Design and Evaluation of Dynamic Software Birthmarks Based on API Calls

This paper presents a technique of dynamic software birthmarks to support efficient detection of software theft. A dynamic birthmark f(p, I) is a set of unique and native characteristics of a program p, obtained by executing p with a given input I . For a pair of software p and q, if f(p, I) = f(q, I) holds, q is suspected as a copy of p. In this paper, we propose two kinds of dynamic birthmarks, EXESEQ and EXEFREQ for the above f . In general, it is difficult for adversaries to alter API calls in the binary code automatically. Based on the fact, we extensively use runtime information of API calls as a strong signature of the program, specifically, the execution order for EXESEQ and the frequency distribution for EXEFREQ. We evaluated the proposed birthmarks through two experiments. The first experiment evaluates the preservation and distinction properties of the birthmarks with a set of the same-purpose applications. In the second experiment, we examined the impact of using different compilers. The results showed that the birthmarks of an extended-version application was very similar to that of its ancestor application, and that the birthmarks are robust enough to tolerate different compilers.