Comparing the effectiveness of commercial obfuscators against MATE attacks

Ramya Manikyam, J. Todd McDonald, William R. Mahoney, Todd R. Andel, Samuel H. Russ

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The ability to protect software from malicious reverse engineering remains a challenge faced by commercial software companies who invest a large amount of resources in the development of their software product. In order to protect their investment from potential attacks such as illegal copying, tampering, and malicious reverse engineering, most companies utilize some type of protection software, also known as obfuscators, to create variants of their products that are more resilient to adversarial analysis. In this paper, we report on the effectiveness of different commercial obfuscators against traditional man-at-the-end (MATE) attacks where an adversary can utilize tools such as debuggers, disassemblers, and de-compilers as a legitimate end-user of a binary executable. Our case study includes four benchmark programs that have associated adversarial goals categorized as either comprehension or change tasks. We use traditional static and dynamic analysis techniques to identify the adversarial workload and outcomes before and after each program is transformed by a set of three commercial obfuscators. Our results confirm what is typically assumed: an adversary with a reasonable background in the computing disciplines can both comprehend and make changes to any of our completely unprotected programs using standard tools. Additionally, given the same skill set and attack approach, protected programs can still be probed to leak certain information, but none could be successfully altered and saved to create a cracked version. As a contribution, our methodology is unique compared to prior studies on obfuscation effectiveness in that we categorize adversarial skill and delineate program goals into comprehension and change ability, while considering the load time and overhead of obfuscated variants.

Original language: English (US)
Title of host publication: Proceedings of the 6th Software Security, Protection, and Reverse Engineering Workshop 2016, SSPREW 2016
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450348416
DOI: https://doi.org/10.1145/3015135.3015143
State: Published - Dec 5 2016
Event: 6th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2016 - Los Angeles, United States
Duration: Dec 5 2016 → Dec 6 2016

Publication series

Name: ACM International Conference Proceeding Series
Volume: 05-06-December-2016

Other

Other: 6th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2016
Country: United States
City: Los Angeles
Period: 12/5/16 → 12/6/16

Fingerprint

Reverse engineering
Copying
Static analysis
Dynamic analysis
Industry

Keywords

  • Anti-tamper
  • Commercial obfuscators
  • Cracked programs
  • Dynamic analysis
  • Malicious reverse engineering
  • Man-at-the-end (MATE) attacks
  • Obfuscation
  • Software protection
  • Static analysis

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Manikyam, R., McDonald, J. T., Mahoney, W. R., Andel, T. R., & Russ, S. H. (2016). Comparing the effectiveness of commercial obfuscators against MATE attacks. In Proceedings of the 6th Software Security, Protection, and Reverse Engineering Workshop 2016, SSPREW 2016 [a8] (ACM International Conference Proceeding Series; Vol. 05-06-December-2016). Association for Computing Machinery. https://doi.org/10.1145/3015135.3015143

@inproceedings{aa1dcc33ec1746bb965b3ef42283d6a5,
title = "Comparing the effectiveness of commercial obfuscators against MATE attacks",
keywords = "Anti-tamper, Commercial obfuscators, Cracked programs, Dynamic analysis, Malicious reverse engineering, Man-at-the-end (MATE) attacks, Obfuscation, Software protection, Static analysis",
author = "Ramya Manikyam and McDonald, {J. Todd} and Mahoney, {William R.} and Andel, {Todd R.} and Russ, {Samuel H.}",
year = "2016",
month = "12",
day = "5",
doi = "10.1145/3015135.3015143",
language = "English (US)",
series = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery",
booktitle = "Proceedings of the 6th Software Security, Protection, and Reverse Engineering Workshop 2016, SSPREW 2016",

}

TY - GEN

T1 - Comparing the effectiveness of commercial obfuscators against MATE attacks

AU - Manikyam, Ramya

AU - McDonald, J. Todd

AU - Mahoney, William R.

AU - Andel, Todd R.

AU - Russ, Samuel H.

PY - 2016/12/5

Y1 - 2016/12/5

KW - Anti-tamper

KW - Commercial obfuscators

KW - Cracked programs

KW - Dynamic analysis

KW - Malicious reverse engineering

KW - Man-at-the-end (MATE) attacks

KW - Obfuscation

KW - Software protection

KW - Static analysis

UR - http://www.scopus.com/inward/record.url?scp=85008238133&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85008238133&partnerID=8YFLogxK

U2 - 10.1145/3015135.3015143

DO - 10.1145/3015135.3015143

M3 - Conference contribution

AN - SCOPUS:85008238133

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 6th Software Security, Protection, and Reverse Engineering Workshop 2016, SSPREW 2016

PB - Association for Computing Machinery

ER -