Towards Optimally Hiding Protected Assets in Software Applications

Software applications contain valuable assets that, if compromised, can make the security of users at stake and cause huge monetary losses for software developers. Software protections are applied whenever assets’ security is at risk as they delay successful attacks. Unfortunately, protections might have recognizable fingerprints that can expose the location of the assets, thus facilitating the attackers’ job. This paper presents a novel approach that uses three main methods to hide the protected assets: protection fingerprint replication, enlargement, and shadowing. The best way to hide assets is determined with a Mixed Integer Linear Program, which is automatically built starting from the code structure, the protected assets, and a model that depicts the dependencies among protection and the fingerprints they generate. Additional constraints, such as overhead limits are also supported to ensure the usability of the protected applications. Our implementation, which uses off-the-shelf solvers, showed promising performance and scalability on large applications.