A framework for secure execution of software

The protection of software applications is one of the most important problems to solve in information security because it has a crucial effect on other security issues. We can find in the literature many research initiatives that have tried to solve this problem, many of them based on the use of tamperproof hardware tokens. This type of solution depends on two basic premises: (i) increasing the physical security by using tamperproof devices and (ii) increasing the complexity of the analysis of the software. The first premise is reasonable. The second one is certainly related to the first one. In fact, its main goal is that the pirate user not be able to modify the software to bypass an operation that is crucial: checking the presence of the token. However, experience shows that the second premise is not realistic because analysis of the executable code is always possible. Moreover, the techniques used to obstruct the analysis process are not enough to discourage an attacker with average resources.In this paper, we review the most relevant works related to software protection, present a taxonomy of those works, and, most important, introduce a new and robust software protection scheme. This solution, called SmartProt, is based on the use of smart cards and cryptographic techniques, and its security relies only on the first of the premises given above; that is, SmartProt has been designed to avoid attacks based on code analysis and software modification. The entire system is described following a lifecycle approach, explaining in detail the card setup, production, authorization, and execution phases. We also present some interesting applications of SmartProt as well as the protocols developed to manage licences. Finally, we provide an analysis of its implementation details.

[1]  Stefan Fünfrocken,et al.  Protecting Mobile Web-Commerce Agents with Smartcards , 1999, Autonomous Agents and Multi-Agent Systems.

[2]  Antonio Maña Protección de software basada en tarjetas inteligentes , 2003 .

[3]  José M. Troya,et al.  Access Control Infrastructure for Digital Objects , 2002, ICICS.

[4]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[5]  Steve Petri An Introduction to Smart Cards , 2004 .

[6]  Christian S. Collberg,et al.  Software watermarking: models and dynamic embeddings , 1999, POPL '99.

[7]  Peter Wayner,et al.  Disappearing Cryptography: Information Hiding: Steganography and Watermarking (2nd Edition) , 2002 .

[8]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[9]  Adi Shamir,et al.  Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies , 2000, CHES.

[10]  Bennet S. Yee,et al.  Using Secure Coprocessors , 1994 .

[11]  Friedrich Beck,et al.  Integrated circuit failure analysis : a guide to preparation techniques , 1998 .

[12]  Gael Hachez,et al.  A Comparative Study of Software Protection Tools Suited for E-Commerce with Contributions to Software Watermarking and Smart Cards , 2003 .

[13]  Christian F. Tschudin,et al.  On Software Protection via Function Hiding , 1998, Information Hiding.

[14]  Pamela Samuelson,et al.  A Manifesto Concerning the Legal Protection of Computer Programs: Why Existing Laws Fail To Provide Adequate Protection , 1994, KnowRight.

[15]  Dieter Gollmann,et al.  Software License Management with Smart Cards , 1999, Smartcard.

[16]  Oded Goldreich,et al.  Towards a theory of software protection and simulation by oblivious RAMs , 1987, STOC.

[17]  Oded Goldreich,et al.  Towards a Theory of Software Protection , 1986, CRYPTO.

[18]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[19]  Sergio Loureiro,et al.  Function hiding based on error correcting codes , 1999 .

[20]  José M. Troya,et al.  A secure solution for commercial digital libraries , 2003, Online Inf. Rev..

[21]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[22]  Steve R. White,et al.  ABYSS: An Architecture for Software Protection , 1990, IEEE Trans. Software Eng..

[23]  Amir Herzberg,et al.  Public Protection of Software , 1985, CRYPTO.

[24]  Christian S. Collberg,et al.  Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..

[25]  Ingrid Schaumüller-Bichl,et al.  A Method of Software Protection Based on the Use of Smart Cards and Cryptographic Techniques , 1985, EUROCRYPT.

[26]  Jean-Jacques Quisquater,et al.  Robust Object Watermarking: Application to Code , 1999, Information Hiding.

[27]  Ernesto Pimentel,et al.  An Efficient Software Protection Scheme , 2001, SEC.