Research And Implementation Of A Time Diversity Virtual Machine Software Protection Method

Persistent and high-insensitive software protection has become an insistent demand for the research of software security and even for the whole software industry. Virtual machine based software protection has been widely used to protect the core algorithm. However, it is hard to fight against cumulative attack and cannot provide long-term effective protection. Time diversity provides a possible solution for that. Time diversity is used to fight against cumulative attack to make software executed along variant paths in different running time.Aiming at the inefficiently defend to the cumulative attack of the current VM-based software protection, a VM-based software protection method with time diversity, called TDVMP, is proposed in the paper. The key point of the method is to construct multiple execution paths with equivalent semantics leading to dynamically variant execution paths in running time, in order to provide the long-term protection.The research of TDVMP includes following four parts:1) The construction method of diversity. It means to construct the variant handler sequences, including obfuscating the KeyCode, inserting the VHC into handler sequences and construction the multiple handler sets with equivalent semantics.2) The dynamical scheduling on diversity. On the one hand, choose the code block to explain an instruction of KeyCode as the scheduling unit, based on the VM architecture with crossing multi-dispatchers and the chain. On the other hand, implement the dynamical scheduling on diversity by constructing the NFA to control the choosing on sub-paths.3) The evaluation of Time diversity. The differences of the instruction sequences of execution are mainly by cause of the differences of handler sequences. So a metric named variation of execution paths to evaluate the effectiveness of time diversity is proposed and the methods to measure and compute the metric are also presented.4) A prototype of TDVMP is implemented and upon which the experiments are carried out with a set of practical use cases. Experiment results show that our TDVMP is effective and applicable for software protection.