The present invention relates generally to security of distributable content in hostile environments, and more particularly to protecting distributable software from hostile attacks, such as automated attacks.
Commercial vendors may distribute sensitive software-based content on physically insecure systems and/or to devices. For example, content distribution for multi-media applications may involve electronic dissemination of books, music, software programs, and video over a network. In particular, software is often distributed over the Internet to servers where access control enforcement cannot be guaranteed, as sites may be beyond the control of the distributor. Nonetheless, such Internet-based software distribution does require management and enforcement of digital rights of the distributed content. However, the distributed content may be prone to different kinds of attacks, including a direct attack by an otherwise legitimate end user and an indirect attack by a remote hacker or an automated attack, employing different software tools. Often inhibiting a hacker from altering or bypassing digital rights management policies for content protection is referred to as copy protection.
To this end, before distribution, software is compiled to hide source-level secrets and programming techniques embedded within the source code. Software compilers compile source code developed in a source language into target code in a target language. The target code may need to be protected from automated programs that may ascertain the data flow in the compiled code using different tools such as static analysis and run-time trace analysis.
Software, being information, is trivially easy to modify. Tamper-resistant software also can be trivially modified, but the distinguishing characteristic is that it is difficult to modify tamper-resistant software in a meaningful way. Often attackers wish to retain the bulk of functionality, such as decrypting protected content, but skip payment or modify digital rights management portions. This implies that in tamper-resistant software it is not easy to observe and analyze the software to discover the point where a particular function is performed, nor how to change the software so that the desired code is changed without disabling the portion whose functionality the attacker wishes to retain.
In order to avoid wholesale replacement of the software, for example, the software must contain and protect a secret. This secret might be simply how to decode information in a complex, unpublished, proprietary encoding, or it might be a cryptographic key for a standard cipher. However, in the latter case, the resulting security is often limited by the ability of the software to protect the integrity of its cryptographic operations and confidentiality of its data values, which is usually much weaker than the cryptographic strength of the cipher. Indeed, many attempts to provide security simply by using cryptography fail because the software is run in a hostile environment that fails to provide a trusted computing base. Such a base is required for cryptography to be secure, and must be established by non-cryptographic means (though cryptography may be used to extend the boundaries of an existing trusted computing base).
Thus, there is a continuing need for better ways to secure distributable content in hostile environments, especially protecting distributable software from analyses that extract embedded secrets and changes that circumvent embedded policies enforced by the software.