Field Notes: From West Lafayette

Author(s): Mikhail Atallah
Photographs by: Provided

Atallah

Mikhail Atallah (second from the right) co-founded Arxan Technologies in 2001 and has served on its board of scientific advisers since then. The company has developed software protection that is used in more than 200 million computing devices. Its products provide protection by linking “guards” at different points within software code, making it far more difficult for hackers to access.

The need for software protection


Modern society is increasingly reliant on software systems. Software is clearly central to the cyberworld, but it is also crucial for the physical world (it pilots airliners, controls manufacturing plants, for example). This has brought many advantages, including large increases in productivity, convenience and functionality. But it has also brought much vulnerability: Software can be deliberately compromised so that it misbehaves, and this misbehavior can wreak havoc (both electronic and physical). This is why software assets need protection against unauthorized modification.

Adversaries and what they want

Who is the attacker against whom the protection is sought?

It could be someone with physical access to the device on which the software runs (thief, roommate, partner, or even the owner). Or it could be a remote party attacking through the network. And what might such an attacker want? Possibly to inject malware in the software, or to disable policy-enforcing functionality the attacker dislikes (while preserving other functionality that the attacker likes), or to extract (and reuse elsewhere) proprietary functionality, or to turn a demo version into a fully functional one. Examples of targets of such attacks include:

  • Mobile devices (cell phones, sensors).
  • Games (for the purpose of cheating at online games, pirating the game, stealing and reusing the IP in it).
  • TV set-top boxes (for viewing without paying the subscription fee).
  • Taxi metering devices (to overcharge the customer).
  • Smart meters used by utility companies (for the purpose of underpaying, or avoiding rationing, or causing a large blackout).
  • Software controlling a physical plant (for the purpose of sabotaging it and/or using it for terrorism).

Why digital signatures are not enough

A common technique for protecting software is the use of digital signatures. The signature is a short bitstring that accompanies the software and acts as a witness to its integrity; any modification to the software would invalidate the signature, unless it is done by a legitimate entity that can produce a new valid signature. The signature is produced by a trusted authority (Apple, Microsoft, and
so on). A trusted system checks the digital signature of software before giving the OK to install or run it.

This prevents running corrupted (e.g., malware-ridden) versions of the software, but it does not work if the system itself is compromised; if the system is misconfigured to skip the signature-verification step altogether, or the system is under the control of the adversary. There is a need for an approach to protection that works even when the environment in which the software runs is hostile — not only in the sense that it cannot be relied on to protect the software, but also in the sense of actively facilitating the attack against the software.

Self-protection benefits from the difficulty of software analysis

The Purdue team has developed selfprotecting software: Software that contains defensive mechanisms that protect it against unauthorized modification, that detect such modification when it occurs, and that react to the modification (e.g., repair the damage, or notify about it, or retaliate). This approach turns the well-known difficulty of software analysis into an advantage, because its proper functioning relies on that difficulty.

How to create self-protecting software

How does one go about injecting the self-protection functionality (the “goodware”) into software? The Purdue team preferred the approach of developing a protection tool that is usable for automatically injecting protections into any software, after (and separately from) the software development process. This means that only a small team needs to know about the elaborate and difficult protection techniques, yet all software can subsequently benefit from those techniques.

The tool that was developed makes it easy to create and automatically install protections that are stealthy, unobtrusive (have small impact on size and speed), and are flexible and accommodate customizable new functionalities.

Resistance to attack is further enhanced by the use of variable protection topologies (a different instance of the protection is used for each protected software) and by entanglement of the protections with the original code. The approach is scalable and actually benefits from the software being large, because it provides a bigger haystack in which to hide the “needles” (the protections). Experiments and testing by independent professional hackers have demonstrated a huge asymmetry in protection vs. attack efforts (protections are easy to apply, very hard to remove or disable).

A secondary use of the technology is the marking of software: The insertion of a hidden mark in it (e.g., to identify who purchased it), a mark that is hard to detect and remove.

Commercial success

Commercially, the technology has been deployed on more than 200 million devices and has won 13 industry awards. The company (Arxan Technologies) that was founded in 2001 to commercialize the technology (under a Purdue license) now has a global presence with many offices in the U.S., one in London, and one in Tokyo. Its customers include:

  • 7 out of 10 global digital media companies.
  • 4 out of 5 top game publishers.
  • 4 out of 5 top independent software vendors.
  • Many Fortune 500 enterprises in markets including mobile financial services, automotive, and embedded computing.

The early steps to commercialization involved building a proof-of-concept prototype to test and demonstrate feasibility, performance, and functionality. That early prototype was developed with Purdue Trask funding ($100K). This was followed by angel investor funding, then venture-capital (VC) funding that included convincing VC-hired expert consultants, and professional testing of the protections by VC-hired hackers who attacked the protections. After securing the VC funding, the proof-of-concept prototype was discarded and a commercial-quality product was built.