The legal status of reverse engineering of computer software

Reverse engineering of computer software has assumed greater importance in recent years because of the need to examine legacy code to remove the year 2000 bug. There are different types of reverse engineering based on the level of abstraction of the code to be reengineered; machine code, assembly code, source code or even CASE code. We describe the different types of reverse engineering and the extent of copyright protection for software. The most common uses of reverse engineering are described. This provides for a comparative overview of the legal standing on reverse engineering at the international level. We propose challenges to the global electronic community in relation to existing and future legislation in the area of reverse engineering and protection of digital works. This revised version was published online in June 2006 with corrections to the Cover Date.     

代码混淆算法有效性评估

代码混淆是一种能够有效增加攻击者逆向分析和攻击代价的软件保护技术.然而,混淆算法的有效性评价和验证是代码混淆研究中亟待解决的重要问题.目前,对代码混淆有效性的研究大都是基于软件复杂性度量的,然而代码混淆作为一种保护软件安全的技术,更需要从逆向攻击的角度进行评估.将面向逆向工程的思想引入到代码混淆算法评估中,通过理论证明和具体实验验证了其可行性,该评估方法能够为混淆算法提供有效证明,并对判别和选择代码混淆算法具有指导意义,同时也有助于寻求更有效的代码混淆方法.     

用于软件保护的代码混淆技术

对软件的盗版、篡改和逆向工程使软件的安全受到了严重威胁。攻击者通过静态分析和动态跟踪来分析编程者的思想,获取机密数据和核心算法。因此,保护程序在未知环境下正常运行,防止逆向工程和静态分析的攻击,成为软件保护的一个重要问题。文章从软件保护的方法出发,介绍和分析代码混淆技术的方法和目标,并指出了代码混淆技术的优势和发展趋势。     

基于自封闭代码块的软件保护技术研究

针对传统的基于垃圾指令插入的花指令技术在软件保护应用中的不足,提出了一种基于自封闭代码块的软件反静态分析和动态调试的软件保护技术。重点介绍了自封闭代码块的相关概念,阐述了自封闭代码块的自动生成技术,包括基于指令编码表的随机指令序列生成技术和基于指令逆向思想的逆指令序列生成技术,并给出了相关算法和实例分析。     

多层次的软件演化追踪关系逆向恢复

软件资产追踪关系逆向恢复是软件维护和逆向工程领域的一个重要研究内容。然而,大多数现有的资产追踪研究都是针对同一软件版本内的追踪关系。与已有的研究工作不同,文中主要关注多个层次(变更文档层、配置管理层、实现代码层)上的演化信息之间的追踪关系逆向恢复。这些演化信息之间追踪关系的恢复对于理解软件演化和维护过程、学习并借鉴软件维护知识都具有重要的意义。针对不同层次演化信息的特点,提出了一种结合关键字检索和启发式规则的演化信息追踪关系逆向恢复方法,并针对一个开源软件系统的演化过程进行了实验分析。     

基于控制流混淆转换的代码保护技术

混淆转换作为一种防止逆向工程的代码保护技术伴随着Java,语言的迅速发展应运而生。以保护软件代码、提高逆向工程代价为目标,从破解与反破解的角度对控制流混淆转换技术进行了研究,提出了重构程序整体控制结构及隐藏用于控制转换的短暂变量的方法,并通过试验对控制流混淆转换给程序带来的时间和空间上的过载进行了客观评析。     

Fast extraction of high-quality framework-specific models from application code

Framework-specific models represent the design of application code from the framework viewpoint by showing how framework-provided concepts are instantiated in the code. Retrieving such models quickly and precisely is necessary for practical model-supported software engineering, in which developers use design models for development tasks such as code understanding, verifying framework usage rules, and round-trip engineering. Also, comparing models extracted at different times of the software lifecycle supports software evolution tasks. We describe an experimental study of the static analyses necessary to automatically retrieve framework-specific models from application code. We reverse engineer a number of applications based on three open-source frameworks and evaluate the quality of the retrieved models. The models are expressed using framework-specific modeling languages (FSMLs), each designed for an open-source framework. For reverse engineering, we use prototype implementations of the three FSMLs. Our results show that for the considered frameworks and a large body of application code rather simple code analyses are sufficient for automatically retrieving framework-specific models with high precision and recall. Based on the initial results, we refine the static analyses and repeat the study on a larger set of applications to provide more evidence and confirm the results. The refined static analyses provide precision and recall of close to 100% for the analyzed applications. This paper is an extended version of the paper “Automatic extraction of framework-specific models from framework-based application code”, which was published in the proceedings of the Twenty-Second ACM/IEEE International Conference on Automated Software Engineering, 2007.     

