This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
In “Obfuscation of Executable Code to Improve Resistance to Static Disassembly”, 10th ACM Conference of Computer and Communications Security (CCS), pages 290-299, October 2003, Linn and Debray suggest confusing disassemblers using two main techniques. The first technique is the insertion of junk code bytes in places that are unreachable during normal run-time execution. The second technique uses a branch function to modify regular procedure calls. Somewhat simplified, the branch function determines the target in dependence on the value of a function, such as the hash value over the location of the call instruction. At run-time, this location may be easily determined from the top of the stack. In addition, the branch function also modifies the return address by an offset, which makes it possible to fill the intervening space with junk code.
In “Proceedings of the 13th USENIX Security Symposium”, San Diego, Calif., USA, Aug. 9-13, 2004, Kruegel et al. proposed a solution to overcome the obfuscation presented by Linn and Debray. The authors observed that Linn and Debray's branch function essentially is a procedure that takes the address after the call instruction, which is passed on top of the stack, as input parameter. Since the branch function is independent of dynamic input, it may be simulated, as its output depends on the single input parameter and some static lookup tables present in the binary's initialised data segment. The offset may thus be calculated, which enables the disassembler to skip the junk code and to continue from the next valid instruction.
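The simulation described above, as an added example (not code from this document or from the cited papers): a toy model in which the branch function's only input is the return address and its only data is a static table, so an analysis pass can evaluate it offline and resume past the junk bytes. The hash, byte values, addresses and table layout are constructed assumptions.

```python
# Toy model, constructed for illustration: a static branch function and an
# analysis pass that simulates it to find where disassembly should resume.
CALL_LEN = 5   # assumed size of a call instruction (x86 call rel32)
JUNK = 0xE8    # junk byte; a linear sweep would decode it as the start of a call
NOP = 0x90     # stands in for any valid instruction

def site_hash(ret_addr, table_len):
    """Hypothetical hash over the call location (not the papers' function)."""
    return (ret_addr * 31 + 7) % table_len

def branch_function(ret_addr, table):
    """Run-time behaviour: the return address on the stack is the only input;
    the table lives in the initialised data segment and never changes."""
    return ret_addr + table[site_hash(ret_addr, len(table))]

def build_image(call_sites, size, table_len):
    """Lay out a sample image. call_sites maps call address -> junk length."""
    image, table, used = bytearray([NOP] * size), [0] * table_len, set()
    for addr, junk_len in call_sites.items():
        ret = addr + CALL_LEN
        slot = site_hash(ret, table_len)
        if slot in used:
            raise ValueError("hash collision; pick other call sites")
        used.add(slot)
        table[slot] = junk_len
        image[addr:ret] = b"\xCC" * CALL_LEN          # placeholder for the call
        image[ret:ret + junk_len] = bytes([JUNK]) * junk_len
    return bytes(image), table

def analyse(image, table, call_addrs):
    """For each call site, report (address, does a naive sweep land on junk,
    resume address found by simulating the branch function statically)."""
    report = []
    for addr in call_addrs:
        ret = addr + CALL_LEN
        report.append((addr, image[ret] == JUNK, branch_function(ret, table)))
    return report

SITES = {0x10: 3, 0x32: 2, 0x55: 4}   # constructed sample call sites

if __name__ == "__main__":
    image, table = build_image(SITES, 0x70, 8)
    for addr, on_junk, resume in analyse(image, table, SITES):
        print(f"call@{addr:#x}: naive sweep on junk={on_junk}, "
              f"resume at {resume:#x} (byte {image[resume]:#x})")
```

Because `analyse` needs nothing beyond the image and its table, the same pass would have no value to feed `branch_function` if the target also depended on data that exists only at run time.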
The skilled person will appreciate that there is a need for an obfuscation method that is resistant against the disassembly technique provided by Kruegel et al.
In US 2006/0253687, Jakubowski and Jacob present a code obfuscation method that, among other things, uses branch functions to decide what instruction to jump to. A difference with regard to Linn and Debray is that Jakubowski and Jacob's method uses functions that take dynamic input, which makes it very difficult, if not impossible, to disassemble the code statically.
C. Collberg et al. presented a similar solution in Section 4 of “Dynamic Path-Based Software Watermarking”, ACM Sigplan Notices, ACM, Association for Computing Machinery, New York, N.Y., US, XP009084970. Their solution uses nested branch functions where the ‘innermost’ function is dynamic as it uses hashing of the return address to generate the new return address.
US 2008/0148061 presents, as prior art, another similar solution in which jumps are replaced by calls to an integrity function that accesses an entry in a table of data, and hashes the value of the entry to determine the return address.
The present invention provides an improvement upon the method of Linn and Debray that at the same time is an alternative to the other prior art methods. As code obfuscation becomes more effective if a plurality of methods may be used, advantageously combined, the skilled person will appreciate that there is a need for such an alternative solution.