What's the PointiSA?

Abstract

Software watermarking, fingerprinting, digital content identification, and many other desirable security properties can be improved with software protection techniques such as tamper resistance and obfuscation. Previous research has demonstrated software protection can be significantly enhanced using a Process-level Virtual Machine (PVM). They can provide robust program protections, particularly at run time, which many other software protection techniques lack. PVMs have been used to provide tamper detection, dynamic code obfuscation, and resistance to static disassembly. Over-all, the presence of PVMs makes it more difficult for the adversary to achieve their goals. Recently, a new attack methodology, called Replacement Attacks, was described that successfully targeted PVM-protected applications. This methodology circumvents execution of the protective PVM instance through the use of another virtual machine to execute the program. The replacement occurs dynamically and allows execution of the application without any PVM-based protections. In this work, we formalize the notion of a replacement attack using a novel model. We then present a defense against such attacks. To the best of our knowledge, this technique is the first defense against replacement attacks. The technique relies on software interpretation of instructions, which forms the basis of PVMs. By carefully modifying the semantics of some individual instructions, it is possible to make the application unusable without the presence of the protective PVM instance. The technique is called PointISA, named after a point function|a function which returns true for only one given input. We provide a formal description of PointISAs and an evaluation of the strength of the approach.