Watermarking, tamper-proofing, and obfuscation - tools for software protection

We identify three types of attack on the intellectual property contained in software and three corresponding technical defenses. A defense against reverse engineering is obfuscation, a process that renders software unintelligible but still functional. A defense against software piracy is watermarking, a process that makes it possible to determine the origin of software. A defense against tampering is tamper-proofing, so that unauthorized modifications to software (for example, to remove a watermark) will result in nonfunctional code. We briefly survey the available technology for each type of defense.     

基于JAVAC与JVM特征的代码保护

代码反编译和逆向工程使软件安全受到严重威胁。针对该问题,根据Java编译器(JAVAC)与Java虚拟机(JVM)的语法特征差异,提出一种基于JAVAC与JVM特征的代码保护方案。给出修改标识符名和中断赋值2种混淆技术,加大程序的复杂度,降低程序的可读性,阻止反编译和逆向工程的自动进行。安全性与性能分析结果表明,该方案可行、有效。     

Shimba—an environment for reverse engineering Java software systems

Shimba is a reverse engineering environment to support the understanding of Java software systems. Shimba integrates the Rigi and SCED tools to analyze and visualize the static and dynamic aspects of a subject system. The static software artifacts and their dependencies are extracted from Java byte code and viewed as directed graphs using the Rigi reverse engineering environment. The run‐time information is generated by running the target software under a customized SDK debugger. The generated information is viewed as sequence diagrams using the SCED tool. In SCED, statechart diagrams can be synthesized automatically from sequence diagrams, allowing the user to investigate the overall run‐time behavior of objects in the target system. Shimba provides facilities to manage the different diagrams and to trace artifacts and relations across views. In Shimba, SCED sequence diagrams are used to slice the static dependency graphs produced by Rigi. In turn, Rigi graphs are used to guide the generation of SCED sequence diagrams and to raise their level of abstraction. We show how the information exchange among the views enables goal‐driven reverse engineering tasks and aids the overall understanding of the target software system. The FUJABA software system serves as a case study to illustrate and validate the Shimba reverse engineering environment. Copyright © 2001 John Wiley & Sons, Ltd.     

路径分支混淆研究综述

代码混淆是一种便捷、有效的软件保护方法,能够较好地对抗以逆向分析为基础的MATE攻击,随着以符号执行为基础的自动程序分析技术的发展,出现了能够抵抗符号执行的新代码混淆方法——路径分支混淆。依据路径分支信息的构成,以及分支信息在对抗符号执行分析上的差异,对分支混淆技术进行了分类,并给出了分支信息泄露与符号执行的联系;按照分支混淆的分类,对当前分支混淆的研究进展进行了介绍和总结,分析了各类分支混淆的优缺点;最后,对分支混淆技术的发展进行了展望。     

NAV3000卫星导航仪偏航报警功能的改进

本文利用软件反向工程的方法分析了NAV3000 GPS卫星导航仪的监控软件,并采用直接修改目标代码的方法实现了对监控软件的偏航报警功能的改进。在概述软件反向工程和目标代码修改的基础上,给出了对卫星导航仪监控软件的偏航报警功能改进的具体过程。文章最后给出了对监控软件改进前后的报警效果的比较图,证明了基于目标代码修改方法的有效性,对相关应用具有一定的参考价值。     

A language-independent approach to the extraction of dependencies between source code entities

ContextSoftware networks are directed graphs of static dependencies between source code entities (functions, classes, modules, etc.). These structures can be used to investigate the complexity and evolution of large-scale software systems and to compute metrics associated with software design. The extraction of software networks is also the first step in reverse engineering activities.ObjectiveThe aim of this paper is to present SNEIPL, a novel approach to the extraction of software networks that is based on a language-independent, enriched concrete syntax tree representation of the source code.MethodThe applicability of the approach is demonstrated by the extraction of software networks representing real-world, medium to large software systems written in different languages which belong to different programming paradigms. To investigate the completeness and correctness of the approach, class collaboration networks (CCNs) extracted from real-world Java software systems are compared to CCNs obtained by other tools. Namely, we used Dependency Finder which extracts entity-level dependencies from Java bytecode, and Doxygen which realizes language-independent fuzzy parsing approach to dependency extraction. We also compared SNEIPL to fact extractors present in language-independent reverse engineering tools.ResultsOur approach to dependency extraction is validated on six real-world medium to large-scale software systems written in Java, Modula-2, and Delphi. The results of the comparative analysis involving ten Java software systems show that the networks formed by SNEIPL are highly similar to those formed by Dependency Finder and more precise than the comparable networks formed with the help of Doxygen. Regarding the comparison with language-independent reverse engineering tools, SNEIPL provides both language-independent extraction and representation of fact bases.ConclusionSNEIPL is a language-independent extractor of software networks and consequently enables language-independent network-based analysis of software systems, computation of design software metrics, and extraction of fact bases for reverse engineering activities.     

