Iterated Transformations and Quantitative Metrics for Software Protection

International Conference on Security and Cryptography (SECRYPT 2009)

This paper describes a new framework for the design, implementation and evaluation of software-protection schemes. Our approach is based on the paradigm of iterated protection, which repeats and combines simple transformations to build up complexity and security. Based on ideas from the field of complex systems, iterated protection is intended as an element of a comprehensive obfuscation and tamper-resistance system, not as a full-fledged, standalone solution. Our techniques can (and should) be combined with previously proposed approaches, strengthening overall protection.

A long-term goal of this work is to create protection methods amenable to analysis or estimation of security in practice. As a step towards this, we present security evaluation via metrics computed over transformed code. Such metrics indicate the difficulty of real-life reverse engineering and tampering, and offer one way to move away from ad hoc, poorly analyzable approaches to protection.