Professor Publishes Book on Software Security

Christian Collberg's new book explains ways that companies and agencies can protect their software from attacks and attempts at intellectual property theft.

Christian Collberg has co-authored a new book that explores an emergent branch of software security.

Attacks that knock websites offline, like the one that hit Twitter earlier this month, have captured the public eye, but a more sinister, and more sophisticated, form of computer hacking is emerging that has gotten much less attention.

Increasingly, software pirates and "crackers" analyze and tamper with programs to extract the very information that software creators and researchers are trying to keep hidden.

To counter such attacks, particularly in the realm of intellectual property, companies and government agencies have begun using nontraditional techniques like code obfuscation, steganography and watermarking to further conceal information embedded in computer software and, in some cases, hardware systems. 

It's a new branch of software security, and it is one that Christian Collberg has termed "surreptitious software" in his newly published, co-authored book, which was released earlier this month.

Collberg, a University of Arizona associate professor of computer science, authored the book with Jasvir Nagra, one of his former students, who is currently a software engineer at Google Inc.

"Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection," documents theories and techniques surrounding software tampering, piracy and reverse engineering, and endeavors to prevent such attempts.

The nearly 800-page book is being marketed as the first book on this relatively new field, and is one of eight titles in the Addison-Wesley Software Security Series, a collection of books on software security.

"I felt what the field really needed was a comprehensive description of what the field was in order to make progress," Collberg said, noting that this new branch of software security has been in development for about 10 years.

Numerous companies, including Microsoft, Apple, Intel and Skype, use surreptitious software, often patenting the algorithms used to protect their software and code, the book notes. Researchers at higher education institutions and government agencies have begun doing the same.

The development and trajectory of the field, however, hasn't been well-documented in research.

"Before this book, there was no book to put into the hands of students who wanted to study this and no comprehensive terminology and organization of the material," he said.

But with the increasing reliance on digital communication and digital record keeping comes an urgent need for better systems of protection, lest there be more breaches of privacy, financial liability, copyright violations and other threats, Collberg said.

One major concern is that existing vulnerabilities could someday lead to a software pirate downing the Internet, he added.

Collberg, who began writing the book three years ago while on sabbatical in China, explained that plausible scenarios include a software pirate gaining access to a password-protected computer containing patient information; digging into information embedded in a video game or music recording before its release in order to duplicate it; or tapping into electronic hardware systems containing military secrets.

"It doesn't matter how strong your password is or how well you encrypt your sensitive data, if an attacker can analyze, reverse engineer and tamper with the program and hardware used to access that data," said Collberg, who teaches programming and software security at the UA.

"The underlying idea here is that if an attacker has complete access to the computer or to the software, it doesn't matter if you have all these passwords in place because he could bypass them," he said, noting that techniques in the book make it harder for secret information to be revealed. 

"These types of attack scenarios have typically been ignored in the past because they've been considered too difficult to defend against – the assumption is always that the attacker has complete access to the code and therefore there is no limit to the types of attacks he can launch," Collberg added.

Here the conversation shifts from protecting against viruses to protecting software and code, that is, intellectual property, from inevitably leaking into the public domain.

Some of the nontraditional techniques explored in the book include steganography, hiding images, text, audio or video inside software; watermarking, embedding unique identifiers in programs to trace software piracy; and obfuscation, transforming code to make it difficult to understand.

Others have begun to embed information to help track and identify tampering and the illegal use of software.
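Two of those techniques, obfuscation and watermarking, can be seen in miniature in working code. The following is an added example written for this page, not code from the book or its authors: a toy Python protector that XOR-encodes string constants so they never appear in clear, guards decoy dead code with an opaque predicate (7y^2 - 1 != x^2 has no integer solution, a classic construction from the obfuscation literature), and spreads a licensee number across the constants of those predicates as a static watermark that a second function recovers from the emitted source. The function names, the secret token and the licensee numbers are constructed for the illustration, and the transformations are deliberately far weaker than what a real protection tool applies.

```python
"""Toy source-level protector: obfuscation plus a static watermark.

Added illustration for this page (not code from the book or its authors).
protect() emits Python source for a function check(token) that accepts one
secret token; extract_watermark() recovers the licensee number from that
source. All names, secrets and licensee numbers are constructed for the demo.
"""
import re

# Runtime decoder that is emitted into every protected program.
RUNTIME_DECODER = "def _d(c, k):\n    return bytes(x ^ k for x in c).decode()\n"


def encode_string(text: str, key: int) -> list:
    """XOR-encode a literal so it never appears in clear in the source."""
    return [b ^ key for b in text.encode()]


def opaque_true(y: int, x_expr: str) -> str:
    """Always-true predicate: 7*y*y - 1 is 6 mod 7, while any square is
    0, 1, 2 or 4 mod 7, so 7*y*y - 1 == x*x has no integer solution.
    A reader sees a data-dependent test; only number theory shows that the
    else-branch is dead."""
    return f"(7*{y}*{y} - 1 != ({x_expr})*({x_expr}))"


def split_watermark(licensee_id: int, base: int = 100) -> list:
    """Little-endian base-100 digits of the licensee number."""
    digits = []
    while True:
        digits.append(licensee_id % base)
        licensee_id //= base
        if licensee_id == 0:
            return digits


def protect(secret: str, licensee_id: int, key: int = 0x5A) -> str:
    """Emit obfuscated source for check(token) -> bool.

    The secret is XOR-encoded; each watermark digit becomes the y of an
    opaque predicate, whose dead else-branch compares against a decoy."""
    digits = split_watermark(licensee_id)
    lines = [RUNTIME_DECODER, "def check(token):", "    acc = 0"]
    for i, d in enumerate(digits):
        decoy = encode_string(f"decoy-{i}", key)
        x_expr = f"len(token) + {i}"          # looks input-dependent to an analyst
        lines.append(f"    if {opaque_true(d, x_expr)}:")
        lines.append(f"        acc += {i + 1}")
        lines.append("    else:")
        lines.append(f"        return _d({decoy}, {key}) == token")
    expected = sum(range(1, len(digits) + 1))
    lines.append(
        f"    return _d({encode_string(secret, key)}, {key}) == token and acc == {expected}"
    )
    return "\n".join(lines) + "\n"


# Matches the y constant of each emitted opaque predicate, in source order.
_WATERMARK = re.compile(r"\(7\*(\d+)\*\1 - 1 != ")


def extract_watermark(source: str, base: int = 100) -> int:
    """Recover the licensee number from the opaque-predicate constants."""
    digits = [int(d) for d in _WATERMARK.findall(source)]
    return sum(d * base ** i for i, d in enumerate(digits))


def load_check(source: str):
    """Execute the emitted module and return its check() function."""
    namespace = {}
    exec(source, namespace)
    return namespace["check"]


if __name__ == "__main__":
    src = protect("correct horse", licensee_id=4242)   # constructed demo inputs
    print(src)
    check = load_check(src)
    print(check("correct horse"), check("wrong"), extract_watermark(src))
```

Running the script prints the emitted source: the secret token is nowhere in it in clear, each branch looks like a genuine check on the input length, and the licensee number survives as the sequence of predicate constants. Two copies of the same program sold to two licensees differ only in those constants, which is what lets a leaked copy be traced back; a stronger scheme would hide the digits in something less regular than a literal, and a real obfuscator would also rename identifiers and flatten control flow.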

The book "is full of techniques for confusing hackers, tracking down and prosecuting software pirates, proving ownership of code, protecting secrets," said Paul Cohen, head of the UA computer science department.

"These techniques are quite aggressive, in contrast to the passive methods that try to put up walls between oneself and hackers," Cohen said, noting that computer security is of great concern in higher education, business and national security.

"This new book is a refreshing set of new ideas," he added.

Ultimately, Collberg hopes the book will lead to more research and the discovery of robust techniques to protect against tampering and reverse engineering of sensitive software.

So, for now, there is a disclaimer.

"None of the techniques proposed, or that we know about, are foolproof," Collberg warned.

"You need continuous upgrading of defenses, and it's not very different from the real world. If your house is broken into, you put a bigger lock on it," he said.

"The attackers will become better, and we will become better at defending against them," Collberg added. "It's a cat-and-mouse game, and it is more likely that this will be a continuous struggle."