A C++ data model supporting reachability analysis and dead codedetection

A software repository provides a central information source for understanding and reengineering code in a software project. Complex reverse engineering tools can be built by analyzing information stored in the repository without reparsing the original source code. The most critical design aspect of a repository is its data model, which directly affects how effectively the repository supports various analysis tasks. This paper focuses on the design rationales behind a data model for a C++ software repository that supports reachability analysis and dead code detection at the declaration level. These two tasks are frequently needed in large software projects to help remove excess software baggage, select regression tests and support software reuse studies. The language complexity introduced by class inheritance, friendship, and template instantiation in C++ requires a carefully designed model to catch all necessary dependencies for correct reachability analysis. We examine the major design decisions and their consequences in our model and illustrate how future software repositories can be evaluated for completeness at a selected abstraction level. Examples are given to illustrate how our model also supports variants of reachability analysis: impact analysis, class visibility analysis, and dead code detection. Finally, we discuss the implementation and experience of our analysis tools on a few C++ software projects     

一种基于混沌的软件水印算法框架及实现

针对现有软件水印算法中存在的一些不足,将反逆向工程技术和混沌系统与Easter Egg软件水印的思想相结合,提出了一个基于混沌的软件水印算法框架.该框架通过引入混沌系统,把水印信息散列编码到整个代码当中,以保护全部代码;通过引入反逆向工程技术来抵抗逆向工程攻击,算法框架与软硬件平台无关.在i386体系结构Windows平台下实现了该算法框架,并以该实现为例分析了水印的鲁棒性,讨论了水印的嵌入对程序性能的影响.分析表明,该算法可以有效地抵抗各种语义保持变换攻击,对逆向工程攻击具有较好的抵抗性,鲁棒性较高.     

A reverse engineering process for design level document production from ADA code

The paper describes a reverse engineering process for producing design level documents by static analysis of ADA code. The produced documents, which we call concurrent data flow diagrams, describe the task structure of a software system and the data flow between tasks. Firstly, concurrent data flow diagrams are defined and discussed and then the main characteristics and features of the reconstruction process are illustrated. The process has been used to support maintenance and reuse activities on existing real-time software and to check consistency between design and code.     

A compiler-hardware approach to software protection for embedded systems

Because of their rapid growth in recent years, embedded systems present a new front in vulnerability and an attractive target for attackers. Their pervasive use, including sensors and mobile devices, makes it easier for an adversary to gain physical access to facilitate both attacks and reverse engineering of the system. This paper describes a system - CODESSEAL - for software protection and evaluates its overhead. CODESSEAL aims to protect embedded systems from attackers with enough expertise and resources to capture the device and attempt to manipulate not only software, but also hardware. The protection mechanism involves both a compiler-based software tool that instruments executables and an on-chip FPGA-based hardware component that provides run-time integrity and control flow checking on the executable code. The use of reconfigurable hardware allows CODESSEAL to provide such security services as confidentiality, integrity and program-flow protection in a platform-independent manner without requiring a redesign of the processor. Similarly, the compiler instrumentation hides the security details from software developers. Software and data protection techniques are presented for our system and a performance analysis is provided using cycle accurate simulation. Our experimental results show that protecting instructions and data with a high level of security can be achieved with low performance penalty, in most cases less than 10%.     

Strongest postcondition semantics as the formal basis for reverse engineering

Reverse engineering of program code is the process of constructing a higher level abstraction of an implementation in order to facilitate the understanding of a system that may be in a “legacy” or “geriatric” state. Changing architectures and improvements in programming methods, including formal methods in software development and object-oriented programming, have prompted a need to reverse engineer and re-engineer program code. This paper describes the application of the strongest postcondition predicate transformer (sp) as the formal basis for the reverse engineering of imperative program code.     

Field experience with obfuscating million-user iOS apps in large enterprise mobile development

In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.