Revisiting Software Protection

  • Paul C. van Oorschot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2851)


We provide a selective survey on software protection, including approaches to software tamper resistance, obfuscation, software diversity, and white-box cryptography. We review the early literature in the area plus recent activities related to trusted platforms, and discuss challenges and future directions.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Algesheimer, J., Cachin, C., Camenisch, J., Karjoth, G.: Cryptographic Security for Mobile Code. In: Proc. 2001 IEEE Symposium on Security and Privacy, pp. 2–11 (May 2001)Google Scholar
  2. 2.
    Anderson, R.: Trusted Computing FAQ – TCPA/Palladium/NGSCB/TCG,
  3. 3.
    Anderson, R.J., Kuhn, M.G.: Low Cost Attacks on Tamper-Resistant Devices. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  4. 4.
    Arbaugh, W.A., Farber, D.J., Smith, J.M.: A Secure and Reliable Bootstrap Architecture. In: Proc. 1997 IEEE Symp. Security and Privacy, pp. 65–71 (May 1997)Google Scholar
  5. 5.
    Arbaugh, W.A., Farber, D.J., Keromytis, A.D., Smith, J.M.: Secure and Reliable Bootstrap Architecture, U.S. Patent 6,185,678 (filed October 2 1998; issued February 6 2001)Google Scholar
  6. 6.
    Aucsmith, D.: Tamper Resistant Software: An Implementation. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 317–333. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Aucsmith, D., Graunke, G.: Tamper Resistant Methods and Apparatus, U.S. Patent 5,892,899 (filed June 13 1996; issued April 6 1999)Google Scholar
  8. 8.
    Balacheff, B., Chen, L., Pearson, S., Plaquin, D., Proudler, G. (eds.): Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall, Englewood Cliffs (2002)Google Scholar
  9. 9.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (Im)possibility of Obfuscating Programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997); Revised: Technion - C.S. Dept. - Technical Report CS0910-revised (1997)Google Scholar
  11. 11.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Eliminating Errors in Cryptographic Computations. J. Cryptology 14(2), 101–119 (2001)MATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Chang, H., Atallah, M.: Protecting Software Code by Guards. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 160–175. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Chen, Y., Venkatesan, R., Cary, M., Pang, R., Sinha, S., Jakubowski, M.: Oblivious Hashing: A Stealthy Software Integrity Verification Primitive. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 400–414. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Chess, D.M.: Security Issues in Mobile Code Systems. In: Vigna, G. (ed.) Mobile Agents and Security. LNCS, vol. 1419, pp. 1–14. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Chow, S., Gu, Y., Johnson, H., Zakharov, V.A.: An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 144–155. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Nickerson, J.R., Chow, S.T., Johnson, H.J., Gu, Y.: The Encoder Solution to Implementing Tamper Resistant Software. Presented at the CERT/IEEE Information Survivability Workshop, Vancouver (October 2001)Google Scholar
  17. 17.
    Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: White-Box Cryptography and an AES Implementation. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A White-Box DES Implementation for DRM Applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003) (to appear)CrossRefGoogle Scholar
  19. 19.
    Cohen, F.: Operating System Protection Through Program Evolution. Computers and Security 12(6), 565–584 (1993)CrossRefGoogle Scholar
  20. 20.
    Collberg, C., Thomborson, C., Low, D.: A Taxonomy of Obfuscating Transformations., Technical Report 148, Dept. Computer Science, University of Auckland (July 1997)Google Scholar
  21. 21.
    Collberg, C., Thomborson, C., Low, D.: Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs. In: Proc. Symp. Principles of Programming Languages (POPL 1998) (January 1998)Google Scholar
  22. 22.
    Collberg, C., Thomborson, C., Low, D.: Breaking Abstractions and Unstructuring Data Structures. In: IEEE International Conf. Computer Languages (ICCL 1998) (May 1998)Google Scholar
  23. 23.
    Collberg, C.S., Thomborson, C.: Watermarking, Tamper-Proofing, and Obfuscation - Tools for Software Protection. IEEE Trans. Software Engineering 28(6) (June 2002)Google Scholar
  24. 24.
    Daemen, J., Rijmen, V.: The Design of Rijndael: aes – The Advanced Encryption Standard. Springer, Heidelberg (2001)Google Scholar
  25. 25., U.S. Software Security Takes Off, November 8 (2002),
  26. 26.
    England, P., DeTreville, J.D., Lampson, B.W.: Digital Rights Management Operating System, U.S. Patent 6,330,670 (filed January 8 1999; issued December 11 2001)Google Scholar
