On Thursdays the USPTO publishes new pending patent applications. Both of todays Spotlight Applications concern aspects of software obsfucation as a security technique. Assigned to Apple, the first application discloses techniques for software data reference obfuscation. Assigned to McAfee, the second application discloses techniques for obfuscated malware detection.
20110167407, "System and method for software data reference obfuscation," assigned to Apple.
Abstract
Disclosed herein are systems, methods, and computer-readable storage media for obfuscating software data references. The obfuscation process locates pointers to data within source code and loads the pointers into an ordered set of pools. The process further shuffles the pointers in the ordered set of pools and adds a function within the source code that when executed uses the ordered set of pools to retrieve the data. The obfuscation process utilizes pool entry shuffling, pool chaining shuffling and cross-pointer shuffling.
20110145921, "Obfuscated malware detection," assigned to McAfee.
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.
Comments