
Software protection

Software protection. Mariano Ceccato FBK - Fondazione Bruno Kessler ceccato@fbk.eu. Traditional computer security. Most computer security research: Protect the integrity of a benign host (and its data) from attacks by malicious client programs Basis of the Java security model



  1. Software protection Mariano Ceccato FBK - Fondazione Bruno Kessler ceccato@fbk.eu Obfuscation

  2. Traditional computer security
     • Most computer security research:
       • Protect the integrity of a benign host (and its data) from attacks by malicious client programs
     • Basis of the Java security model
     • Downloaded applet or virus-infested application
     • Restrict the actions that the client is allowed to perform
     • Software isolation
     • A program is not able to write outside of a designated area (sandbox)

  3. More recent computer security
     • Interest in mobile agents changed the view of computer security
     • Benign client code is threatened by the host on which it has been downloaded/installed
     • Defending a client is much more difficult than defending a host.
     • To defend the host, all that is needed is to restrict the client
     • Once the client code is on the host, the host can use any technique to violate its integrity.
     • Software piracy
     • Reverse engineering
     • Software tampering

  4. Problem 1: Malicious Reverse Engineering
     • A valuable piece of code is extracted from an application and incorporated into a competitor’s code.

  5. Problem 2: Software piracy
     • Illegal copying and resale of applications
     • $12 billion per year, a major concern for everyone who sells software
     • Solution used in the past:
       • Dongle (it is weak and it annoys customers)

  6. Problem 3: Software tampering
     • E-commerce application programs contain encryption keys or other secret information. Pirates who are able to extract, modify, or otherwise tamper with this information can inflict significant financial losses on the intellectual property owner.

  7. Problem 1: Malicious Reverse Engineering
     • A valuable piece of code is extracted from an application and incorporated into a competitor’s code.

  8. Scenario
     • [Diagram] Author Alice, Customer Charles, Pirate Bob; Program; IP
     • Technological tools: Obfuscation, Watermarking, Tamperproofing
     • Social tools: Advertising
     • Legal tools: DMCA

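  9. IP In A Program

         import java.util.Hashtable;

         public class Fibonacci {
             // Memo table: n -> fib(n)
             Hashtable<Integer, Integer> memo = new Hashtable<>();

             public int fib ( int n ) {
                 // containsKey, not contains: contains() searches the values
                 if ( !memo.containsKey(n) ) {
                     if ( n <= 2 )
                         memo.put(n, 1);
                     else
                         memo.put(n, fib( n - 1 ) + fib( n - 2 ));
                 }
                 return memo.get(n);
             }
         }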

  10. Obfuscation
      • Obfuscation transforms a program into a new program which:
        • Has the same semantics
        • Is harder to reverse engineer

  11. Example

          public class Fibonacci {
              public int fib ( int n ) {
                  if ( n <= 2 )
                      return 1;
                  else
                      return fib( n - 1 ) + fib( n - 2 );
              }
          }

  12. Example: Obfuscation

          public class x {public int x ( int x ) { return x <=2 ? 1 : x(x-1)+x(x-2); }}

  13. Problem 2: Software piracy
      • Illegal copying and resale of applications
      • $12 billion per year, a major concern for everyone who sells software
      • Solution used in the past:
        • Dongle (it is weak and it annoys customers)

  14. Watermarking
      • Watermarking transforms a program into a new program which:
        • Has the same semantics
        • Contains some additional robust identifier ID

  15. Watermarking

  16. Example: Watermarking

          public class Fibonacci {
              String watermark = "Authored by Alice";

              public int fib ( int n ) {
                  if ( false )    // never executed: the string is only there as a watermark
                      System.out.println( "Authored by Alice" );
                  if ( n <= 2 )
                      return 1;
                  else
                      return fib( n - 1 ) + fib( n - 2 );
              }
          }

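  17. Example: Watermarking

          public class Fibonacci {
              public int fib ( int n ) {
                  // opaquePredicate() is the slide's placeholder: an expression that is
                  // always false at run time but hard to resolve by static analysis
                  if ( opaquePredicate() )
                      System.out.println( "Authored by Alice" );
                  if ( n <= 2 )
                      return 1;
                  else
                      return fib( n - 1 ) + fib( n - 2 );
              }
          }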

  18. Watermarking
      Embed a structure W into a program P such that:
      • W is easy to locate and extract from P
      • Embedding W in P does not affect performance (cheap)
      • Embedding W does not change statistical properties of P (static/dynamic stealth)
      • W has a mathematical property that allows one to argue that its presence in P is the result of a deliberate action (e.g. product of two prime numbers)
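The watermark of slides 17 and 18, as an added example that is not part of the original slides: the class name `WatermarkDemo`, the helper `provesAuthorship`, the concrete opaque predicate and the two sample primes (65537 and 2147483647, kept small for readability) are assumptions made for illustration.

```java
import java.math.BigInteger;

public class WatermarkDemo {
    // Constructed sample value: W = 65537 * 2147483647. Only W ships in the
    // program; Alice keeps the two prime factors private.
    static final long W = 140739635773439L;

    public static int fib(int n) {
        // Opaquely false: n * (n + 1) is a product of consecutive integers, so it
        // is always even (int overflow wraps modulo 2^32 and keeps the parity).
        // The branch never runs, but it keeps W referenced from live-looking code.
        if ((n * (n + 1)) % 2 != 0)
            return (int) (W % n);
        return n <= 2 ? 1 : fib(n - 1) + fib(n - 2);
    }

    // Recognition: the claimant reveals p and q. Accept only if both are prime
    // and their product is exactly the value extracted from the program.
    static boolean provesAuthorship(long extracted, BigInteger p, BigInteger q) {
        return p.isProbablePrime(64)
            && q.isProbablePrime(64)
            && p.multiply(q).equals(BigInteger.valueOf(extracted));
    }

    public static void main(String[] args) {
        System.out.println("fib(10) = " + fib(10));   // semantics unchanged

        BigInteger p = BigInteger.valueOf(65537L);
        BigInteger q = BigInteger.valueOf(2147483647L);
        System.out.println("Alice's claim:  " + provesAuthorship(W, p, q));

        // A claimant who does not know the factors cannot pass the check.
        BigInteger guess = BigInteger.valueOf(2147483649L);
        System.out.println("forged claim:   " + provesAuthorship(W, p, guess));
    }
}
```

The deliberate-action argument only holds when the primes are large enough that factoring W is infeasible for anyone but the party who chose them.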

  19. Additive attack:
      • Add a second watermark to program P.
      • Attack is effective if it is impossible to recover temporal precedence between watermarks.

  20. Distortive attack:
      • Applying semantics-preserving transformations such that:
        • W cannot be recognized
        • P is still useful for the attacker

  21. Collusive attack:
      • Attacker buys several copies of program P, each one with a different fingerprint.
      • By comparing the different copies of P, the fingerprint is located
      • The fingerprint can then be removed/modified

  22. Problem 3: Software tampering
      • E-commerce application programs contain encryption keys or other secret information. Pirates who are able to extract, modify, or otherwise tamper with this information can inflict significant financial losses on the intellectual property owner.

  23. Tamper-proofing
      • Tamper-proofing transforms a program into a new program which:
        • Has the same semantics on expected input
        • “Explodes” when even slightly modified, or when triggered by unexpected input

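  24. Example: Tamper-proofing

          import java.lang.reflect.Method;

          public class Fibonacci {
              public int fibonacci ( int n ) throws Exception {
                  String encrypted = "0x10 0x21 0x11 0xa2 0x22 0x91 0x21 0x13 0xaf 0xff 0xef 0x48 0x12 0xa2 0x22 0x00…";
                  String key = "mykey";
                  // D is the slide's decryption routine (its body is not shown):
                  // it turns the encrypted bytes back into an invocable method
                  Method decrypted = D (encrypted, key);
                  return (Integer) decrypted.invoke( this, n );
              }
          }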
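One way to get the "explodes when modified" behaviour of slides 23 and 24, as an added example that is not part of the original slides: instead of the literal key on slide 24, the key is derived from a hash of the code being guarded, so any patch changes the key and decryption fails. The class `TamperProofDemo`, its helpers, the guarded bytes and the secret are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class TamperProofDemo {
    // The key is never stored: it is recomputed from the bytes being protected.
    static SecretKeySpec keyFrom(byte[] guarded) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(guarded);
        return new SecretKeySpec(digest, "AES");            // 32 bytes: AES-256
    }

    static byte[] crypt(int mode, byte[] guarded, byte[] iv, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, keyFrom(guarded), new GCMParameterSpec(128, iv));
        return cipher.doFinal(data);                        // on decrypt: verifies the tag
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the bytes of the guarded code region.
        byte[] guarded = "if (n <= 2) return 1; else return fib(n-1) + fib(n-2);"
                .getBytes(StandardCharsets.UTF_8);
        byte[] secret = "constructed secret body".getBytes(StandardCharsets.UTF_8);

        // Build time: seal the secret under a key derived from the pristine code.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] sealed = crypt(Cipher.ENCRYPT_MODE, guarded, iv, secret);

        // Run time, unmodified program: the same key is rederived, decryption works.
        byte[] opened = crypt(Cipher.DECRYPT_MODE, guarded, iv, sealed);
        System.out.println("intact:   " + new String(opened, StandardCharsets.UTF_8));

        // Run time, one bit of the guarded region patched: wrong key, tag check fails.
        byte[] patched = guarded.clone();
        patched[7] ^= 0x01;
        try {
            crypt(Cipher.DECRYPT_MODE, patched, iv, sealed);
            System.out.println("patched:  decrypted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("patched:  integrity check failed, refusing to run");
        }
    }
}
```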
