A Functional Unit Dynamic API Birthmark for Windows Programs Code Theft Detection

  • Published: 2009.09.15

Abstract

A software birthmark is a set of characteristics that are extracted from a program itself to detect code theft. A dynamic API birthmark is extracted from the run-time API call sequences of a program. The dynamic Windows API birthmarks of Tamada et al. are extracted from API call sequences during the startup period of a program; therefore, these dynamic birthmarks cannot reflect the characteristics of the program's main functions. In this paper, we propose a functional unit birthmark (FDAPI) that is defined as the API call sequences recorded during the execution of the essential functions of a program. To find out whether some functional units of a program are copied from an original program, two FDAPIs are extracted by executing the programs with the same input. The FDAPIs are compared using the semi-global alignment algorithm to compute a similarity between the two programs. Programs with the same functionality are compared to show the credibility of our birthmark. Binary executables that are compiled differently from the same source code are compared to prove the resilience of our birthmark. The experimental results show that our birthmark can detect module theft of software, to which the existing birthmarks of Tamada et al. cannot be applied.

A software birthmark is a characteristic of a program extracted from the program itself in order to detect code theft. A dynamic API birthmark is extracted from run-time API call sequences. The dynamic API birthmark for Windows programs proposed by Tamada extracts only the API sequence at the start of program execution and therefore fails to reflect the important characteristics of the program. This paper proposes a functional unit dynamic API birthmark extracted from the API sequences recorded while a program's core functions are executed. To detect code theft with the functional unit dynamic API birthmark, the two programs are first executed to extract their birthmarks. The similarity of the two programs is measured by comparing the extracted birthmarks using a semi-global alignment method. To evaluate the credibility of the birthmark, experiments were conducted on programs with the same functionality. To evaluate its resilience, the same source code was built with various compilation methods and tested. The experimental results show that the functional unit dynamic API birthmark proposed in this paper can detect module-level theft that existing birthmarks could not detect.
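As an added illustration of the comparison step described in the abstract (example code written for this page, not the paper's implementation), the following Python aligns two constructed API call traces with a semi-global alignment and normalises the score into a similarity. The scoring weights and the normalisation are assumptions, since the page does not give the paper's values.

```python
"""Semi-global alignment of two API call traces (constructed example)."""
from typing import List, Sequence, Tuple

# Scoring scheme: assumed values, not taken from the paper.
MATCH, MISMATCH, GAP = 1, -1, -1


def semi_global_align(query: Sequence[str], ref: Sequence[str]) -> int:
    """Best score for aligning all of `query` against any region of `ref`.

    Gaps before and after the matched region of `ref` are free (that is
    what makes the alignment semi-global), so a copied functional unit
    buried inside a longer trace still scores as a full match. Gaps and
    mismatches inside the matched region are penalised.
    """
    n, m = len(query), len(ref)
    prev = [0] * (m + 1)                      # row 0: free leading gaps in ref
    for i in range(1, n + 1):
        cur = [prev[0] + GAP] + [0] * m       # skipping a query call costs GAP
        for j in range(1, m + 1):
            s = MATCH if query[i - 1] == ref[j - 1] else MISMATCH
            cur[j] = max(prev[j - 1] + s,     # match / mismatch
                         prev[j] + GAP,       # gap in ref (query call unmatched)
                         cur[j - 1] + GAP)    # gap in query (ref call unmatched)
        prev = cur
    return max(prev)                          # free trailing gaps in ref


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Similarity in [0, 1]: the shorter trace is the query (assumed normalisation)."""
    query, ref = (a, b) if len(a) <= len(b) else (b, a)
    return max(semi_global_align(query, ref), 0) / (MATCH * len(query))


# Constructed traces (real Win32 API names, but invented call orders).
ORIGINAL: List[str] = ["GetModuleHandleA", "LoadLibraryA", "CreateFileW",
                       "ReadFile", "ReadFile", "WriteFile", "CloseHandle",
                       "ExitProcess"]
COPIED_UNIT: List[str] = ["CreateFileW", "ReadFile", "ReadFile",
                          "WriteFile", "CloseHandle"]
MODIFIED_UNIT: List[str] = ["CreateFileW", "ReadFile", "GetLastError",
                            "ReadFile", "WriteFile", "CloseHandle"]
UNRELATED: List[str] = ["socket", "connect", "send", "recv", "closesocket"]


def demo() -> Tuple[float, float, float]:
    """Similarity of the original trace to a copied, a modified and an unrelated unit."""
    return (similarity(ORIGINAL, COPIED_UNIT),
            similarity(ORIGINAL, MODIFIED_UNIT),
            similarity(ORIGINAL, UNRELATED))


if __name__ == "__main__":
    print(demo())
```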

References

  1. G. Myles and C. S. Collberg, "Software theft detection through program identification," PhD thesis, University of Arizona, 2006.
  2. C. Linn and S. Debray, "Obfuscation of executable code to improve resistance to static disassembly," in Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 290-299, 2003. https://doi.org/10.1145/948109.948149
  3. S. Choi, H. Park, H. Lim, and T. Han, "A static birthmark of binary executables based on API call structure," Lecture Notes in Computer Science, vol. 4846, pp. 2-16, 2007. https://doi.org/10.1007/978-3-540-76929-3_2
  4. H. Tamada, K. Okamoto, M. Nakamura, A. Monden, and K. Matsumoto, "Dynamic software birthmarks to detect the theft of Windows applications," in Proceedings of the International Symposium on Future Software Technology, pp. 20-22, 2004.
  5. C. S. Collberg and C. Thomborson, "Watermarking, tamper-proofing, and obfuscation - tools for software protection," IEEE Transactions on Software Engineering, vol. 28, pp. 735-746, 2002. https://doi.org/10.1109/TSE.2002.1027797
  6. H. Tamada, M. Nakamura, A. Monden, and K. I. Matsumoto, "Java birthmarks - detecting the software theft," IEICE Transactions on Information and Systems, pp. 2148-2158, 2005.
  7. G. Myles and C. Collberg, "K-gram based software birthmarks," in Proceedings of the 2005 ACM Symposium on Applied Computing (SAC'05), 2005.
  8. H. Lim, H. Park, S. Choi, and T. Han, "Detecting theft of Java applications via a static birthmark based on weighted stack patterns," IEICE Transactions on Information and Systems, vol. 91, no. 9, September 2008.
  9. H. Park, S. Choi, H. Lim, and T. Han, "Detecting Java theft based on static API trace birthmark," in Third International Workshop on Security (IWSEC 2008), LNCS 5312-0121, November 25-27, 2008.
  10. G. Myles and C. S. Collberg, "Detecting software theft via whole program path birthmarks," in Proceedings of the 7th International Conference on Information Security, LNCS vol. 3225, Springer, pp. 404-415, 2004.
  11. D. Schuler, V. Dallmeier, and C. Lindig, "A dynamic birthmark for Java," in Proceedings of the 22nd IEEE/ACM International Conference on Automated Software Engineering, 2007.
  12. G. Hunt and D. Brubacher, "Detours: binary interception of Win32 functions," in Proceedings of the 3rd USENIX Windows NT Symposium, pp. 135-143, 1999.
  13. C. Wang, "A security architecture for survivability mechanisms," PhD thesis, University of Virginia, 2000.