Apple Invents Secrets-based Security Measure Relating to the Detection of Unauthorized Calls to Software Routines
According to a New York Times report published this week, a particularly nasty mobile malware campaign targeting Android users has hit between four million and 4.5 million Americans since January of 2013. In a mid-January security report, Cisco claimed that ninety-nine percent of all mobile malware targeted Android devices. And while security firms have tried to sully Apple's iOS reputation for not having malware with reports about the recent Masque attack, Apple responded quickly. They also noted that they "…designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software." This week the US Patent & Trademark Office published a patent application from Apple that reveals systems and methods for a security measure that prevents unauthorized calls from being made to protected functions of software. Apple describes embedding secrets in each function that can't be hacked.
Apple's Patent Background
Software developers invest considerable resources in the development and maintenance of computer software. This investment often results in the development of proprietary algorithms that are advantageous over those used by the competition and which the developer would like to keep secret so as to leverage the superiority of the algorithm. In addition to proprietary algorithms, software may also contain other embedded secrets such as cryptographic keys. Because of the plethora of important information, software is often the target of various reverse engineering efforts to dissect, analyze, and discover how it works.
One approach frequently used by attackers to minimize the reverse engineering effort is to lift whole sections, such as individual functions, from a program. For example, if a program includes a function to decrypt a song prior to playback, instead of reverse engineering the decryption function, the attacker could simply call the decryption function providing the proper input parameters. Because this type of attack can be used to bypass media protection technologies, such as digital rights management technologies, software developers have used a variety of code obfuscation and anti-tamper techniques to thwart these reverse engineering attacks. Unfortunately, previous techniques have suffered from a number of drawbacks including code bloat, architecture-specific solutions, and lack of stealth.
Apple Invention Covers Preventing Unauthorized Calls to a Protected Function
Apple's invention relates to systems, methods, and non-transitory computer-readable storage media for detecting and reacting to unauthorized calls to software routines using a call path enforcement (CPE) obfuscation technique.
The CPE technique can be applied to a program by an obfuscation tool, such as a compiler, to produce a protected program. The CPE technique uses static information about a program's call structure to identify execution paths to a selected function. The CPE constructs a whitelist of authorized execution paths to the selected function based on the identified execution paths. The whitelist can include all identified execution paths, or can be limited to those execution paths with a path length less than or equal to a predefined maximum path length. In some cases, an execution path with a length greater than the predefined maximum can be truncated to the predefined maximum path length.
The CPE then uses the authorized execution paths to generate a verification polynomial. The verification polynomial can be generated by first assigning a secret value to each function on at least one authorized execution path. For each authorized execution path, the CPE generates a path representation by combining the assigned secret values. The CPE constructs the verification polynomial such that each authorized path representation is a root of the polynomial.
The CPE can then embed instructions throughout the program that ensure the functions in the program are executed according to one of the authorized execution orders. To ensure the functions are executed in an authorized order, the CPE can embed a secret in each function on an authorized execution path. The embedded secret value can be stored in a local variable that is pushed on the runtime stack during execution. At runtime, after a protected function is called, the embedded instructions can trace up the runtime stack to identify any secret values pushed onto the stack by previous functions in the execution path. The embedded instructions can combine the secrets to generate a representation for the runtime execution path to the protected function. The embedded instructions can combine the identified secret values using the same process as was used during the CPE obfuscation process. The embedded instructions can then verify that the runtime representation matches an authorized representation by evaluating the verification polynomial using the runtime representation as an input. If the verification fails, the program can be made to fail either immediately or at some later point in the execution. In some cases, the runtime verification value can be used to manipulate program data, or used in the execution of a callback function.
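As an added illustration (not code from Apple's patent application or from this article), the following Python example simulates the steps described above: whitelisting call paths to a protected function, assigning a secret to each function, building a verification polynomial whose roots are the authorized path representations, and checking a runtime stack against it. The call graph, the function names, the prime modulus, and the way secrets are combined are assumptions chosen for the example; a list of pushed secrets stands in for the runtime stack.

```python
import secrets
P = (1 << 61) - 1          # prime modulus for the arithmetic (assumed choice)
MAX_LEN = 3                # predefined maximum path length

# Constructed call graph: caller -> callees. "decrypt" is the protected function.
CALLS = {"main": ["play", "preview"], "play": ["decrypt"],
         "preview": ["decrypt"], "decrypt": []}

def paths_to(target, graph, root="main"):
    """Enumerate acyclic call paths root..target, truncated to the last MAX_LEN functions."""
    found, stack = set(), [(root,)]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            found.add(path[-MAX_LEN:])
            continue
        stack.extend(path + (c,) for c in graph[path[-1]] if c not in path)
    return found

def combine(values):
    """Order-sensitive fold of secret values into one path representation (assumed method)."""
    rep = 0
    for v in values:
        rep = (rep * 1_000_003 + v) % P
    return rep

def build_polynomial(roots):
    """Coefficients (lowest degree first) of prod(x - r) mod P."""
    coeffs = [1]
    for r in roots:
        shifted = [0] + coeffs                         # x * poly
        scaled = [(-r * c) % P for c in coeffs] + [0]  # -r * poly
        coeffs = [(a + b) % P for a, b in zip(shifted, scaled)]
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation mod P; 0 means x is an authorized representation."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

# Obfuscation time: one secret per function, polynomial over the authorized paths.
SECRETS = {f: secrets.randbelow(P - 1) + 1 for f in CALLS}
POLY = build_polynomial(combine(SECRETS[f] for f in p) for p in paths_to("decrypt", CALLS))

def check_call(runtime_stack):
    """Run inside the protected function: combine the secrets found on the stack and verify."""
    return evaluate(POLY, combine(runtime_stack[-MAX_LEN:])) == 0
```

Only the expanded coefficients of the polynomial are kept in this example, so the authorized path representations themselves are not stored as a plain list that a lifted copy of the function could compare against.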
Apple's patent FIG. 9 illustrates an exemplary method embodiment for obfuscating a program using the CPE technique.
Apple's patent FIG. 10 illustrates an exemplary method embodiment for executing a program obfuscated using the CPE technique.
Apple credits Jon McLachlan, Julien Lerouge, Daniel Reynaud and Eric Laspe as the inventors of patent application 20140344924 which was originally filed in Q2 2013. It's a very technical patent that programmers will likely want to review further and could do so here. Whether this invention is in use today or is on the way is unknown at this time.