Evaluation Models for the Resilience and Stealth of Software Protections and Malware
Bilateral call: Belgium
Disciplines
Computer Sciences (100%)
Keywords
Code Obfuscation, Resilience, Stealth, Software Protection, Malware, Code Analysis
The project EMRESS (Evaluation Models for the Resilience and Stealth of Software Protections and Malware) deals with the problem of quantifying software protection techniques, which are used both in commercial programs and in malicious software (malware). Although software protection techniques have been researched and used in practice for more than two decades, no models for the strength of different protections exist. The lack of models is highly problematic for software vendors, because it prevents automated decision support for the optimal protection strategy for their software, and for malware analysts, because no automated support exists for selecting the optimal analysis techniques for an incoming sample that needs to be analysed. With this project, we aim to improve this situation dramatically by developing quantitative models and analysis techniques for the strength of software protections based on two properties: resilience (the strength of a protection against different analysis techniques) and stealth. Resilience will be quantified through novel models and metrics that predict which software representations attackers and their tools obtain after they have used tools, heuristics, and assumptions to circumvent, undo, or neglect the deployed protections. Stealth will be made quantifiable by developing novel techniques to identify and match components with (to some extent) known semantics in larger software packages. In both research areas, comprehensive literature surveys of the arms race between software protection and code analysis will form the foundation of our research. Based on the results from the surveys, we derive properties of program code which can be used for (a) the quantification of the strength of applied protections and (b) in the context of malware, the identification of its type.
The results from this research will be used as the foundation for model generation. Next, prototype implementations of software protections and analysis concepts will be used in controlled experiments in order to verify our hypothesis in the model generation process. We will study how professional software penetration testers and malware analysts deal with different types of protections and compare the results with our survey works. The results of the project EMRESS will improve the scientific state-of-the-art in quantification of software protection techniques with respect to theory but also practice. Both companies wanting to protect benign software through obfuscation and other protections, as well as malware analysts will be able to use our results for selecting the best available technologies for their use cases. Additionally, we expect positive effects in the research field of software testing and software assurance.
The EMRESS project dealt with the quantification of software protection techniques, which are used in commercial programs as well as in malware. Although these techniques have been researched for a long time and are widely used in practice, until now no robust models for the strength of different protections existed. The lack of such models was highly problematic for malware analysts, who must determine a suitable analysis strategy depending on the protection techniques used by the malware. The project explored methodologies for determining the strength of the two key properties of a protection technique: stealth (the covertness of the protection) and resilience (the strength of the protection against automated undoing). To this end, we created two comprehensive software frameworks that allow us to conduct empirical research on software protection and program analysis, and subsequently to derive predictive models for the strength of software protection techniques. To model stealth, we extracted patterns from a set of code complexity metrics and measured how uniquely they can be assigned to specific protection techniques. The existence of unique patterns reduces the stealth of a protection technique, since the technique can be identified by its pattern. To quantify resilience, we determined the quality of the reconstructions of basic program structures produced by a variety of analysis programs in the presence of individual software protection techniques or combinations of techniques. The worse structures such as the program's control flow graph can be reconstructed, the higher the resilience is rated. Another research focus of the project was the identification of functionality in protected programs. We developed a novel methodology that uniquely identifies functionality based on its characteristic input-output behavior, independent of the exact implementation and of the presence of obfuscation techniques.
Combined, our frameworks serve as a decision support system for malware analysts by automatically identifying the protection techniques contained in potential malware, suggesting suitable analysis methods and tools, and automatically detecting the presence of typical malware functionality. Complementing the empirical research, the scientific state of the art as well as methodological weaknesses in the research area of software protection were identified on the basis of more than 570 publications, and strategies to improve the status quo were integrated into our frameworks. The results of the EMRESS project contribute significantly to the advancement of the scientific state of the art in the field of software protection research, both in theory and in practice. Furthermore, we see positive effects for further research fields such as software testing and software assurance.
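The two measurements described in the summary, stealth as the uniqueness of a complexity-metric pattern and resilience as the quality of a tool's control-flow-graph reconstruction, reduce to a small amount of code once the graphs are in hand. The following is an added example, not code from the EMRESS frameworks or the project's authors. The programs, the three protection techniques (junk straight-line blocks, control-flow flattening through a dispatcher, opaque predicates branching to dead blocks), the pattern thresholds and the "tool outputs" are all constructed by hand for illustration.

```python
"""Toy versions of the two measurements: stealth as metric-pattern uniqueness,
resilience as edge-level CFG reconstruction quality. Added example, not the
EMRESS frameworks; all graphs, thresholds and tool outputs are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Cfg = Set[Tuple[str, str]]  # a CFG as a set of (src, dst) basic-block edges


def build(edges: str) -> Cfg:
    """'a>b c>d' -> {('a','b'), ('c','d')}; helper for the constructed graphs."""
    return {tuple(e.split(">")) for e in edges.split()}


# Two constructed programs, each in four states: unprotected, junk blocks
# inserted, flattened through a dispatcher, or with opaque predicates whose
# never-taken branches lead to dead blocks.
PROGRAMS = {
    "A": build("entry>hdr hdr>body hdr>exit body>then body>else then>hdr else>hdr"),
    "B": build("entry>cond cond>a cond>b a>exit b>exit"),
}
SAMPLES: List[Tuple[str, str, Cfg]] = [  # (technique, program, protected CFG)
    ("none", "A", PROGRAMS["A"]),
    ("none", "B", PROGRAMS["B"]),
    ("junk", "A", build("entry>junk junk>hdr hdr>body hdr>exit body>then body>else then>hdr else>hdr")),
    ("junk", "B", build("entry>junk junk>cond cond>a cond>b a>exit b>exit")),
    ("flatten", "A", build("entry>disp disp>hdr disp>body disp>then disp>else disp>exit "
                           "hdr>disp body>disp then>disp else>disp")),
    ("flatten", "B", build("entry>disp disp>cond disp>a disp>b disp>exit cond>disp a>disp b>disp")),
    ("opaque", "A", PROGRAMS["A"] | build("then>dead1 else>dead2")),
    ("opaque", "B", PROGRAMS["B"] | build("a>dead1 b>dead2")),
]


def metrics(cfg: Cfg) -> Dict[str, float]:
    """A few structural complexity metrics of a CFG."""
    n, e = len({v for edge in cfg for v in edge}), len(cfg)
    out = defaultdict(int)
    for src, _ in cfg:
        out[src] += 1
    return {"cyclomatic": e - n + 2,                       # McCabe, single entry/exit
            "max_out": max(out.values()),                 # largest fan-out of a block
            "branch_ratio": round(sum(d >= 2 for d in out.values()) / n, 2)}


def pattern(m: Dict[str, float]) -> Tuple[bool, bool]:
    """Coarse pattern: dispatcher-like fan-out, high share of branching blocks.
    Thresholds are constructed for this toy data set."""
    return (m["max_out"] >= 4, m["branch_ratio"] >= 0.4)


def stealth_scores(samples: List[Tuple[str, str, Cfg]]) -> Dict[str, float]:
    """Share of a technique's samples whose pattern is also produced by another
    technique: 1.0 = not identifiable from the pattern, 0.0 = unique pattern."""
    seen = defaultdict(set)  # pattern -> techniques producing it
    for tech, _, cfg in samples:
        seen[pattern(metrics(cfg))].add(tech)
    scores = {}
    for tech in {t for t, _, _ in samples}:
        pats = [pattern(metrics(c)) for t, _, c in samples if t == tech]
        scores[tech] = round(sum(len(seen[p]) > 1 for p in pats) / len(pats), 2)
    return scores


def resilience(ground_truth: Cfg, reconstructed: Cfg) -> float:
    """1 - edge-level F1 of the tool's CFG against the original program's CFG;
    0.0 means the protection did not hinder reconstruction at all."""
    tp = len(ground_truth & reconstructed)
    fp = len(reconstructed - ground_truth)
    fn = len(ground_truth - reconstructed)
    return round(1 - 2 * tp / (2 * tp + fp + fn), 3)


# Constructed outputs of a hypothetical CFG recovery tool run on protected A.
TOOL_OUTPUT = {
    "none": PROGRAMS["A"],                                             # perfect recovery
    "flatten": build("entry>hdr hdr>body hdr>exit then>hdr body>exit"),  # 4 of 7 edges + 1 spurious
    "opaque": PROGRAMS["A"] | build("then>dead1 else>dead2"),          # dead edges not pruned
}


def resilience_report() -> Dict[str, float]:
    return {tech: resilience(PROGRAMS["A"], out) for tech, out in TOOL_OUTPUT.items()}


if __name__ == "__main__":
    print("stealth:", stealth_scores(SAMPLES))
    print("resilience:", resilience_report())
```

With this data the junk-block technique scores stealth 1.0 because its metric pattern coincides with that of unprotected code, while flattening and opaque predicates each leave a pattern no other technique produces and score 0.0. On the resilience side, the constructed flattening output loses three original edges and gains one spurious one (resilience 0.333), whereas the opaque-predicate output keeps all original edges plus the two dead ones (0.125). Real frameworks would replace the hand-built graphs with CFGs lifted from binaries and the two-bit pattern with a learned classifier over many metrics, but the scoring logic is the same.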
- Universität Wien - 100%
- Bjorn Sutter, Ghent University - Belgium
Research Output
- 33 Citations
- 9 Publications
- 1 Datasets & models
- 6 Scientific Awards
- 2 Fundings
- 2023: Guest Editor, Computers & Security. Type: Appointed as the editor/advisor to a journal or book series. Level of recognition: Continental/International
- 2020: Inference of Optimal Cyber Defense Strategies. Type: Other. Start of funding: 2020. Funder: Austrian Science Fund (FWF)