The nature of software renders it susceptible to analysis and copying by third parties. There have been considerable efforts to enhance software security; see for instance U.S. Pat. No. 6,668,325 assigned to Intertrust Technologies Inc. There have been several efforts to provide technical protection for software. A well-known protection approach is called obfuscation, which typically relies on a rearrangement of the source code. Computer code (software or programs) comes in two chief types. The first is source code, which is as written by a human being (programmer) in a particular computer language; it is often the source code itself that is obfuscated. The other chief type is called object code, compiled code, binary code or machine code. This is the source code after having been processed by a special type of computer program called a compiler; a compiler is routinely provided for each computer language. The compiler takes as input the alphanumeric character strings of the source code as written by the programmer and processes them into a sequence of binary ones and zeros (machine instructions), which can then be executed by a computer processor.
It is also known to obfuscate the compiled (binary) code. The term “code morphing” is also applied to obfuscating compiled code. This is typically achieved by completely replacing a section of the compiled code with an entirely new block of compiled code that expects the same machine (computer or processor) state when it begins execution as the previous code section did, and that leaves the machine in the same state after execution as the original code does (the replacement thereby being semantically equivalent code). However, the morphed code will typically complete a number of additional operations compared to those of the original code, as well as some operations with an equivalent effect to the original ones. Code morphing makes disassembly or decompiling of such a program much more difficult. Decompiling is the act of taking the machine code and transforming it back into source code (disassembly, into assembly language), and is done by reverse engineers or “hackers” who wish to penetrate the compiled code, using a special decompiler or disassembler program. A drawback of code morphing is that, by unnecessarily complicating operations and hindering compiler-made optimizations, it increases the execution time of the obfuscated code. Thus code morphing is typically limited to critical portions of a program and so is often not used on the entire computer program application. Code morphing is also well known for obfuscating copy protection or other checks that a program makes, for security purposes, to determine whether it is a valid, authentic installation or a pirated copy.
Therefore, typically the goal of obfuscation is to start with the original code and arrive at a second form of the code which is semantically or logically equivalent from an input/output point of view. As pointed out above, this means that for any input to the code in the field of possible inputs, the output value is the same for both the original code and the obfuscated code. Thus a requirement of successful obfuscation is to produce protected code that is semantically equivalent to the original (unprotected) code.
As is well known, computer programs called obfuscators or tools may perform the obfuscating; they transform a particular software application (program) in source or compiled code form into one that is functionally identical to the original but much more difficult for a hacker to penetrate, that is, to decompile. Note that the level of security from obfuscation depends on the sophistication of the transformations employed by the obfuscator, the power of the deobfuscation algorithms available to the hacker, and the amount of resources available to the hacker. The goal in obfuscating is to provide many orders of magnitude of difference between the cost (difficulty) of obfuscating and that of deobfuscating.
Hence it is conventional that the obfuscation process is performed at one location or in one computer (machine) after the source code has been written. The obfuscated code is compiled and then transferred to a second computer/processor where it is to be executed after installation in associated memory at the second computer. (Note that the normal execution does not include any disassembling since there is no need on a machine-level basis to reassemble the code. Disassembly is strictly done for reverse engineering purposes.) At the second (recipient) computer, the obfuscated code is installed and then can be routinely executed by the processor at the second computer. The obfuscated code is executed as is. The obfuscated code is often slower to execute than the original code.
Implementations of security-related computer code running on “open platform” systems are often subject to attack in order to recover cryptographic materials (keys, etc.), cryptographic algorithms, etc. Such attacks are mostly designated here by the term “reverse engineering”, which is the process of recovering code internals from a software binary (compiled code). Open platform means that the internal operations of the computing system are observable by an attacker. This also means that under some circumstances the attacker can break into the computer program, modify values, modify instructions, or inject their own code.
Several solutions are known to protect computer software code against reverse engineering. They are implemented to make the attacker's work in understanding the process more complex, or to hide cryptographic data or operations.
In obfuscation, the code is typically re-written by a software “tool” in a very complex way. An attacker must then do substantial additional work to recover something (humanly) understandable from the compiled code. This obfuscation includes, for instance, re-writing loops, splitting basic blocks of instructions (adding jumps in the code, using (opaque) predicates), flattening the control flow (so that blocks of code are not executed as a linear sequence), etc.
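The following is an added example, not code from the patent or from any obfuscation tool, illustrating both the semantic-equivalence requirement of code morphing described above and the block-splitting, opaque-predicate and control-flow-flattening transformations just listed. It is written in C because the transformations are meant to survive compilation to machine code. All function names (checksum_original, check_original, check_morphed, opaque_true, equivalent_on_samples) and the sample buffers are constructed for this illustration; the "licence check" is a toy rolling checksum, not a real protection scheme.

```c
#include <stdint.h>
#include <stdio.h>

/* Original, unprotected routine (constructed for this example): a small
 * rolling checksum over a buffer, used by a licence-style check below. */
uint32_t checksum_original(const uint8_t *buf, size_t len)
{
    uint32_t acc = 0x1234;
    for (size_t i = 0; i < len; i++) {
        acc = (acc * 31) + buf[i];
        acc ^= (acc >> 7);
    }
    return acc;
}

/* The unprotected check: returns 1 when the buffer matches `expected`. */
int check_original(const uint8_t *buf, size_t len, uint32_t expected)
{
    return checksum_original(buf, len) == expected;
}

/* Opaque predicate: for every 32-bit x, x*(x+1) is even (this survives
 * the modulo-2^32 wrap), so the result is always 1. A reader of the
 * binary, however, sees a data-dependent branch. */
static int opaque_true(uint32_t x)
{
    return ((x * (x + 1u)) & 1u) == 0u;
}

/* Morphed check: same inputs, same result as check_original, but the loop
 * has been split into basic blocks driven by a dispatcher (control-flow
 * flattening), one edge is guarded by the opaque predicate so that a dead
 * block (state 5) appears reachable, and "equivalent effect" operations
 * (xor twice with the same mask, updates to a junk variable) are added. */
int check_morphed(const uint8_t *buf, size_t len, uint32_t expected)
{
    uint32_t acc = 0x1234;
    uint32_t junk = 0xdeadbeef;   /* never influences the result */
    size_t i = 0;
    int state = 0;
    int result = -1;

    while (result < 0) {
        switch (state) {
        case 0:                       /* loop test */
            state = (i < len) ? 1 : 4;
            break;
        case 1:                       /* first half of the loop body */
            acc = acc * 31;
            junk += acc;
            state = opaque_true(acc) ? 2 : 5;   /* always goes to 2 */
            break;
        case 2:                       /* second half of the loop body */
            acc += buf[i];
            acc ^= 0x5a5a5a5a;        /* applied twice: identity */
            acc ^= 0x5a5a5a5a;
            acc ^= (acc >> 7);
            state = 3;
            break;
        case 3:                       /* loop increment */
            i++;
            state = 0;
            break;
        case 4:                       /* loop exit: the comparison */
            result = (acc == expected) ? 1 : 0;
            break;
        case 5:                       /* dead block, never executed */
            acc = ~acc ^ junk;
            state = 4;
            break;
        }
    }
    return result;
}

/* Input/output equivalence check over constructed samples, including the
 * empty buffer (loop body never runs). Returns 1 if the morphed code
 * agrees with the original on every sample, for both accepting and
 * rejecting values of `expected`. */
int equivalent_on_samples(void)
{
    static const uint8_t s1[] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t s2[] = {0xff, 0x00, 0x7f, 0x80};
    static const uint8_t s3[] = {'s', 'e', 'r', 'i', 'a', 'l'};
    const uint8_t *bufs[] = {s1, s2, s3, s1};
    size_t lens[] = {sizeof s1, sizeof s2, sizeof s3, 0};

    for (size_t k = 0; k < 4; k++) {
        uint32_t good = checksum_original(bufs[k], lens[k]);
        uint32_t bad = good + 1;
        if (check_morphed(bufs[k], lens[k], good) != 1) return 0;
        if (check_morphed(bufs[k], lens[k], bad) != 0) return 0;
        if (check_original(bufs[k], lens[k], good) !=
            check_morphed(bufs[k], lens[k], good)) return 0;
        if (check_original(bufs[k], lens[k], bad) !=
            check_morphed(bufs[k], lens[k], bad)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("morphed code equivalent on samples: %s\n",
           equivalent_on_samples() ? "yes" : "no");
    return 0;
}
```

Compiling both functions with optimization enabled and comparing the disassembly shows the cost the passage mentions: the original loop becomes a few instructions, while the flattened version keeps its dispatcher, the extra state variable and the predicate call, so it runs slower and is why such transforms are usually confined to the critical check rather than the whole program.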
However, in some circumstances attackers try to determine the purpose of one buffer (or a set of buffers) in memory within the whole process. This is called memory tracing and uses other easily available software, called a memory tracing tool or a debugger. Memory tracing applied only to small, identified parts of the program is often the simplest approach for an attacker.