Critical errors in widely used software are discovered almost every day. They currently leave users of that software vulnerable to cyber attacks until the manufacturer eventually supplies a fix - sometimes this takes unacceptably long. There currently is no way that users of commercial off-the-shelf software that is distributed as binary code can go and fix such vulnerabilities themselves, ex post facto, because software is not easily changeable once it has been compiled to binary form. This research project investigates techniques for enabling consumer-side rewriting of binary software. The approach is appealing because it can be deployed quickly in response to new threats, without waiting for code-producers, and can enforce consumer-specific security policies unsupported or unforeseen by the software?s developers. If successful, this research will lead to significant improvements in software security. Consumer-side binary rewriting is currently not feasible because binary files don't contain enough information to do it safely. On the other hand, code producers don't want to reveal too many implementation details of their code due to intellectual property and software piracy concerns. The key goal of this project is to enable code producers to supplement their binary code with a small amount of metadata that can be used, consumer-side, to perform sophisticated binary rewriting, but without disclosing much extra information about the internal working of the code and without making reverse-engineering much easier than before. The project will produce a prototype implementation consisting of a producer-side metadata derivation engine, and a consumer-side binary rewriting engine using this metadata to safely perform binary code manipulation.
TWC: TTP Option: Medium: Collaborative: ENCORE - ENhanced program protection through COmpiler-REwriter cooperation