final_submission

DCVP.tex

@@ -15,7 +15,7 @@
 
 % Package to generate and customize Algorithm as per ACM style
 
-\usepackage[colorlinks,bookmarksopen,bookmarksnumbered,citecolor=blue,urlcolor=red]{hyperref}
+\usepackage[colorlinks,bookmarksopen,bookmarksnumbered,citecolor=black,urlcolor=black]{hyperref}
 \usepackage{array}
 \usepackage{graphicx}
 %\usepackage{caption}
@@ -161,7 +161,7 @@
 %Northwest University, Xi¡¯an, China, 710127.
 Email: [email protected].
 
-Author's addresses: G. Li, K. Kuang, Z. Tang, D. Fang, X. Chen,
+Author's addresses: Z. Tang, K. Kuang, G. Li, D. Fang, X. Chen,
 School of Information Science and Technology,
 Northwest University, Xi¡¯an, China, 710127;
 D. Ma, Department of Computer and Information Science,
@@ -410,12 +410,7 @@ \subsection{Effectiveness Evaluation}
 form \texttt{handlers} is tedious and error-prone.
 Therefore, it will save analysts lots of time and energy if the semantics of bytecode instructions are accessible,
 
-\begin{figure}[!t]
-\centering
-\includegraphics[width=0.5\textwidth]{fig/opfreq.pdf}
-\caption{The average frequencies of \textit{opcodes}. The horizontal axis specifies the \textit{opcodes}.}
-\label{fig:freq}
-\end{figure}
+
 
 without bothering to trace and analyze the \texttt{handlers} once again.
 DCVP's aim is to frustrate this attempt and force analysts to analyze the \texttt{handlers} every time.
@@ -435,7 +430,7 @@ \subsection{Effectiveness Evaluation}
 Therefore, we believe DCVP can effectively remove the \textit{analysis knowlege}
 about the semantics of bytecode instructions.
 
-We also put the four target programs (Table~\ref{tab:statistics}) together 
+We also put the four target programs (Table~\ref{tab:statistics}) together
 and count the average frequencies of \textit{opcodes}.
 We take the obfuscated programs with 1, 2, 4, 8, 16, and 32 partitions for comparison.
 The results are presented in figure \ref{fig:freq}.
@@ -484,13 +479,18 @@ \subsection{Overhead Evaluation}
 \end{tabnote}
 \end{table}
 
-
+\begin{figure}[!t]
+\centering
+\includegraphics[width=0.5\textwidth]{fig/opfreq.pdf}
+\caption{The average frequencies of \textit{opcodes}. The horizontal axis specifies the \textit{opcodes}.}
+\label{fig:freq}
+\end{figure}
 
 \begin{figure}[t]
 \centering
 \begin{minipage}[t]{0.32\linewidth}
 \centering
-\includegraphics[width=0.9\textwidth]{fig/filesize.pdf}
+\includegraphics[width=1\textwidth]{fig/filesize.pdf}
 \caption{The impact on code size (KB) of DCVP. The file size slightly increased with the increase of number of partitions}
 \label{fig:filesize}
 \end{minipage}
@@ -499,14 +499,14 @@ \subsection{Overhead Evaluation}
 \begin{minipage}[t]{0.32\linewidth}
 %\begin{figure}[t]
 \centering
-\includegraphics[width=0.9\textwidth]{fig/runtime.pdf}
+\includegraphics[width=1\textwidth]{fig/runtime.pdf}
 \caption{The impact on runtime performance ($\mu$s) of DCVP with different partitions.}
 \label{fig:runtime}
 \end{minipage}
 \hspace{0.005\textwidth}
 \begin{minipage}[t]{0.32\linewidth}
 \centering
-\includegraphics[width=0.9\textwidth]{fig/avg_runtime.pdf}
+\includegraphics[width=1\textwidth]{fig/avg_runtime.pdf}
 \caption{The average runtime overhead per dynamically executed critical instruction.}
 \label{fig:avgruntime}
 \end{minipage}
@@ -650,7 +650,8 @@ \section{Related Work}\label{sec:related}
 which is orthogonal to the above approaches and is complementary to them.
 
