Christian Collberg - Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection

Obfuscation, Watermarking, and Tamperproofing for Software Protection

Christian Collberg
Jasvir Nagra

Upper Saddle River, NJ Boston Indianapolis San Francisco
New York Toronto Montreal London Munich Paris Madrid
Capetown Sydney Tokyo Singapore Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419

For sales outside the United States, please contact:

International Sales

Visit us on the Web: www.informit.com/aw

Library of Congress Cataloging-in-Publication Data

Collberg, Christian.
Surreptitious software : obfuscation, watermarking, and tamperproofing for software protection /
Christian Collberg, Jasvir Nagra. 1st ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-321-54925-2 (pbk. : alk. paper)
1. Computer security. 2. Cryptography. 3. Data protection. 4. Copyright and electronic data
processingUnited States. I. Nagra, Jasvir. II. Title.
QA76.9.A25C6165 2009
005.8dc22 2009015520

Copyright 2010 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax: (617) 671-3447

ISBN-13: 978-0-321-54925-9
ISBN-10: 0-321-54925-2

Text printed in the United States on recycled paper at Edwards Brothers in Ann Arbor, Michigan.
First printing, July 2009

To Louise and Andrew, with all my love, pride, and admiration
Christian

For Shwetha, whose unwavering love and support makes everything possible
Jasvir

Gary McGraw, Consulting Editor

Exploiting Online Games: Cheating Massively Distributed Systems,
by Greg Hoglund and Gary McGraw
ISBN: 0-132-27191-5
Secure Programming with Static Analysis, by Brian Chess and Jacob West
ISBN: 0-321-42477-8
Software Security: Building Security In, by Gary McGraw
ISBN: 0-321-35670-5
Rootkits: Subverting the Windows Kernel, by Greg Hoglund and James Butler
ISBN: 0-321-29431-9
Exploiting Software: How to Break Code, by Greg Hoglund and Gary McGraw
ISBN: 0-201-78695-8
Also Available
The Software Security Library Boxed Set, by Gary McGraw, John Viega, Greg Hoglund
ISBN: 0-321-41870-0

For more information about these titles, and to read sample chapters, please visit informit.com/softwaresecurityseries

Surreptitious software is the term we have chosen to describe a new branch of computer security research that has emerged over the last decade. Its a field that borrows techniques not only from computer security, but also from many other areas of computer science, such as cryptography, steganography, media watermarking, software metrics, reverse engineering, and compiler optimization. Surreptitious software applies these techniques in order to solve very different problems: It is concerned with protecting the secrets contained within computer programs. We use the word secrets loosely, but the techniques we present in this book (code obfuscation, software watermarking and fingerprinting, tamperproofing, and birthmarking) are typically used to prevent others from exploiting the intellectual effort invested in producing a piece of software. For example, software fingerprinting can be used to trace software pirates, code obfuscation can be used to make it more difficult to reverse engineer a program, and tamperproofing can make it harder for a hacker to remove a license check.

So lets look at why someone should read this book, who they might be, and what material the book will cover.

Unlike traditional security research, surreptitious software is not concerned with how to protect your computer from viruses, but rather how virus writers protect their code from you! Similarly, were not interested in how to make your code free from security bugs, but rather how to riddle your program with buggy code that gets run only when someone tries to tamper with the program. And unlike cryptography research that protects the confidentiality of data, assuming that a secret key remains hidden, were interested in how to hide that key. While software engineering research has devised a multitude of software metrics in order to be able to make programs well structured, we will use the same techniques to make your programs more convoluted! Many of the techniques that we will describe in this book are based on algorithms developed by compiler optimization researchers, but unlike them, were not interested in making your program faster or smaller. Rather, after you apply the algorithms in this book to your own code, your programs will be larger and slower! Finally, unlike traditional media watermarking and steganography that hides secrets in images, audio, video, or English text, surreptitious software hides secrets inside computer code.

So why, then, should you be interested in this book? Why learn about a branch of computer security research that doesnt teach how to protect yourself against viruses and worms? Why study optimizing compiler transformations that make your code slower and larger? Why bother with a branch of cryptography that breaks the most basic assumption of that field, namely, that the secret key must be kept hidden?

The answer is that there are real-world problems that dont fit neatly into traditional computer security and cryptography research but that are interesting nonetheless. For example, in this book we will show you how to use software watermarking to fight piracy. A software watermark is a unique identifier (such as someones credit card number or your copyright notice) that you embed into your program to uniquely bind it to you (the author) or your customer. If you find illegal copies of your program being sold at a market in Singapore, you can extract the watermark and trace the illegal copy back to the original purchaser. You can use the same technique when you distribute beta copies of your new computer game to your partner companiesshould any of them leak the code, you can trace the culprit and sue for damages.