Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection
August 2002 (vol. 28 no. 8)
pp. 735-746

Abstract—We identify three types of attack on the intellectual property contained in software and three corresponding technical defenses. A defense against reverse engineering is obfuscation, a process that renders software unintelligible but still functional. A defense against software piracy is watermarking, a process that makes it possible to determine the origin of software. A defense against tampering is tamper-proofing, so that unauthorized modifications to software (for example, to remove a watermark) will result in nonfunctional code. We briefly survey the available technology for each type of defense.

Index Terms:
Obfuscation, watermarking, tamper-proofing, intellectual property protection.
Citation:
Christian S. Collberg, Clark Thomborson, "Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection," IEEE Transactions on Software Engineering, vol. 28, no. 8, pp. 735-746, Aug. 2002, doi:10.1109/TSE.2002.1027797