Tools for Software Protection Abstract

1Watermarking,Tamper-Proofing,andObfuscation—ToolsforSoftwareProtectionChristianS.CollbergDepartmentofComputerScienceUniversityofArizonaTucson,AZ85721collberg@cs.arizona.eduClarkThomborsonDepartmentofComputerScienceUniversityofAucklandAuckland,NewZealandcthombor@cs.auckland.ac.nzAbstractWeidentifythreetypesofattackontheintellectualpropertycontainedinsoftware,andthreecor-respondingtechnicaldefenses.Apotentdefenseagainstreverseengineeringisobfuscation,aprocessthatrenderssoftwareunintelligiblebutstillfunctional.Adefenseagainstsoftwarepiracyiswater-marking,aprocessthatmakesitpossibletodeterminetheoriginofsoftware.Adefenseagainsttamperingistamper-proofing,sothatunauthorizedmodificationstosoftware(forexampletoremoveawatermark)willresultinnon-functionalcode.Webrieflysurveytheavailabletechnologyforeachtypeofdefense.Keywords:obfuscation,watermarking,tamper-proofing,intellectualpropertyprotection.Figure1:Attacksbymaliciousclientsandhosts.(a)Attackbyamaliciousclient.InstallDownload/BenignhostMaliciousclientprogram/appletC(b)Attackbyamalicioushost.MalicioushostInstallDownload/Benignclientprogram/appletC1Background–MaliciousClientsvs.MaliciousHostsUntilrecently,mostcomputersecurityresearchwasconcernedwithprotectingtheintegrityofabenignhostanditsdatafromattacks,forexamplefrommaliciousclientprograms(Figure1(a)).ThisassumptionofabenignhostispresentinNeumann’sinfluentialtaxonomyof“computer-relatedrisks,”inwhichthejobofasecurityexpertistodesignandadministercomputersystemsthatwillfulfill“certainstringentsecurityrequirementsmostofthetime”[64,p.4].Othersecurityexpertsexpresssimilarworldviews,sometimesbychoosingatitlesuchas“PrinciplesandPracticesforSecuringITSystems”[82];sometimesbymakingexplicitdefinitionsthatpresupposebenignhosts“...asecurityflawisapartofaprogramthatcancausethesystemtoviolateitssecurityproperties”[48];sometimesinanexplanation“...vulnerabilitiestothesystem...couldbeexploitedtoprovideunauthorizedaccessoruse.”[42,p.51];andsometimesinastatementofpurpose“[wetake]theviewpointofthesystemowner.”[52].Thebenign-hostworldviewisthebasisoftheJavasecuritymodel,whichisdesignedtoprotectahostfromattacksbyapotentiallymaliciousdownloadedappletoravirus-infestedinstalledapplication.Theseattacksusuallytaketheformofdestroyingorotherwisecompromisinglocaldataonthehostmachine.Todefenditselfanditsdataagainstamaliciousclient,ahostwilltypicallyrestricttheactionsthattheclientisallowedtoperform.IntheJavasecuritymodel,thehostusesbytecodeverificationtoensurethetypesafetyoftheuntrustedclient.Additionally,untrustedcode(suchasapplets)ispreventedfromperformingcertainoperations,suchaswritingtothelocalfilesystem.AsimilartechniqueisSoftwareFaultIsolation[53,90,91],whichmodifiestheclientcodesothatitisunabletowriteoutsideitsdesignatedarea(the“sandbox”).2Arecentsurgeofinterestin“mobileagent”systemshascausedresearcherstofocusattentiononafundamentallydifferentviewofsecurity[17,88].SeeFigure1(b),illustratingabenignclientcodebeingthreatenedbythehostonwhichithasbeendownloadedorinstalled.A“malicioushostattack”typicallytakestheformofintellectualpropertyviolations.Theclientcodemaycontaintradesecretsorcopyrightedmaterialthat,shouldtheintegrityoftheclientbeviolated,willincurfinanciallossestotheowneroftheclient.Wewillnextconsiderthreemalicious-hostattackscenarios.1.1MalicioushostattacksSoftwarepiracy,theillegalcopyingandresaleofapplications,isa12billiondollarperyearindustry[67].Piracyisthereforeamajorconcernforanyonewhosellssoftware.Intheearlydaysofthepersonalcomputerrevolution,softwaredevelopersexperimentedvigorouslywithvariousformsoftechnicalpro-tection[34,37,56–59,79,96]againstillegalcopying.Someearlycopyprotectionschemeshavebeenaban-doned,sincetheywerehighlyannoyingtohonestuserswhocouldnotevenmakebackupcopiesoflegallypurchasedsoftware,orwholostthehardware“dongle”requiredtoactivateit.Anumberofdonglemanu-facturersarestillinbusiness;oneisfrankenoughtostate“...thesoftwareinterrogatingthedongle[maybe]theweakestpartofthesystem...Anydonglemanufacturerwhoclaimsthattheirsystemisunbeatableislying.”[83].Softwarepiracyislikelytocontinuesolongasitcontinuestobeeasy,deliversimmediatetangibleorintangiblerewardstothepirate,andissociallyacceptable[51].Ourgoalinthispaperistomakepiracymoredifficult.Wenotethatsoftwarepiracyissociallyacceptableinsettingsthatencourageabeliefininsiders’entitlement[72],pricediscrimination[33],“cooperationismoreimportantthancopyright”[81],ortraditionalConfucianethics[16]–butalsosee[85].Manysoftwaredevelopersalsoworryabouttheirapplicationsbeingreverseengineered[4,55,76,78,87].Severalcourtcaseshavebeentriedinwhichavaluablepieceofcodewasextractedfromanappli-cationandincorporatedintoacompetitor’scode.Suchthreatshaverecentlybecomemoreofaconcernsince,moreandmore,programsaredistributedineasilydecompilableformatsratherthannativebinarycode[68,89].ImportantexamplesincludetheJavaclassfileformatandANDF[54].3Figure2:Attacksagainstsoftwareintellectualproperty.(a)Softwarepiracyattack.BobmakesillegalcopiesofAlice’sprogramPandresellsthem.BuyonecopyMakeillegalcopiesResellAliceBobPPP(