System, method, and service for detecting improper manipulation of an application
First Claim
1. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:
- executing the application using a secret input to obtain a trace of the application;
identifying, from the trace, a set of deterministic branch instructions;
selecting at least one of the branch instructions from the set of deterministic branch instructions;
converting the selected branch instruction to a control transfer instruction that calls upon a fingerprint branch function;
adding a watermark to the application in order to identify an authorized user;
generating a fingerprint mark to the application;
generating a fingerprint key associated with the fingerprint mark;
as the application is executing, upon encountering a call to the fingerprint branch function, executing the fingerprint branch function to evolve the fingerprint key and an integrity check value associated with the evolved fingerprint key;
replacing at least one branch instruction corresponding to a conditional jump and at least one branch instruction corresponding to an unconditional jump in the application to alter control flow of the application; and
calculating a hash function responsive to a return address of the at least one branch instruction corresponding to the conditional jump and the at least one branch instruction corresponding to the unconditional jump and a starting address of the fingerprint branch function;
wherein the fingerprint branch function corresponds the evolved fingerprint key with a location in a displacement table to locate a displacement for a target instruction at the location in the displacement table within the application and subsequently a return location of the target instruction is computed within the application by adding the displacement to a return address of the control transfer function that calls upon the fingerprint branch function, and execution control is returned to the target instruction at the computed return location within the application, andwherein upon improper manipulation of the application, the fingerprint branch function evolves a wrong key that prevents a normal execution of the application by corresponding the wrong key with an incorrect location within the displacement table, thereby causing an incorrect return location to be calculated by adding an incorrect displacement retrieved from the incorrect location to the return address and causing the execution control to be returned to the target instruction at the incorrect return location within the application.
1 Assignment
0 Petitions
Accused Products
Abstract
A piracy protection system incorporates tamper detection capabilities into a protected copy of an application by disassembling a statically linked binary of the application, modifying some of the instructions in the application, and then rewriting all of the modified and unmodified instructions to a new executable file, a protected copy. The piracy protection system comprises an offline tamper detection technique in which the software itself detects the tampering and causes the program to fail, therefore protecting itself from malicious attacks. The system further comprises a dynamic software-watermarking process that incorporates code obfuscation to prevent reverse engineering.
23 Citations
12 Claims
-
1. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:
-
executing the application using a secret input to obtain a trace of the application; identifying, from the trace, a set of deterministic branch instructions; selecting at least one of the branch instructions from the set of deterministic branch instructions; converting the selected branch instruction to a control transfer instruction that calls upon a fingerprint branch function; adding a watermark to the application in order to identify an authorized user; generating a fingerprint mark to the application; generating a fingerprint key associated with the fingerprint mark; as the application is executing, upon encountering a call to the fingerprint branch function, executing the fingerprint branch function to evolve the fingerprint key and an integrity check value associated with the evolved fingerprint key; replacing at least one branch instruction corresponding to a conditional jump and at least one branch instruction corresponding to an unconditional jump in the application to alter control flow of the application; and calculating a hash function responsive to a return address of the at least one branch instruction corresponding to the conditional jump and the at least one branch instruction corresponding to the unconditional jump and a starting address of the fingerprint branch function; wherein the fingerprint branch function corresponds the evolved fingerprint key with a location in a displacement table to locate a displacement for a target instruction at the location in the displacement table within the application and subsequently a return location of the target instruction is computed within the application by adding the displacement to a return address of the control transfer function that calls upon the fingerprint branch function, and execution control is returned to the target instruction at the computed return location within the application, and wherein upon improper manipulation of the application, the fingerprint branch function evolves a wrong key that prevents a normal execution of the application by corresponding the wrong key with an incorrect location within the displacement table, thereby causing an incorrect return location to be calculated by adding an incorrect displacement retrieved from the incorrect location to the return address and causing the execution control to be returned to the target instruction at the incorrect return location within the application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method for detecting improper manipulation of an application containing a plurality of executable branch instructions, comprising:
-
selecting at least some of the branch instructions; converting the selected branch instructions to control transfer instructions that call upon an integrity check branch function; constructing a static structure comprising a displacement entry for each of the selected branch instructions and a corresponding target instruction; using a hash function to assign a unique identifier to a location of each of the selected branch instructions; embedding a fingerprint mark and an authorship mark into the selected branch instructions; as the application is executing, upon encountering a call to the integrity check branch function, generating a value used to obtain information from the static structure about an instruction to execute after the integrity check branch function completes; identifying the integrity check branch function as fingerprinted with the fingerprint mark; and identifying if the application has been subjected to a semantic-preserving transform or a debugger was used during the executing; and preventing normal execution of the application if said generation results in a wrong value based on an integrity value associated with the fingerprint mark, thereby causing an incorrect displacement entry located at a location within the static structure that corresponds with the wrong value to be retrieved from the static structure and an incorrect return location within the application to be computed based on the incorrect displacement entry that would cause the application to jump to the incorrect return location within the application, wherein the information obtained from the static structure is used to compute a return location within the application of the instruction to be executed after the integrity check branch function completes. - View Dependent Claims (12)
-
Specification