Chit W. (Nick) Saw, Mariusz M. Jakubowski, Ramarathnam Venkatesan



This paper describes a new framework for design, implementation and evaluation of software-protection schemes. Our approach is based on the paradigm of iterated protection, which repeats and combines simple transformations to build up complexity and security. Based on ideas from the field of complex systems, iterated protection is intended as an element of a comprehensive obfuscation and tamper-resistance system, but not as a full-fledged, standalone solution. Our techniques can (and should) be combined with previously proposed approaches, strengthening overall protection. A long-term goal of this work is to create protection methods amenable to analysis or estimation of security in practice. As a step towards this, we present security evaluation via metrics computed over transformed code. Indicating the difficulty of real-life reverse engineering and tampering, such metrics offer one approach to move away from ad hoc, poorly analyzable approaches to protection.


  1. Anckaert, B., Jakubowski, M. H., Venkatesan, R., and Bosschere, K. D. (2007a). Run-time randomization to mitigate tampering. In 2nd International Workshop on Security (IWSEC 2007), Nara, Japan.
  2. Anckaert, B., Madou, M., De Sutter, B., De Bus, B., De Bosschere, K., and Preneel, B. (2007b). Program obfuscation: a quantitative approach. In QoP 7807: Proceedings of the 2007 ACM workshop on Quality of protection, pages 15-20, New York, NY, USA. ACM.
  3. Anckaert, B., Sutter, B. D., and Bosschere, K. D. (2004). Software piracy prevention through diversity. In DRM 7804: Proceedings of the 4th ACM Workshop on Digital Rights Management, pages 63-71, New York, NY, USA. ACM Press.
  4. Aucsmith, D. (1996). Tamper resistant software: An implementation. Information Hiding, Lecture Notes in Computer Science, 1174:317-333.
  5. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., and Yang, K. (2001). On the (im)possibility of obfuscating programs. In Electronic Colloquium on Computational Complexity, volume 2139, pages 1-18.
  6. Chen, Y., Venkatesan, R., Cary, M., Pang, R., Sinha, S., and Jakubowski, M. H. (2002). Oblivious hashing: A stealthy software integrity verification primitive. In Information Hiding 2002, Noordwijkerhout, The Netherlands.
  7. Collberg, C., Thomborson, C., and Low, D. (1997). A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, The University of Auckland, New Zealand.
  8. Collberg, C., Thomborson, C., and Low, D. (1998a). Breaking abstractions and unstructuring data structures. In International Conference on Computer Languages, pages 28-38.
  9. Collberg, C., Thomborson, C., and Low, D. (1998b). Manufacturing cheap, resilient, and stealthy opaque constructs. In Principles of Programming Languages, POPL'98, pages 184-196.
  10. Dedic, N., Jakubowski, M. H., and Venkatesan, R. (2007). A graph game model for software tamper protection. In Proceedings of the 2007 Information Hiding Workshop.
  11. El-khalil, R. and Keromytis, A. D. (2004). Hydan: Hiding information in program binaries. In International Conf. on Information and Communications Security (ICICS).
  12. Goldreich, O. and Ostrovsky, R. (1996). Software protection and simulation on oblivious RAMs. Journal of the ACM, 43(3):431-473.
  13. Goldwasser, S. and Kalai, Y. T. (2005). On the impossibility of obfuscation with auxiliary input. In FOCS 7805: Proceedings of the 46th IEEE Symposium on Foundations of Computer Science.
  14. Horne, B., Matheson, L. R., Sheehan, C., and Tarjan, R. E. (2001). Dynamic self-checking techniques for improved tamper resistance. In Digital Rights Management Workshop, pages 141-159.
  15. Jacob, M., Jakubowski, M. H., and Venkatesan, R. (2007). Towards integral binary execution: Implementing oblivious hashing using overlapped instruction encodings. In 2007 ACM Multimedia and Security Workshop, Dallas, TX.
  16. Lynn, B., Prabhakaran, M., and Sahai, A. (2004). Positive results and techniques for obfuscation. In Eurocrypt 7804.
  17. Menezes, A. J., Vanstone, S. A., and Oorschot, P. C. V. (1996). Handbook of Applied Cryptography. CRC Press, Inc., Boca Raton, FL, USA.
  18. Microsoft Corporation (2008). Phoenix compiler framework.
  19. Tan, G., Chen, Y., and Jakubowski, M. H. (2006). Delayed and controlled failures in tamper-resistant software. In Proceedings of the 2006 Information Hiding Workshop.
  20. Wang, C. (2000). A Security Architecture for Survivability Mechanisms. PhD thesis, University of Virginia.
  21. Wang, C., Hill, J., Knight, J., and Davidson, J. (2000). Software tamper resistance: Obstructing static analysis of programs. Technical Report CS-2000-12, University of Virginia.
  22. Wee, H. (2005). On obfuscating point functions. In STOC 7805: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, pages 523-532, New York, NY, USA. ACM Press.
  23. Wolfram, S. (2002). A New Kind of Science. Wolfram Media Inc., Champaign, IL, USA.

Paper Citation

in Harvard Style

M. Jakubowski M., W. (Nick) Saw C. and Venkatesan R. (2009). ITERATED TRANSFORMATIONS AND QUANTITATIVE METRICS FOR SOFTWARE PROTECTION . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 359-368. DOI: 10.5220/0002220103590368

in Bibtex Style

author={Mariusz M. Jakubowski and Chit W. (Nick) Saw and Ramarathnam Venkatesan},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},

in EndNote Style

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
SN - 978-989-674-005-4
AU - M. Jakubowski M.
AU - W. (Nick) Saw C.
AU - Venkatesan R.
PY - 2009
SP - 359
EP - 368
DO - 10.5220/0002220103590368