Opaque Predicates Detection by Abstract Interpretation

  • Mila Dalla Preda
  • Matias Madou
  • Koen De Bosschere
  • Roberto Giacobazzi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4019)


Code obfuscation and software watermarking are well-known techniques designed to prevent the illegal reuse of software. Code obfuscation prevents malicious reverse engineering, while software watermarking protects code from piracy. An interesting class of algorithms for code obfuscation and software watermarking relies on the insertion of opaque predicates. It turns out that attackers based on a dynamic or a hybrid static-dynamic approach are either imprecise or time-consuming in eliminating opaque predicates. We present an abstract interpretation-based methodology for removing opaque predicates from programs. Abstract interpretation provides the right framework for proving the correctness of our approach, together with a general methodology for designing efficient attackers for a relevant class of opaque predicates. Experimental evaluations show that abstract interpretation-based attacks significantly reduce the time needed to eliminate opaque predicates.


Keywords: Basic Block; Abstract Interpretation; Abstract Domain; Brute Force Attack; Completeness Domain
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mila Dalla Preda (1)
  • Matias Madou (2)
  • Koen De Bosschere (2)
  • Roberto Giacobazzi (1)

  1. Department of Computer Science, University of Verona, Italy
  2. Electronics and Information Systems Department, Ghent University, Belgium
