Replacement attacks against VM-protected applications

Ghosh, Sudeep; Hiser, Jason D.; Davidson, Jack W.

doi:10.1145/2151024.2151051

Cited by 13 publications

(14 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we first analyze DIVILAR's robustness against existing static and dynamic analysis, and countermeasures specific to VM-based protection in particular [11,20,57,59]. We also evaluate the performance overhead introduced by DIVILAR.…”

Section: Discussionmentioning

confidence: 99%

“…Ghosh et al propose to replace the protecting VM with an attacking VM in order to render the application amicable to analysis and modification [20]. Frequency analysis [68] is often used to break classical ciphers by studying the frequency of letters or groups of letters to disclose the mapping between plaintext and ciphertext.…”

Section: Virtualization Specific Analysismentioning

confidence: 99%

“…However, this attack is not effective against systems where virtual machine is sufficiently anchored to the execution environment [20]. DIVILAR's in-app hooking mechanism allows it to deeply hook into Dalvik VM and merge the execution of virtual and Dalvik instructions.…”

Section: Virtualization Specific Analysismentioning

confidence: 99%

“…Moreover, Ghosh et al propose to use an attacking VM to replace the protecting VM to subject the protected software to analysis. It assumes that the protecting VM is not tightly bound to the execution environment [20]. DIVILAR leverages virtualization to protect Android apps from repackaging.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Divilar

Zhou

Wang

Zhou

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

App repackaging remains a serious threat to the emerging mobile app ecosystem. Previous solutions have mostly focused on the postmortem detection of repackaged apps by measuring similarity among apps. In this paper, we propose DIVILAR, a virtualizationbased protection scheme to enable self-defense of Android apps against app repackaging. Specifically, it re-encodes an Android app in a diversified virtual instruction set and uses a specialized execute engine for these virtual instructions to run the protected app. However, this extra layer of execution may cause significant performance overhead, rendering the solution unacceptable for daily use. To address this challenge, we leverage a lightweight hooking mechanism to hook into Dalvik VM, the execution engine for Dalvik bytecode, and piggy-back the decoding of virtual instructions to that of Dalvik bytecode. By compositing virtual and Dalvik instruction execution, we can effectively eliminate this extra layer of execution and significantly reduce the performance overhead. We have implemented a prototype of DIVILAR. Our evaluation shows that DIVILAR is resilient against existing static and dynamic analysis, including these specific to VM-based protection. Further performance evaluation demonstrates its efficiency for daily use (an average of 16.2% and 8.9% increase to the start time and run time, respectively).

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Virtualization Specific Analysismentioning

confidence: 99%

Section: Virtualization Specific Analysismentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Divilar

Zhou

Wang

Zhou

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…An adversary can attempt to alter key functionalities of the PVM itself, thereby invalidating protection features such as knots. Ghosh et al proposed a replacement attack on PVMs, which involves replacing a PVM applying protections with a benign VM [16]. Knots do not protect the PVM from such attacks.…”

Section: Effectiveness Against Pvm Attacksmentioning

confidence: 99%

Software protection for dynamically-generated code

Ghosh

Hiser

Davidson

2013

Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop

Self Cite

View full text Add to dashboard Cite

Process-level Virtual machines (PVMs) often play a crucial role in program protection. In particular, virtualization-based tools like VMProtect and CodeVirtualizer have been shown to provide desirable obfuscation properties (i.e., resistance to disassembly and code analysis). To be efficient, many tools cache frequently-executed code in a code cache. This code is run directly on hardware and consequently may be susceptible to unintended, malicious modification after it has been generated.To thwart such modifications, this work presents a novel methodology that imparts tamper detection at run time to PVM-protected applications. Our scheme centers around the run-time creation of a network of software knots (an instruction sequence that checksums portions of the code) to detect tamper. These knots are used to check the integrity of cached code, although our techniques could be applied to check any software-protection properties. Used in conjunction with established static techniques, our solution provides a mechanism for protecting PVM-generated code from modification.We have implemented a PVM system that automatically inserts code into an application to dynamically generate polymorphic software knots. Our experiments show that PVMs do indeed provide a suitable platform for extending guard protection, without the addition of high overheads to run-time performance and memory. Our evaluations demonstrate that these knots add less than 10% overhead while providing frequent integrity checks.

show abstract