System, method, and service for detecting improper manipulation of an application

US 8,056,138 B2
Filed: 02/26/2005
Issued: 11/08/2011
Est. Priority Date: 02/26/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:

executing the application using a secret input to obtain a trace of the application;

identifying, from the trace, a set of deterministic branch instructions;

selecting at least one of the branch instructions from the set of deterministic branch instructions;

converting the selected branch instruction to a control transfer instruction that calls upon a fingerprint branch function;

adding a watermark to the application in order to identify an authorized user;

generating a fingerprint mark to the application;

generating a fingerprint key associated with the fingerprint mark;

as the application is executing, upon encountering a call to the fingerprint branch function, executing the fingerprint branch function to evolve the fingerprint key and an integrity check value associated with the evolved fingerprint key;

replacing at least one branch instruction corresponding to a conditional jump and at least one branch instruction corresponding to an unconditional jump in the application to alter control flow of the application; and

calculating a hash function responsive to a return address of the at least one branch instruction corresponding to the conditional jump and the at least one branch instruction corresponding to the unconditional jump and a starting address of the fingerprint branch function;

wherein the fingerprint branch function corresponds the evolved fingerprint key with a location in a displacement table to locate a displacement for a target instruction at the location in the displacement table within the application and subsequently a return location of the target instruction is computed within the application by adding the displacement to a return address of the control transfer function that calls upon the fingerprint branch function, and execution control is returned to the target instruction at the computed return location within the application, andwherein upon improper manipulation of the application, the fingerprint branch function evolves a wrong key that prevents a normal execution of the application by corresponding the wrong key with an incorrect location within the displacement table, thereby causing an incorrect return location to be calculated by adding an incorrect displacement retrieved from the incorrect location to the return address and causing the execution control to be returned to the target instruction at the incorrect return location within the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A piracy protection system incorporates tamper detection capabilities into a protected copy of an application by disassembling a statically linked binary of the application, modifying some of the instructions in the application, and then rewriting all of the modified and unmodified instructions to a new executable file, a protected copy. The piracy protection system comprises an offline tamper detection technique in which the software itself detects the tampering and causes the program to fail, therefore protecting itself from malicious attacks. The system further comprises a dynamic software-watermarking process that incorporates code obfuscation to prevent reverse engineering.

23 Citations

View as Search Results

12 Claims

1. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:
- executing the application using a secret input to obtain a trace of the application;
  
  identifying, from the trace, a set of deterministic branch instructions;
  
  selecting at least one of the branch instructions from the set of deterministic branch instructions;
  
  converting the selected branch instruction to a control transfer instruction that calls upon a fingerprint branch function;
  
  adding a watermark to the application in order to identify an authorized user;
  
  generating a fingerprint mark to the application;
  
  generating a fingerprint key associated with the fingerprint mark;
  
  as the application is executing, upon encountering a call to the fingerprint branch function, executing the fingerprint branch function to evolve the fingerprint key and an integrity check value associated with the evolved fingerprint key;
  
  replacing at least one branch instruction corresponding to a conditional jump and at least one branch instruction corresponding to an unconditional jump in the application to alter control flow of the application; and
  
  calculating a hash function responsive to a return address of the at least one branch instruction corresponding to the conditional jump and the at least one branch instruction corresponding to the unconditional jump and a starting address of the fingerprint branch function;
  
  wherein the fingerprint branch function corresponds the evolved fingerprint key with a location in a displacement table to locate a displacement for a target instruction at the location in the displacement table within the application and subsequently a return location of the target instruction is computed within the application by adding the displacement to a return address of the control transfer function that calls upon the fingerprint branch function, and execution control is returned to the target instruction at the computed return location within the application, andwherein upon improper manipulation of the application, the fingerprint branch function evolves a wrong key that prevents a normal execution of the application by corresponding the wrong key with an incorrect location within the displacement table, thereby causing an incorrect return location to be calculated by adding an incorrect displacement retrieved from the incorrect location to the return address and causing the execution control to be returned to the target instruction at the incorrect return location within the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the watermark comprises an authorship mark in order to identify an owner of the application.
  - 3. The method of claim 1, further comprising performing an integrity check in order to determine whether the application has been improperly manipulated.
  - 4. The method of claim 1, wherein the fingerprint mark comprises one or more fingerprint keys;
    - andwherein each fingerprint key uniquely identifies an associated authorized user and application.
  - 5. The method of claim 1, wherein upon executing the control transfer instructions, each call instruction evolves a different fingerprint key.
  - 6. The method of claim 2, wherein the authorship mark comprises two or more prime factors to prevent improper discovery of the authorship mark.
  - 7. The method of claim 2, wherein the authorship mark is encoded in the fingerprint branch function.
  - 8. The method of claim 2, wherein the authorship mark proves ownership of the application through the use of an authorship key.
  - 9. The method of claim 4, further comprising assigning an initial value for the fingerprint keys upon registration of the application by an authorized user.
  - 10. The method of claim 1, wherein the fingerprint branch function locates a displacement in a displacement table, said displacement representing a difference in a location in code of the application from a selected branch instruction to the target instruction, andwherein the fingerprint branch function transfers an execution control to the target instruction.

11. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:
- selecting at least some of the branch instructions;
  
  converting the selected branch instructions to control transfer instructions that call upon an integrity check branch function;
  
  constructing a static structure comprising a displacement entry for each of the selected branch instructions and a corresponding target instruction;
  
  using a hash function to assign a unique identifier to a location of each of the selected branch instructions;
  
  embedding a fingerprint mark and an authorship mark into the selected branch instructions;
  
  as the application is executing, upon encountering a call to the integrity check branch function, generating a value used to obtain information from the static structure about an instruction to execute after the integrity check branch function completes;
  
  identifying the integrity check branch function as fingerprinted with the fingerprint mark; and
  
  identifying if the application has been subjected to a semantic-preserving transform or a debugger was used during the executing; and
  
  preventing normal execution of the application if said generation results in a wrong value based on an integrity value associated with the fingerprint mark, thereby causing an incorrect displacement entry located at a location within the static structure that corresponds with the wrong value to be retrieved from the static structure and an incorrect return location within the application to be computed based on the incorrect displacement entry that would cause the application to jump to the incorrect return location within the application,wherein the information obtained from the static structure is used to compute a return location within the application of the instruction to be executed after the integrity check branch function completes.
- View Dependent Claims (12)
- - 12. The method of claim 11, selecting the branch instructions comprises selected the branch instructions that are on a non-deterministic path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jin, Hongxia, Myles, Ginger
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
HOANG, DANIEL L

Application Number

US11/066,934
Publication Number

US 20060195906A1
Time in Patent Office

2,446 Days
Field of Search

726/26
US Class Current

726/26
CPC Class Codes

G06F 21/125   by manipulating the program...

G06F 21/14   against software analysis o...

G06F 21/16   Program or content traceabi...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/608   Watermarking

H04L 63/123   received data contents, e.g...

H04L 9/3236   using cryptographic hash fu...

System, method, and service for detecting improper manipulation of an application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and service for detecting improper manipulation of an application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links