3rd International ICST Symposium on Information Assurance and Security

Research Article

Program Fragmentation as a Metamorphic Software Protection

  • @INPROCEEDINGS{10.1109/IAS.2007.28,
        author={Bobby  D. Birrer and Richard  A. Raines and Rusty  O. Baldwin and Barry  E. Mullins and Robert  W. Bennington},
        title={Program Fragmentation as a Metamorphic Software Protection},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        publisher={IEEE},
        proceedings_a={IAS},
        year={2007},
        month={9},
        keywords={Assembly  Computer industry  Computer security  Cryptography  Engines  Information security  Laboratories  Software algorithms  Software debugging  Software protection},
        doi={10.1109/IAS.2007.28}
    }
    
  • Bobby D. Birrer
    Richard A. Raines
    Rusty O. Baldwin
    Barry E. Mullins
    Robert W. Bennington
    Year: 2007
    Program Fragmentation as a Metamorphic Software Protection
    IAS
    IEEE
    DOI: 10.1109/IAS.2007.28
Bobby D. Birrer1,*, Richard A. Raines1,*, Rusty O. Baldwin1,*, Barry E. Mullins1,*, Robert W. Bennington2,*
  • 1: Center for Cyberspace Research Air Force Institute of Technology
  • 2: Anti-Tamper Software Protection Technology Office Air Force Research Laboratory
*Contact email: bobby.birrer@afit.edu, richard.raines@afit.edu, rusty.baldwin@afit.edu, barry.mullins@afit.edu, Robert.bennington@wpafb.af.mil

Abstract

Unauthorized reverse-engineering of programs and algorithms is a major problem for the software industry. Reverse-engineers search for security holes in the program to exploit or try to steal competitors' vital algorithms. To discourage reverse-engineering, developers use a variety of static software protections to obfuscate their programs. Metamorphic software protections add another layer of protection to traditional static obfuscation techniques, forcing reverse-engineers to adjust their attacks as the protection changes. Program fragmentation combines two obfuscation techniques, outlining and obfuscated jump tables, into a new, metamorphic protection. Sections of code are removed from the main program flow and placed throughout memory, reducing the program's locality. These fragments move and are called using obfuscated jump tables, making program execution difficult to follow. This research assesses the performance overhead of a program fragmentation engine and provides analysis of its effectiveness against reverse-engineering techniques. Results show that program fragmentation has low overhead and is an effective technique to complicate disassembly of programs using two common disassembler/debugger tools.