
Last Man Standing or Self Defensive Software

10 January 2014 · 14:57
Issue 48
News
In this article, we’ll try to shed some light on software protection, which is an interesting sub-area of software security. It belongs to software security because it can be seen as the last line of defence (against man-at-the-end attacks) for securing your software against certain types of attack. We call software protection the “last line of defence” because, if the adversary gets past perimeter security measures (firewalls, IDS, AV, etc.), your software must defend itself to protect its intellectual property and to continue running as it was originally programmed.
Software protection is part of software security, so it should be considered a major part of cyber security concepts and studies. In classical cyber warfare approaches, man-in-the-middle attacks are common, so perimeter security plays a major role. Software protection measures, however, complement but do not rely upon network firewalls or hardware security. There are many concrete cases in which you need to protect the software and its content. To name some examples: suppose you are a military contractor producing critical embedded software used in UAV systems. What happens if the UAV is shot down (or hijacked) in the adversary’s territory? What if a maliciously modified/patched version of your fighter’s avionics code, one that behaves unreliably at a critical time, were uploaded into your state-of-the-art new fighter jets? Or imagine you did not have enough time to destroy all the critical software and hardware used in your state-of-the-art spy plane when it was forced to land in a region controlled by your adversary. What happens then?
To see what happens in real life, you can read the discussions, concerns, claims and counter-claims on the net surrounding the Iran-US RQ-170 capture incident in 2011 (http://en.wikipedia.org/wiki/Iran-U.S._RQ-170_incident) and the Hainan Island incident in 2001 (http://en.wikipedia.org/wiki/Hainan_Island_incident). These examples show the importance of employing software and hardware anti-tampering measures in critical system components. Software protection is essential not only for military systems but also for many commercial applications, such as games and consoles. For some types of application, staying unbroken for a couple of weeks longer is the vital factor in the company’s profit.
The methods involved in software protection, such as code obfuscation and anti-debugging techniques, are not used only by the good guys. They can also be employed for malicious purposes, such as cloaking virus code and hiding deliberately planted bugs in code. Moreover, applying software protection methods (whether for good causes or malicious purposes) is a double-edged sword with performance trade-offs: the runtime checks and obfuscation applied to the software slow it down at runtime and increase the code size. The challenge in software anti-tampering studies is to make these trade-offs negligible compared with the benefits.
Another challenge is that almost all public resources on software protection come from academia. Commercial work stays in the dark because “security through obscurity” is partially valid in software protection. You may think this is not the correct approach to security, but in software protection, staying unbroken for a couple of months, weeks or days (even hours in wartime) longer is vital. Academia therefore plays a major role, as it shares knowledge and studies the methods and the attacks at the same time, which helps the research community grow.
Protection is not only of interest to government/military institutions or big companies. Imagine you are a small company or an individual and would like to protect the intellectual property (patents etc.) in your software against big competitors such as multi-billion companies. If they use your code (even if it is patented), you do not have much of a chance in court against them, as they have much greater legal capabilities than yours. So protection methods may be your best option. If you do end up in court, techniques like watermarking and birthmarking can also help you present evidence of the theft.
It is also interesting to note that software protection techniques like code obfuscation are commonly used by virus and malware writers. They use these techniques to hide from virus scanners and to produce polymorphic versions of the same malware. The malware analyst’s job gets more and more difficult when the malware code is furnished with dynamic and static obfuscation methods.
Producing software that protects itself against dynamic and static attacks can also help defend it against zero-day attacks to some extent, because in order to create a zero-day attack, your code must be investigated and its security flaws identified. If you furnish your binaries with anti-tampering techniques, this makes the zero-day researcher’s job tougher.
A well-known and correct motto is “If your computer can see the instructions, then you can see them, too” (Bruce Schneier). However, if you do your best to make the time needed to reverse engineer your code greater (there is currently no exact academic measure for this) than the time originally needed to develop that code, including all its IP, we can say that you have accomplished your task successfully!
 
Last Man Standing or Self Defensive Software | Defence Turkey