Data Sheet - Pride In Performance

Information System Security Operation
State-of-the-Art in Decompilation and Disassembly: Protection Against Reverse Engineering - Study Of Means Available To Attackers Of Software Protection Schemes

Overview

Reverse engineering is the process of deriving, from a compiled program, a higher-level engineering description of its function, in the form of source code or another specification. The main tools for software reverse engineers come from the class of disassembly/decompilation tools. These tools turn machine code into assembly language or a high-level language, and can be used to provide insight into the execution plan and structure of a program and the algorithms used in the program. As software becomes more sophisticated and improved capabilities for software protection are developed, the importance of disassembly and decompilation tools will increase, since they are the best means the attacker has for locating and assessing software protection techniques as well as for analyzing the software being attacked.

We surveyed the field of reverse engineering, including both academic research and practical experience, and created a framework for the evaluation of reverse engineering tools. The resulting framework had separate sets of attributes for evaluating static and dynamic decompilation and program observation tools, and auxiliary tools. We constructed a standard set of test cases, chosen to exercise the features of decompilers and disassemblers, including obfuscated programs. Our framework gave weight to both the theoretical and the practical aspects of the field, based on our experience. We published a report describing our evaluation framework and sought comment from tool producers, knowledgeable researchers, and industry colleagues.

Research Approach

Traditionally, the government has sought to protect its software property by limiting access to the powerful computers the software runs on, but cheap computers have made this strategy less effective. If the software is to be protected by other means, it is necessary to have an idea of the means available to reverse engineers and of the possible countermeasures to those means. We performed a study of this critical area and produced a report on the State of the Art in Disassembly and Decompilation. This investigation was designed to provide comprehensive information relevant to protecting Government software from reverse engineering by a determined, well-equipped adversary with the best tools available.

We developed and reported on a framework for the analysis of static and dynamic reverse engineering tools. We then systematically investigated available decompilers and disassemblers for multiple languages and platforms. We evaluated 14 tools in depth, employing a total of over 1000 test cases. We also analyzed, in a less structured fashion, six tools that did not fit into the formal framework. These results were described in a second report. Our final report assessed the results of the investigation and provided an estimate of the tools currently available to adversaries and likely to become available in the 5-7 year time frame.

This work was sponsored by the Air Force Research Laboratory (AFRL), through the Advanced Technology Software Protection Initiative (AT-SPI) program, Contract Number F33615-02-C-1296, with McAfee Research, which is now the Security Research Division of SPARTA.


We evaluated dynamic analysis in addition to decompilation because some of the defenses against static analysis suggested by an evaluation of decompilers alone would be insufficient to defend against dynamic methods. Effective defenses must address both static and dynamic reverse engineering techniques.

Our final report on "State of the Art in Decompilation and Disassembly" drew conclusions about the state of the art from the data observed, including a description of areas where tools are not available, and the extent to which reverse engineering can be hindered by the use of countermeasures such as obfuscation. This report includes an evaluation and critique of each approach, a discussion of proven and possible countermeasures for each approach, and an assessment of the computer languages that have the best defensive capabilities against disassembly and decompilation. It also includes an assessment of processor sophistication (i.e., machine instruction set) versus tool capability, and a demonstration of pertinent disassembler and decompiler software where it exists. Our reports document our experiments with individual reverse engineering tools and our observations and evaluations, in order to enable other researchers to duplicate demonstrations, experiments, and results and also to verify conclusions. We reviewed and analyzed related and supporting work, including a comprehensive bibliography and references.

Conclusions

We found that most current decompilation and disassembly tools are designed to deal with well-formed programs, and are intended for use in program maintenance. Elementary countermeasures often cause such tools to fail completely. Existing tools also require highly trained operators to use them or to understand their output. There are several areas where tools that would assist reverse engineering are not available at all; there is no intrinsic barrier to the construction of such tools other than cost.

The tools we examined, however, were built for purposes other than defeating anti-tamper measures. An adversary who wishes to overcome the protection on Government software and either steal the technology embodied in the program or use the program in an unauthorized way could use tools that represent the current state of the art for purposes other than those for which they were designed. To achieve greater success, such an adversary would have to build tools specifically designed to counter anti-reverse-engineering measures. In the 5-7 year time frame, we believe that decompilers and disassemblers could be built that are far more capable than those now available, and which are able to overcome most code protection measures.
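The failure mode described in the conclusions, an elementary countermeasure defeating a maintenance-oriented tool, can be shown in miniature. The following Python is an added example and is not code from the SPARTA study or its reports: it decodes a hand-picked subset of x86 opcodes (the supported instruction set and the sample bytes are constructed here, not taken from any evaluated tool or test case) and runs two disassembly strategies over the same bytes. A single junk byte placed after an unconditional jump desynchronizes a linear sweep, which decodes bytes in address order, while a recursive traversal, which follows control flow, is unaffected.

```python
"""Added example: linear sweep vs recursive traversal on a small x86 subset."""
import struct

# 32-bit general-purpose registers in ModRM register-number order.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code: bytes, pc: int):
    """Decode one instruction at pc.

    Returns (text, length, successors). 'successors' are the addresses
    control can reach next: none for ret, the target for jmp, and the
    fall-through plus the target for call. Only the handful of opcodes the
    demo needs are handled (an assumption of this example); anything else
    raises ValueError, and a truncated immediate raises struct.error.
    """
    op = code[pc]
    if op == 0x90:
        return "nop", 1, [pc + 1]
    if op == 0xC3:
        return "ret", 1, []
    if op == 0xEB:  # jmp rel8
        rel = struct.unpack_from("<b", code, pc + 1)[0]
        target = pc + 2 + rel
        return f"jmp 0x{target:x}", 2, [target]
    if op == 0xE8:  # call rel32
        rel = struct.unpack_from("<i", code, pc + 1)[0]
        target = (pc + 5 + rel) & 0xFFFFFFFF
        return f"call 0x{target:x}", 5, [pc + 5, target]
    if op == 0xB8:  # mov eax, imm32
        imm = struct.unpack_from("<I", code, pc + 1)[0]
        return f"mov eax, 0x{imm:x}", 5, [pc + 5]
    if op == 0x31:  # xor r/m32, r32; register-direct form only (mod == 3)
        modrm = code[pc + 1]
        if modrm >> 6 != 3:
            raise ValueError(f"unsupported xor encoding at 0x{pc:x}")
        return f"xor {REGS[modrm & 7]}, {REGS[(modrm >> 3) & 7]}", 2, [pc + 2]
    raise ValueError(f"unknown opcode 0x{op:02x} at 0x{pc:x}")


def linear_sweep(code: bytes):
    """Decode every byte in address order, as a maintenance-oriented
    disassembler does. Undecodable bytes are emitted as 'db' and skipped."""
    listing, pc = [], 0
    while pc < len(code):
        try:
            text, length, _ = decode(code, pc)
        except (ValueError, struct.error):
            text, length = f"db 0x{code[pc]:02x}", 1
        listing.append((pc, text))
        pc += length
    return listing


def recursive_traversal(code: bytes, entry: int = 0):
    """Decode only the bytes reachable by following control flow from entry."""
    seen, work = {}, [entry]
    while work:
        pc = work.pop()
        if pc in seen or not 0 <= pc < len(code):
            continue
        try:
            text, _, succ = decode(code, pc)
        except (ValueError, struct.error):
            seen[pc] = f"db 0x{code[pc]:02x}"
            continue
        seen[pc] = text
        work.extend(succ)
    return sorted(seen.items())


# Constructed sample. The byte at 0x2 is never executed, but because 0xE8 is
# the 'call rel32' opcode, a linear sweep swallows the next four bytes (the
# real xor and ret) as the call's displacement and never sees them.
SAMPLE = bytes([
    0xEB, 0x01,   # 0x0: jmp 0x3
    0xE8,         # 0x2: junk byte (elementary anti-disassembly trick)
    0x31, 0xC0,   # 0x3: xor eax, eax
    0xC3,         # 0x5: ret
    0x90, 0x90,   # 0x6: padding
])


if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive traversal", recursive_traversal(SAMPLE))):
        print(f"--- {name}")
        for addr, text in listing:
            print(f"  0x{addr:x}: {text}")
```

On the constructed sample the linear sweep reports a bogus call at 0x2 and a nop at 0x7 and loses the xor and ret entirely, while the traversal lists exactly the three executed instructions. The traversal is not a general answer either: an indirect jump through a register or an opaque predicate hides the true target from any static follower, which is the reason the study evaluated dynamic observation tools alongside static ones.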

For more information call us at 410-872-1515, send an e-mail to [email protected], or visit us on the Web at http://www.isso.sparta.com/research. SPARTA, Inc. 7075 Samuel Morse Drive, 2nd Floor, Columbia, MD 21046