16 research outputs found

    A Survey on Software Protection Techniques against Various Attacks

    Software security and protection play an important role in software engineering. Considerable attempts have been made to enhance the security of computer systems because of the various software piracy and virus attacks in circulation. Preventing attacks on software will have a huge influence on economic development. Thus, it is vital to develop approaches that protect software from threats. Various threats, such as piracy, reverse engineering and tampering, exploit critical and poorly protected software. Thorough threat analysis and new software protection schemes, needed to protect software from analysis and tampering attacks, therefore become very necessary. Various techniques are available in the literature for software protection from various attacks. This paper analyses these techniques, including their functionalities and characteristic features. The main goal of this paper is to analyze the existing software protection techniques and develop an efficient approach which would overcome the drawbacks of the existing techniques

    Revisiting software protection

    We provide a selective survey on software protection, including approaches to software tamper resistance, obfuscation, software diversity, and white-box cryptography. We review the early literature in the area plus recent activities related to trusted platforms, and discuss challenges and future directions

    Approaches to Protecting Software against Malicious-Host Attacks

    The article considers existing approaches to software protection against attacks by malicious hosts. For each approach, its cost and the level of protection it provides are assessed. A combined protection method is proposed that improves on two existing methods: obfuscation based on opaque predicates and tamper protection based on oblivious hashing. The suggested method provides a higher level of protection than the base methods and is applicable to a wider class of programs

    Remote Trust with Aspect-Oriented Programming

    Given a client/server application, how can the server entrust the integrity of the remote client, albeit the latter is running on an un-trusted machine? To address this research problem, we propose a novel approach based on the client-side generation of an execution signature, which is remotely checked by the server, wherein signature generation is locked to the entrusted software by means of code integrity checking. Our approach exploits the features of dynamic aspect-oriented programming (AOP) to extend the power of code integrity checkers in several ways. This paper both presents our approach and describes a prototype implementation for a messaging application

    Memoization Attacks and Copy Protection in Partitioned Applications

    Application source code protection is a major concern for software architects today. Secure platforms have been proposed that protect the secrecy of application algorithms and enforce copy protection assurances. Unfortunately, these capabilities incur a sizeable performance overhead. Partitioning an application into secure and insecure regions can help diminish these overheads but invalidates guarantees of code secrecy and copy protection. This work examines one of the problems of partitioning an application into public and private regions, the ability of an adversary to recreate those private regions. To our knowledge, it is the first to analyze this problem when considering application operation as a whole. Looking at the fundamentals of the issue, we analyze one of the simplest attacks possible, a "Memoization Attack." We implement an efficient Memoization Attack and discuss necessary techniques that limit storage and computation consumption. Experimentation reveals that certain classes of real-world applications are vulnerable to Memoization Attacks. To protect against such an attack, we propose a set of indicator tests that enable an application designer to identify susceptible application code regions

    Provenance Tracking in a Commons of Geographic Data

    Advancement in digital archiving technologies provides researchers with a multitude of methods for sharing their research and data digitally with others. However, when acquiring data from others directly or indirectly the law often imposes an assumption of copyright in the dataset acquired. This creates a difficult legal situation affecting future use and creation of derivative works from the data. A digital commons may be defined as a shared resource in which creators of contributed materials (data) grant a legal right for all others to use the material under the provisions of an open-access license. This thesis hypothesizes that an approach can be developed that automates the intellectual property rights and licensing management for contributors to a commons of geographic data. In addition, an approach can be developed such that contributors receive credit for their data, and the source of the data can be identified even through generations of alteration and reuse. The technological approach presented centers around embedding both visible and hidden identifiers in contributed data files. The identifiers, which remain intact through reuse and derivatives of the data, display the open-access licensing provisions to future users of the data. The research also involves using the identifiers to retrieve standards-compliant metadata records for the data and preserve links between different versions of the data. Because contributors of data are more likely to receive credit and recognition for their contributions of data when used by others and legal clarity is increased, this new approach may provide incentives to contributors to more openly share data and thereby provide greater benefits to the community through its availability

    Software Protection with Code Mobility

    The analysis of binary code is a common step of Man-At-The-End attacks, used to identify code sections crucial to implementing attacks, such as identifying private keys hidden in the code, identifying sensitive algorithms, tampering with the code to disable protections (e.g. license checks or DRM) embedded in binary code, or using the software in an unauthorized manner. Code Mobility can be used to thwart code analysis and debugging by removing parts of the code from the deployed software program and installing them at run-time by downloading binary code blocks from a trusted server. The proposed architecture of the code mobility protection downloads mobile code blocks, which are allocated dynamically at addresses determined at run-time; control transfers into and out of mobile code blocks are rewritten using the Diablo binary-rewriter tool

    Software release and deployment at Exact: a case study report

    For vendors of product software it is becoming more and more difficult to manage and control the software configurations of all their users at the customer's site. It is labour intensive and error-prone to (semi)automatically register detailed lists of the software artefacts in use by each customer. To alleviate this problem the Deliver project proposes an Intelligent Software Knowledge Base that contains all facts about all artefacts together with their relevant attributes, relations and constraints. In this way, high-quality software configurations can be calculated automatically from a small set of key parameters. It also becomes possible to pose what-if questions about necessary or future upgrades of a customer's configuration. This document describes a case study performed at Exact Software into the processes of release and deployment. The results of the case study are presented, consisting of process descriptions of the development, release and deployment processes at Exact Software, a comparison to the Intelligent Software Knowledge Base, and an analysis of the result