 
-Has been also have some deobfuscation techniques of code virtualization was put forward. Representative like,
+Some deobfuscation techniques of code virtualization have been also put forward in recent years.
+The representative researches are as follows, 
 Sharif et al.~\cite{sharif2009automatic} used dynamic data-flow and taint analysis to identify data buffers
 containing the bytecode program and extract the syntactic and semantic information about the bytecode instructions.
 Coogan et al.~\cite{coogan2011deobfuscation} proposed an approach to identify instructions that related to system calls, and automatically extract an approximate dynamic trace of the original code.
@@ -699,7 +700,7 @@ \section{Conclusion}
 
 % Acknowledgments
 \begin{acks}
-This work was partial supported by projects of the National Natural Science Foundation of China (No. 61373177, No. 61572402),
+This work was partial supported by projects of the National Natural Science Foundation of China (No. 61373177, No. 61572402, No. 61672427),
 the Key Project of Chinese Ministry of Education (No. 211181),
 the International Cooperation Foundation of Shaanxi Province, China (No. 2013KW01-02, No. 2015KW-003, No. 2016KW-034),
 the China Postdoctoral Science Foundation (grant No. 2012M521797),

abstract.tex

@@ -6,7 +6,7 @@
 across programs. This, however, opens up a security hole where an experienced
 attacker can use knowledge extracted from other programs to quickly uncover
 the mapping between virtual instructions and native code for applications
-protected under the same scheme. In this paper, we propose a novel VM-code
+protected under the same scheme. In this paper, we propose a novel VM-based code
 obfuscation system to address this problem. The core idea of our approach is
 to obfuscate the mapping between the opcodes of bytecode instructions and
 their semantics. We achieve this by partitioning each protected code region
@@ -18,6 +18,6 @@
 native code mappings obtained from other programs is unlikely to be useful
 for a new program. We evaluate our approach on a set of real-world
 applications and compare it against two state-of-the-art VM-based code
-obfuscation approaches. Experimental results show that our simple approach is effective, 
+obfuscation approaches. Experimental results show that our simple approach is effective,
 which provides stronger protection at the cost of little extra overhead.
 \end{abstract}

background.tex

@@ -11,7 +11,7 @@ \section{Background}\label{sec:background}
 %Virtualization technique has been used in many fields, e.g.
 %virtual memory for resource virtualization, VMware and VirtualBox for CPU virtualization,
 %and Java bytecode and .Net CIL for application virtualization.
-Visualization techniques is widely used to protect software programs from unauthorized analyses.
+Virtualization techniques is widely used to protect software programs from unauthorized analyses.
 Examples of VM-based code obfuscation tools include VMProtect~\cite{vmp}, Code Virtualizer~\cite{cv} and~\cite{Themida}.
 Code obfuscation often comes at a cost, with bloating code size and longer execution time.
 To minimize the overhead, in practice only critical parts of the software will be obfuscated~\cite{geneiatakis2012adaptive}.
@@ -26,22 +26,22 @@ \section{Background}\label{sec:background}
 to translate the IS to native code.
 Interpretation of virtual instructions follows the classical \textit{decode-dispatch} approach \cite{ghosh2012replacement},
 using a bundle of \texttt{handlers} and a \texttt{VMloop}.
-Here, the \texttt{VMloop} is the execution engine which fetches and decodes a bytecode instruction 
+Here, the \texttt{VMloop} is the execution engine which fetches and decodes a bytecode instruction
 and then dispatches a \texttt{handler} to interpret instruction.
-%Bytecode instructions are compiled for a virtual context,  
+%Bytecode instructions are compiled for a virtual context,
 \texttt{VMcontext}, which contains hardware-independent virtual registers and flags.
-At runtime, the virtual registers and flags will be mapped down to the underlying hardware, 
-and the \texttt{VMInit} is responsible for saving the native context and initializing the \texttt{VMcontext}. 
+At runtime, the virtual registers and flags will be mapped down to the underlying hardware,
+and the \texttt{VMInit} is responsible for saving the native context and initializing the \texttt{VMcontext}.
 In comparison, \texttt{VMExit} restores the native context when exiting VM.
-Finally, these VM components will be assembled into a new section and attached to 
+Finally, these VM components will be assembled into a new section and attached to
 the end of the target program through binary rewriting.
-This work targets two key components of the VM-based obfuscation architecture, 
+This work targets two key components of the VM-based obfuscation architecture,
 highlighted as two regions Figure \ref{fig:vmprotection} (a and b).
-Our approach divides the protected code region to different sections. 
-It generates multiple implementations for each bytecode handler using code obfuscation techniques. 
-Different implementations of the same bytecode handler will produce an identical output for a given virtual instruction, 
-by they follow different execution paths and exhibit diverse behavior during runtime. 
-We further enhance the strength of the protection by using a number of obfuscation 
+Our approach divides the protected code region to different sections.
+It generates multiple implementations for each bytecode handler using code obfuscation techniques.
+Different implementations of the same bytecode handler will produce an identical output for a given virtual instruction,
+by they follow different execution paths and exhibit diverse behavior during runtime.
+We further enhance the strength of the protection by using a number of obfuscation
 and anti-taint analysis technologies to protect the important components of the VMCore.