  27. 27.
    England, P., DeTreville, J.D., Lampson, B.W.: Loading and Identifying a Digital Rights Management Operating System, U.S. Patent 6,327,652 (filed January 8 1999; issued December 4 2001)Google Scholar
  28. 28.
    Forrest, S., Somayaji, A., Ackley, D.H.: Building Diverse Computer Systems. In: Proc. 6th Workshop on Hot Topics in Operating Systems, pp. 67–72. IEEE Computer Society Press, Los Alamitos (1997)CrossRefGoogle Scholar
  29. 29.
    Garey, M.R., Johnson, D.S.: Computers and Intractability - A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York (1979)MATHGoogle Scholar
  30. 30.
    Goldreich, O., Ostrovsky, R.: Software Protection and Simulation on Oblivious RAMs. Journal of the ACM 43(3), 431–473 (1996); Based on earlier ideas of Goldreich (STOC 1987) and Ostrovsky (STOC 1990)MATHCrossRefMathSciNetGoogle Scholar
  31. 31.
    Gosler, J.: Software Protection: Myth or Reality? In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 140–157. Springer, Heidelberg (1985)Google Scholar
  32. 32.
    Gutmann, P.: An Open-source Cryptographic Co-processor. In: Proc, USENIX Security Symposium (2000)Google Scholar
  33. 33.
    Herzberg, A., Pinter, S.S.: Public protection of software. ACM Trans. Computer Systems 5(4), 371–393 (1987); Earlier version in Crypto 1985CrossRefGoogle Scholar
  34. 34.
    Horne, B., Matheson, L., Sheehan, C., Tarjan, R.: Dynamic Self-Checking Techniques for Improved Tamper Resistance. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 141–159. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  35. 35.
    Jacob, M., Boneh, D., Felton, E.: Attacking an Obfuscated Cipher by Injecting Faults. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 16–31. Springer, Heidelberg (2003) (to appear)CrossRefGoogle Scholar
  36. 36.
    Jakobsson, M., Reiter, M.K.: Discouraging Software Piracy Using Software Aging. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 1–12. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  37. 37.
    Kent, S.: Protecting Externally Supplied Software in Small Computers, Ph.D. thesis, M.I.T. (September 1980)Google Scholar
  38. 38.
    Kerckhoffs, A.: La Cryptographie Militaire. Journal des Sciences Militaires 9 (February 1883)Google Scholar
  39. 39.
    Lie, D., Thekkath, C., Mitchell, M., Lincoln, P., Boneh, D., Mitchell, J., Horowitz, M.: Architectural Support for Copy and Tamper Resistant Software. In: Proc. 9th International Conf. Architectural Support for Programming Languages and Operating Systems (November 2000)Google Scholar
  40. 40.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  41. 41.
    Next-Generation Secure Computing Base (formerly Palladium), Microsoft web site,
  42. 42.
    Next-Generation Secure Computing Base - Technical FAQ, Microsoft web site,
  43. 43.
    Ogiso, T., Sakabe, U., Soshi, M., Miyaji, A.: Software Tamper Resistance Based on the Difficulty of Interprocedural Analysis. In: 3rd Workshop on Information Security Applications (WISA 2002), Korea (August 2002)Google Scholar
  44. 44.
    Petitcolas, F., Anderson, R.J., Kuhn, M.G.: Information Hiding – A Survey. Proc. of the IEEE (Special Issue on Protection of Multimedia Content) 87(7), 1062–1078 (1999)Google Scholar
  45. 45.
    Sander, T., Tschudin, C.F.: Towards Mobile Cryptography. In: Proc. 1998 IEEE Symposium on Security and Privacy, pp. 215–224 (1998)Google Scholar
  46. 46.
    Sander, T., Tschudin, C.F.: Protecting Mobile Agents Against Malicious Hosts. In: Vigna, G. (ed.) Mobile Agents and Security. LNCS, vol. 1419, pp. 44–60. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  47. 47.
    Schneider, F. (ed.): Trust in Cyberspace, report of the Committee on Information Systems Trustworthiness, Computer Science and Telecommunications Board (U.S.) National Research Council. National Academy Press (1999)Google Scholar
  48. 48.
  49. 49.
    van Someren, N., Shamir, A.: Playing Hide and Seek with Keys. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, pp. 118–124. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  50. 50.
    Wang, J.: Average-Case Computational Complexity Theory. In: Hemaspaandra, L., Selman, A. (eds.) Complexity Theory Retrospective II, pp. 295–328. Springer, Heidelberg (1997)Google Scholar
  51. 51.
    Wang, C., Hill, J., Knight, J., Davidson, J.: Software Tamper Resistance: Obstructing Static Analysis of Programs., Dept. of Computer Science, Univ. of Virginia, Tech. Report CS-2000-12, Updated in [52] (May 2000)Google Scholar
  52. 52.
    Wang, C.: A Security Architecture for Survivability Mechanisms, Ph.D. thesis, University of Virginia (October 2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Paul C. van Oorschot
    • 1
  1. 1.Digital Security Group, School of Computer ScienceCarleton UniversityCanada

Personalised recommendations