Annual Computer Security Applications Conference (ACSAC) 2021


Dynamic Taint Analysis versus Obfuscated Self-Checking

Software protection in practice addresses a yearly loss of tens of billions of USD for software manufacturers, caused by malicious end users tampering with software ("software cracking"). Software protection is prevalent in the gaming and license-checking industries, and it is also relevant in the embedded and other industries. State-of-the-art research on software tamper protection against man-at-the-end (MATE) attackers focuses on the localization of integrity checks. The goal of this paper is a general assessment of the resilience of software self-checking, itself protected by obfuscation, against (1) (automated) detection and (2) (automated) bypass, without deobfuscating the code. Using dynamic taint analysis on a benchmark set of programs, we study how easy it is to detect and bypass combinations of self-checking and various obfuscation transformations. We aim to generalize these findings across different programs rather than focusing on one particular program instance. To this end, we perform a set of controlled experiments on a data set of real-world programs, the MiBench suite and open-source games, and show that all of them can be broken by dynamic-taint-analysis attacks. To counter such attacks, we propose and implement improvements to an existing obfuscation implementation. We evaluate the implemented improvements and discuss the security-performance trade-offs.
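The attack sketched in the abstract rests on one observation: a self-check has to read the program's own code image to hash it, so reads from the code region are a natural taint source, and the conditional branch that consumes the resulting digest is the taint sink that localizes the check. The following is an added illustration, not code from the paper or its evaluation tooling: a toy register VM (its instruction set, the hash, the sample program and the "crack" are all constructed here) whose program self-checksums two protected instructions. Running the program under taint tracking reports the program counter of the check, and patching that one branch makes a tampered copy run to completion.

```python
"""Added example (not the paper's code): self-checksumming vs. dynamic taint analysis on a toy VM."""
from dataclasses import dataclass

# Constructed instruction set. Operands are ints unless noted.
#   ("mov", r, imm)        r = imm                     (clears taint on r)
#   ("ldc", r, addr)       r = byte of own code at addr (taint source)
#   ("xor", r, s)          r ^= s                      (taint propagates)
#   ("mul", r, imm)        r = (r * imm) & 0xFF        (taint preserved)
#   ("jne", r, s, target)  jump to target if r != s     (taint sink if r or s tainted)
#   ("nop",)               do nothing
#   ("halt", status)       stop with the given status string

PAYLOAD_ADDRS = (9, 10)  # code addresses the self-check protects in build_program()


def code_byte(instr):
    """Fold one instruction into a single byte so the program has a code image to hash."""
    b = 0
    for operand in instr:
        for ch in str(operand):
            b = (b * 31 + ord(ch)) & 0xFF
    return b


def checksum(program, addrs):
    """Reference digest the protector embeds; it mirrors the arithmetic the checker does at run time."""
    h = 0
    for a in addrs:
        h = ((h ^ code_byte(program[a])) * 31) & 0xFF
    return h


def build_program():
    """Constructed sample: a licence-style payload guarded by an unrolled self-checksum."""
    prog = [
        ("mov", 0, 0),
        ("ldc", 1, 9), ("xor", 0, 1), ("mul", 0, 31),
        ("ldc", 1, 10), ("xor", 0, 1), ("mul", 0, 31),
        ("mov", 2, 0),          # placeholder, replaced by the reference digest below
        ("jne", 0, 2, 11),      # the integrity check: digest mismatch -> tamper handler
        ("mov", 3, 42),         # protected payload: "licence accepted"
        ("halt", "ok"),
        ("halt", "tampered"),
    ]
    prog[7] = ("mov", 2, checksum(prog, PAYLOAD_ADDRS))
    return prog


@dataclass
class Trace:
    status: str
    regs: list
    check_sites: list   # pcs of conditional branches that consumed code-derived data


def run(program, max_steps=1000):
    """Execute with byte-granular taint: anything derived from a code read stays tainted."""
    regs, taint, sites, pc = [0] * 4, [False] * 4, [], 0
    for _ in range(max_steps):
        op, *args = program[pc]
        if op == "mov":
            r, imm = args
            regs[r], taint[r] = imm, False
        elif op == "ldc":                        # taint source: read of the program's own code
            r, addr = args
            regs[r], taint[r] = code_byte(program[addr]), True
        elif op == "xor":
            r, s = args
            regs[r] ^= regs[s]
            taint[r] = taint[r] or taint[s]
        elif op == "mul":
            r, imm = args
            regs[r] = (regs[r] * imm) & 0xFF     # taint of r unchanged
        elif op == "jne":
            r, s, target = args
            if taint[r] or taint[s]:             # taint sink: control flow decided by code bytes
                sites.append(pc)
            if regs[r] != regs[s]:
                pc = target
                continue
        elif op == "nop":
            pass
        elif op == "halt":
            return Trace(args[0], regs, sites)
        else:
            raise ValueError(f"unknown opcode {op}")
        pc += 1
    raise RuntimeError("step limit exceeded")


def locate_checks(program):
    """Detection: one taint-tracked run reports where integrity checks are decided."""
    return run(program).check_sites


def bypass(program):
    """Bypass: neutralize every located check branch so execution falls through to the payload."""
    patched = list(program)
    for pc in locate_checks(program):
        patched[pc] = ("nop",)
    return patched


def tamper(program):
    """Constructed 'crack': change the protected payload, which invalidates the embedded digest."""
    cracked = list(program)
    cracked[9] = ("mov", 3, 0)
    return cracked


if __name__ == "__main__":
    original = build_program()
    cracked = tamper(original)
    print("original:", run(original).status)              # ok
    print("cracked :", run(cracked).status)               # tampered
    print("checks at pc:", locate_checks(cracked))        # [8]
    print("bypassed:", run(bypass(cracked)).status)       # ok
```

Note what the analysis does not need: it never reads the checker's arithmetic or the expected digest, only the fact that a branch depends on data read from the code region. That is why obfuscating the hash computation alone does not hide the check, and why the paper's countermeasures target the data flow between code reads and the decision rather than the checker's instruction sequence.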

Sebastian Banescu
Technical University of Munich

Samuel Valenzuela
Technical University of Munich

Marius Guggenmos
Technical University of Munich

Mohsen Ahmadvand
Technical University of Munich

Alexander Pretschner
Technical University of Munich

Paper (ACM DL)

Slides

Video
