
Software obfuscation thwarts attackers

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 31 Jul 2013

In what they describe as a "first", researchers at the University of California, Los Angeles (UCLA) have developed a way of encrypting software so that it allows users access to the program, but not the source code.

According to a paper, "Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits", by obfuscating software patches, vulnerabilities being repaired would not be visible to an attacker. This would give IT professionals breathing space in which to test and deploy patches, minus the worry that the patch could be reverse-engineered in the meantime.

This technique for software obfuscation creates confusing source code that is hard to understand. The researchers' method uses mathematical puzzles that respond to any attempts at cracking with a series of complex functions that they say would take hundreds of years to solve on a traditional computer.

In a press release, computer science professor Amit Sahai says: "You write your software in a nice, reasonable, human-understandable way and then feed that software to our system. It will output this mathematically transformed piece of software that would be equivalent in functionality, but when you look at it, you would have no idea what it's doing."

Previous attempts at obfuscation were described by Sahai as only a "speed bump", while the new system, he said, puts up an "iron wall", making it impossible for a cyber criminal to reverse-engineer the software.

"You can inspect everything, you can turn it upside-down, you can look at it from different angles and you still won't have any idea what it's doing," Sahai said. "The only thing you can do with it is put it together the way that it was meant to interlock. If you tried to do anything else - like if you tried to bash this piece and put it in some other way - you'd just end up with garbage."

What is key here is a framework the researchers have dubbed "Multilinear Jigsaw Puzzles". These are a simplified variant of multi-linear maps, in which only the party who generated the system parameters can encode elements in the exponent of the different groups.

According to Threatpost, "the intuitive analogy to jigsaw puzzles is that these group elements can only be combined in very structured ways - like jigsaw puzzle pieces, different puzzle pieces either fit together or, if they do not fit, then they cannot be combined in any meaningful way".

The researchers claim this is the first time software obfuscation has been accomplished, and that it could be an important tool in protecting intellectual property and suchlike.

The full paper will be presented at the IEEE Symposium on Foundations of Computer Science in October.

The paper also delves into functional encryption, a method that encrypts information on the go; depending on identity characteristics of the recipient, only certain bits of information could be encrypted.
