings of the Annual Computer Security Applications Conference (2008)
Garey M.R.: Practical Graph Isomorphism. Congressus Numerantium, Canberra (1981)
Hagberg, A., Schult, D., Swart, P.: Networkx, the Python Package for the Creation, Manipulation, and the Study of Complex Networks. Accessed 10 June 2012. http://networkx.lanl.gov/ (2005)
International Planning and Research Corporation.: Seventh Annual BSA and IDC Global Software Piracy Study. Accessed 10 June 2012. http://portal.bsa.org/globalpiracy2009/studies/09_Piracy_Study_Report_A4_final_111010.pdf (2009)
Myles, G., Collberg, C.: Detecting software theft via whole program path birthmarks. In: Information Security, Lecture Notes in Computer Science, pp. 404–415. Springer, Heidelberg (2004)
Myles, G., Collberg, C.: K-gram based software birthmarks. In: Proceedings of the ACM Symposium on Applied Computing (2005)
Parrack, D.: Microsoft Accuses Mexican Drug Cartel La Familia of Selling Bootleg Office software. Accessed 10 June 2012 (2011). http://vista.blorge.com/2011/02/05/microsoft-accuses-mexican-drug-cartel-la-familia-of-selling-bootleg-office-software/
Schuler, D., Dallmeier, V., Lindig, C.: A dynamic birthmark for java. In: Proceedings of the Twenty-Second IEEE/ACM International Conference on Automated Software Engineering (2007)
Stevens W.R., Rago S.A.: Advanced Programming in the Unix Environment. 2nd edn. Addison-Wesley Professional, Reading (1992)
Tamada, H., Nakamura, M., Monden, A.: Design and evaluation of birthmarks for detecting theft of Java programs. In: Proceedings of the International Conference on Software Engineering (2004)
Tamada, H., Okamoto, K., Nakamura, M., Monden, A., Matsumoto, K.: Dynamic software birthmarks to detect the theft of Windows applications. In: Proceedings of International Symposium on Future Software Technology (2004)
Tamada, H., Nakamura, M., Monden, A., Matsumoto, K.: Design and evaluation of birthmarks for detecting theft of java programs. In: Proceedings of the International Conference on Software Engineering (2004)
Tamada, H., Okamoto, K., Nakamura, M., Monden, A., Matsumoto, K.: Design and Evaluation of Dynamic Software Birthmarks Based on Api Calls. Technical report. Nara Institute of Science and Technology (2007)
Ullmann J.R.: An algorithm for subgraph isomorphism. J. Assoc. Comput. Mach. 23(1), 31–42 (1976)
Wang, X, Jhi, Y.C., Zhu, S., Liu, P.: Behavior based software theft detection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)
Wang, X., Jhi, Y.C., Zhu, S., Liu, P.: Detecting software theft via system call based birthmarks. In: Proceedings of Annual Computer Security Applications Conference (2009)
Wang, X., Jhi, Y.C., Zhu, S., Liu, P.: Detecting Software theft via system call based birthmarks. In: Proceedings of the 25th Annual Computer Security Applications Conference (2009)
Xin, Z., Chen, H., Wang, X., Liu, P., Zhu, S., Mao, B., Xie, L.: Replacement attacks on behavior based software birthmark. In: Lai, X., Zhou, J., Li, H. (eds.) Proceedings of the 14th International Conference on Information security, pp. 1–16. Springer, Heidelberg
Zelix Pty Ltd.: The Zelix KlassMaster Java obfuscator. Accessed 10 June 2012. http://www.zelix.com/klassmaster/
Zhu, W., Thomborson, C., Wang, F.: A survey of software watermarking. In: Kantor, P., Muresan, G., Roberts, F., Zeng, D., Wang, F. (eds.) Proceedings of the 2005 IEEE International Conference on Intelligence and Security Informatics, pp. 454–458. Springer, Heidelberg
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Xin, Z., Chen, H., Wang, X. et al. Replacement attacks: automatically evading behavior-based software birthmark. Int. J. Inf. Secur. 11, 293–304 (2012). https://doi.org/10.1007/s10207-012-0170-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-012-0170-9