Skip to main content
SpringerLink
Log in

Replacement attacks: automatically evading behavior-based software birthmark

  • Special Issue Paper
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Software birthmarks utilize certain specific program characteristics to validate the origin of software, so it can be applied to detect software piracy. One state-of-the-art technology on software birthmark adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics equivalent system calls to unlock the high frequency dependencies between the system calls in the victim’s original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Aucsmith, D.: Tamper resistant software: an implementation. In: Anderson, R.J. (ed.) Proceedings of the First International Workshop on Information Hiding, pp. 317–333. Springer (1996)

  2. Bayer, U., Milani, P., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: The 16th Annual Network and Distributed System Security Symposium (2009)

  3. Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and ACM SIGSOFT Symposium on The Foundations of Software Engineering (2007)

  4. Collberg C., Thomborson C.: A Taxonomy of Obfuscating Transformations. Technical Report 148. The University of Auckland, New Zealand (1997)

    Google Scholar 

  5. Collberg, C., Thomborson, C.: On the Limits of Software Watermarking. The University of Auckland. Accessed 10 June 2012. https://researchspace.auckland.ac.nz/handle/2292/3498(1998)

  6. Collberg C., Thomborson C.: Watermarking, tamper-proffing, and obfuscation: tools for software protection. IEEE Trans. Softw. Eng. 28(8), 735–746 (2002)

    Article  Google Scholar 

  7. Collberg, C., Thomborson, C.: Software watermarking: models and dynamic embeddings. In: Proceedings of the 26th ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (2009)

  8. Collberg, C., Carter, E., Debray, .S, Huntwork, A., Kececioglu, J., Linn, C., Stepp, M.: Dynamic path-based software watermarking. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (2004)

  9. Collberg C., Myles G., Huntwork A.: Sandmark—A tool for software protection research. IEEE Secur. Priv. 1(4), 40–49 (2003)

    Article  Google Scholar 

  10. Cordella, L., Foggia, P., Sansone, C., Vento, M.: Performance evaluation of the VF graph matching algorithm. In: Proceedings of the Proc. 10th International Conference on Image Analysis and Processing (1998)

  11. Cordella, L.P., Foggia, P., Sansone, C., Vento, M.: A (sub)graph isomorphism algorithm for matching large graphs. In: IEEE Trans. Pattern Anal. Mach. Intell., vol. 26, p. 10 (2004)

  12. David, W., Paolo, S.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (2002)

  13. ERESI Team.: The ERESI Reverse Engineering Software Interface. Accessed 10 June 2012. http://www.eresi-project.org/ (2011)

  14. Foggia, P., Sansone, C., Vento, M.: A performance comparison of five algorithms for graph isomorphism. In: Proceedings of the 3rd IAPR TC-15 Workshop on Graph-based Representations in Pattern Recognition, pp. 188–199 (2001)

  15. Forrest, S., Hofmeyr, S., Somayaji, A.: The evolution of system-call monitoring. In: Proceedings of the Annual Computer Security Applications Conference (2008)

  16. Garey M.R.: Practical Graph Isomorphism. Congressus Numerantium, Canberra (1981)

    Google Scholar 

  17. Hagberg, A., Schult, D., Swart, P.: Networkx, the Python Package for the Creation, Manipulation, and the Study of Complex Networks. Accessed 10 June 2012. http://networkx.lanl.gov/ (2005)

  18. International Planning and Research Corporation.: Seventh Annual BSA and IDC Global Software Piracy Study. Accessed 10 June 2012. http://portal.bsa.org/globalpiracy2009/studies/09_Piracy_Study_Report_A4_final_111010.pdf (2009)

  19. Myles, G., Collberg, C.: Detecting software theft via whole program path birthmarks. In: Information Security, Lecture Notes in Computer Science, pp. 404–415. Springer, Heidelberg (2004)

  20. Myles, G., Collberg, C.: K-gram based software birthmarks. In: Proceedings of the ACM Symposium on Applied Computing (2005)

