Most software developers have heard of code obfuscation. It’s a technique that takes well constructed, easy to follow code and turns it into something that is difficult to understand. The aim being to stop a reverse engineer (a hacker) from reading the compiled code (static analysis) and discovering how it works.
This article introduces a method for software developers to go beyond obfuscation to protect critical algorithms in code.
Obfuscators are provided as developer tools. Typically they either apply obfuscation as part of the software build pipeline or it is applied to the software binary after it is built.
More basic forms of obfuscation strip out human readable text that is left in the software after it is compiled. While more sophisticated tools will alter the software’s instruction sequences to make them harder to follow–trying not only to confuse the hacker but also the powerful reverse engineering tools at their disposal.
PACE Anti-Piracy, an expert in software security, would never advocate obfuscation on its own as a strong security measure. Working with internal and external “red hat” teams we know that obfuscation only keeps the hacker at bay for so long. But we also know that when sophisticated obfuscation is coupled with other security measures, such as protecting binary integrity with anti-tamper and anti-instrumentation techniques, there is a multiplier effect and all the techniques work together to create something much stronger than the sum of their parts.
PACE specializes in providing technology solutions to protect our customer’s software IP. We stop software applications from being pirated and we stop value algorithms from being reverse engineered.
One of the tools in PACE’s arsenal is a white-box cryptography product called White-Box Works.
White-box cryptography has historically been used to protect cryptographic keys in software. If a hacker can analyse a software application, then they can see any cryptographic keys that are embedded in that software. While it is recognized as best practice not to hardcode cryptographic keys into software, sometimes it is unavoidable. White-box cryptography was developed to solve this problem and has been proven in markets such as video DRM and mobile payments.
White-box cryptography is successful because it stops hackers from understanding software algorithms and the data on which they operate within a white-box environment. A white-box environment is one in which a hacker can see every instruction execute, and every memory read and write. Nearly all software that is deployed off-premises should be considered vulnerable to attack under white-box conditions.
To achieve secure execution where secrets can stay safe for a long time under white-box conditions means going far beyond typically obfuscation techniques. Commercial white-boxes use approaches like mathematical masking so data is near exposed in the clear, and multi-dimensional misalignment to defend against side channel attacks.
PACE has built upon these techniques to move white-box cryptography beyond cryptographic key protection and to use it to protect critical software algorithms and the data on which they operate from reverse engineering.
This is useful to any business that is developing and then licensing software algorithms. Common examples that PACE encounters include digital twins, audio processing, object detection in images and videos, industry control, and medical devices.
The process is straight forward for a developer:
The output of the tool is functionally the same as the algorithm defined by the developer but the operations of the algorithm have been transformed into code that will confuse even the best hackers.
This allows business critical algorithms to be used in software that is deployed into the wild without them being reverse engineered by competitors, criminals, or curious academics.
Protecting your critical software algorithms is no longer just about obfuscation. By leveraging advanced white-box cryptographic techniques, developers can go beyond obfuscation to secure their most valuable intellectual property against even the most determined attackers.
To learn more about using White-Box Works to protect your algorithms from reverse engineering, contact us.
