Research On The Technology Of Behavior Based Software Birth- Mark

Along with the rapid developing software industry and the burst of open source projects, software theft (or plagiarism) has become a very serious threat to the healthi-ness of software industry. To protect software intellectual property rights, some schol-ars have proposed a software watermarking technique. Software watermarking can be used to identify the author of the software, the publisher, the owner of the software as well as the user information. It can be used to identify illegal copying behavior and the theft of software products. However, software watermarking needs to embed addition-al code and the it can be easily destroyed by obfuscation and compiler optimization. Following the software watermarking technology, Software birthmark, which repre-sents the unique characteristics of a program, can be used for software theft detection. The state-of-the-art software birthmark called system call dependence graph (SCDG) abstracts the unique signature according to the dynamic run-time behavior of the pro-gram. This new birthmark can detect the partial plagiarism case and is demonstrated the strength against various evasion techniques, including the no-ops system call in-sertion attack.This thesis focus on the research of system call dependency graph(SCDG) based software birthmark and obfuscation technology against this new signature. First, we complete the abstracting of the system call dependency graph based software birth-mark with the extension interface of Valgrind, which is a Dynamic Binary Instrumen-tation Frameworks and an existing tool called Hawk. We compare the classical graph-subgraph isomorphism algorithms and choose the VF2 algorithm to do the matching job of dependency graphs according to our experiment background. And we implement the checking tool in Python script using NetworkX library. Furthermore, we analyzed SCDG’s weakness and propose a new semantic-preserved transformation obfuscation technology which can be used to evade existing detection. We adopt the thought of replacing an original edge with a new vertex and two new edges to destroy the graph structure and to insert the new superfluous system call. This approach affects the na-ture of the graph. However, the embedded system calls must establish new dependence relationship with two original system calls and also not generate any side effect to original program semantics.We use a pair of programs which have been confirmed the presence of code reusing as input to verify the validation of our SCDG abstracting tool. And indeed, we recognize the plagiarism under our checking tool which is an implementation of VF2 algorithm. And this at the same time demonstrate the accuracy of our tools.In ad-dition, we evaluate the obfuscation system against the detecting system with effective-ness and performance overhead. The experiments show that our obfuscation scheme can effectively destroy the original software birthmark with low performance overhead. Although our obfuscation technology can be used to exploit a new attack against the plagiarism detection, we just aim to make new exploration in the software protection field with no intention to add new attacks. And our new method provides a new way to thinking for software diversity.