A Static Birthmark of Binary Executables Based on API Call Structure

详细信息    查看全文

• 作者：Seokwoo Choi ; Heewan Park ; Hyun-il Lim ; Taisook Han
• 关键词：software piracy ; software birthmark ; binary analysis
• 刊名：Lecture Notes in Computer Science
• 出版年：2007
• 出版时间：2007
• 年：2007
• 卷：4846
• 期：1
• 页码：2-16
• 全文大小：845.6 KB

文摘

A software birthmark is a unique characteristic of a program that can be used as a software theft detection. In this paper we suggest and empirically evaluate a static birthmark of binary executables based on API call structure. The program properties employed in this birthmark are functions and standard API calls when the functions are executed. The API calls from a function includes the API calls explicitly found from the function and its descendants within limited depth in the call graph. To statically identify functions, call graphs and API calls, we utilizes IDAPro disassembler and its plug-ins. We define the similarity between two functions as the proportion of the number of all API calls to the number of the common API calls. The similarity between two programs is obtained by the maximum weight bipartite matching between two programs using the function similarity matrix. To show the credibility of the proposed techniques, we compare the same applications with different versions and the various types of applications which include text editors, picture viewers, multimedia players, P2P applications and ftp clients. To show the resilience, we compare binary executables compiled from various compilers. The empirical result shows that the similarities obtained using our birthmark sufficiently indicates the functional and structural similarities among programs.