  21. Parrack, D.: Microsoft Accuses Mexican Drug Cartel La Familia of Selling Bootleg Office software. Accessed 10 June 2012 (2011). http://vista.blorge.com/2011/02/05/microsoft-accuses-mexican-drug-cartel-la-familia-of-selling-bootleg-office-software/

  22. Schuler, D., Dallmeier, V., Lindig, C.: A dynamic birthmark for java. In: Proceedings of the Twenty-Second IEEE/ACM International Conference on Automated Software Engineering (2007)

  23. Stevens W.R., Rago S.A.: Advanced Programming in the Unix Environment. 2nd edn. Addison-Wesley Professional, Reading (1992)

    MATH  Google Scholar 

  24. Tamada, H., Nakamura, M., Monden, A.: Design and evaluation of birthmarks for detecting theft of Java programs. In: Proceedings of the International Conference on Software Engineering (2004)

  25. Tamada, H., Okamoto, K., Nakamura, M., Monden, A., Matsumoto, K.: Dynamic software birthmarks to detect the theft of Windows applications. In: Proceedings of International Symposium on Future Software Technology (2004)

  26. Tamada, H., Nakamura, M., Monden, A., Matsumoto, K.: Design and evaluation of birthmarks for detecting theft of java programs. In: Proceedings of the International Conference on Software Engineering (2004)

  27. Tamada, H., Okamoto, K., Nakamura, M., Monden, A., Matsumoto, K.: Design and Evaluation of Dynamic Software Birthmarks Based on Api Calls. Technical report. Nara Institute of Science and Technology (2007)

  28. Ullmann J.R.: An algorithm for subgraph isomorphism. J. Assoc. Comput. Mach. 23(1), 31–42 (1976)

    Article  MathSciNet  Google Scholar 

  29. Wang, X, Jhi, Y.C., Zhu, S., Liu, P.: Behavior based software theft detection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)

  30. Wang, X., Jhi, Y.C., Zhu, S., Liu, P.: Detecting software theft via system call based birthmarks. In: Proceedings of Annual Computer Security Applications Conference (2009)

  31. Wang, X., Jhi, Y.C., Zhu, S., Liu, P.: Detecting Software theft via system call based birthmarks. In: Proceedings of the 25th Annual Computer Security Applications Conference (2009)

  32. Xin, Z., Chen, H., Wang, X., Liu, P., Zhu, S., Mao, B., Xie, L.: Replacement attacks on behavior based software birthmark. In: Lai, X., Zhou, J., Li, H. (eds.) Proceedings of the 14th International Conference on Information security, pp. 1–16. Springer, Heidelberg

  33. Zelix Pty Ltd.: The Zelix KlassMaster Java obfuscator. Accessed 10 June 2012. http://www.zelix.com/klassmaster/

  34. Zhu, W., Thomborson, C., Wang, F.: A survey of software watermarking. In: Kantor, P., Muresan, G., Roberts, F., Zeng, D., Wang, F. (eds.) Proceedings of the 2005 IEEE International Conference on Intelligence and Security Informatics, pp. 454–458. Springer, Heidelberg

Download references

Author information

Authors and Affiliations

  1. State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, 210093, China

    Zhi Xin, Huiyu Chen, Xinche Wang, Bing Mao & Li Xie

  2. College of Information Science and Technology, The Pennsylvania State University, University Park, PA, USA

    Peng Liu & Sencun Zhu

Authors
  1. Zhi Xin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Huiyu Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xinche Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Peng Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Sencun Zhu
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Bing Mao
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Li Xie
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhi Xin.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Xin, Z., Chen, H., Wang, X. et al. Replacement attacks: automatically evading behavior-based software birthmark. Int. J. Inf. Secur. 11, 293–304 (2012). https://doi.org/10.1007/s10207-012-0170-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-012-0170-9

Keywords

Search

Navigation