Presentation from World Congress on Internet Security 2011, London.
Based on the paper "A Survey of Static Software Watermarking" with some thoughts on the usefulness of watermarking for software protection.
http://jameshamilton.eu/content/survey-static-software-watermarking
3. Software Watermarking – what is it?
[Diagram: the software company's program with the watermark "MICROSOFT" embedded in its binary, and the identical copy held by the software 'thief'.]
Allows the software author to prove ownership.
4. Software Fingerprinting – what is it?
[Diagram: the software company's program with the fingerprint "1234567890" embedded in its binary, and the identical copy held by the software 'thief'.]
Allows the software author to prove the source of the copied software.
5. Software Watermarking – what is it not?
• It does not prevent copying software.
• It does not prevent decompilation or program understanding.
• But it could be used in conjunction with obfuscation (need to be careful the obfuscation doesn't remove the watermark).
    public class HelloWorld {
        public String wm = "Microsoft";
        public static void main(String[] args) {
            System.out.println("Hello World");
        }
    }
[Diagram labels: Decompile, Obfuscate]
7. Dynamic Software Watermarking
• Embeds code to generate a watermark at run-time.
• Recogniser uses a debugger to extract watermark.
• Should be resilient to semantics-preserving transformations.
8. Code Replacement & Addition
• Very basic, early algorithms simply replaced sections of code, or
data, with watermark code.
• Susceptible to collusive attacks if the watermarks are placed in the
same location in every copy of a program.
• Monden et al. [1] encode the watermark as a sequence of bytecode
sequences which replace instructions in a dummy method.
– difficult to generate code which is similar to the original program
– easily removed by semantics-preserving transformations
[1] A. Monden, H. Iida, K.-ichi Matsumoto, K. Inoue, and K. Torii, “A practical method for watermarking java programs,” Computer
Software and Applications Conference, 2000. COMPSAC 2000. The 24th Annual International, Washington, DC, USA: IEEE, 2002,
p. 191–197.
9. Code Re-Ordering
• The watermark is encoded as the nth permutation of some set
• Davidson and Myhrvold [1] encode the watermark as the nth permutation of the set of basic blocks in a method.
– highly unstealthy due to a greater ratio of goto instructions [2]
• Another option, in Java, is to re-order the constant pool (Gong et al. [3])
• Requires the original program for comparison
[1] R.I. Davidson and N. Myhrvold, “Method and system for generating and auditing a signature for a computer program,” US
Patent 5,559,884, Sep. 1996.
[2] Myles, G. et al., 2005. The evaluation of two software watermarking algorithms. Softw. Pract. Exper., 35(10), 923–938.
[3] D. Gong, F. Liu, B. Lu, and P. Wang, “Hiding Information in Java Class File,” International Symposium on Computer
Science and Computational Technology, 2008. ISCSCT ’08., IEEE Computer Society, 2008, pp. 160-164.
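The "nth permutation" encoding from this slide as a runnable sketch; this is an added example, not code from the presentation or from the cited patent. The block labels, the function names and the one-goto-per-broken-fall-through cost model are assumptions of the example.

```python
from math import factorial

# Constructed sample: labels for the basic blocks of one method, in original layout order.
BLOCKS = ["B0", "B1", "B2", "B3", "B4"]

def capacity_bits(n):
    """Whole bits that a permutation of n distinct items can carry: floor(log2(n!))."""
    return factorial(n).bit_length() - 1

def embed(blocks, watermark):
    """Reorder blocks into the watermark-th permutation (0-based, lexicographic)."""
    if len(set(blocks)) != len(blocks):
        raise ValueError("blocks must be distinct")
    if not 0 <= watermark < factorial(len(blocks)):
        raise ValueError("watermark does not fit in this many blocks")
    pool, marked = list(blocks), []
    for i in range(len(blocks) - 1, -1, -1):
        # Factorial number system: each digit picks one of the remaining blocks.
        digit, watermark = divmod(watermark, factorial(i))
        marked.append(pool.pop(digit))
    return marked

def recognise(original, marked):
    """Recover the watermark by ranking the marked order against the original."""
    if sorted(original) != sorted(marked):
        raise ValueError("not a permutation of the original blocks")
    pool, rank = list(original), 0
    for i, block in enumerate(marked):
        digit = pool.index(block)
        rank += digit * factorial(len(marked) - 1 - i)
        pool.pop(digit)
    return rank

def gotos_needed(original, marked):
    """Count fall-through edges broken by the new layout.

    Assumption of this example: every block falls through to its successor in
    the original layout, so each broken pair costs one inserted goto.
    """
    position = {block: i for i, block in enumerate(marked)}
    return sum(1 for a, b in zip(original, original[1:])
               if position[b] != position[a] + 1)

if __name__ == "__main__":
    marked = embed(BLOCKS, 42)
    print(capacity_bits(len(BLOCKS)), marked,
          recognise(BLOCKS, marked), gotos_needed(BLOCKS, marked))
```

The recogniser needs the original order to rank against, which is why this family of schemes requires the original program for comparison; the goto count is the stealth cost noted in [2].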
10. Register Allocation
• the watermark is encoded in the interference graph, which is used to model the relationship between variables.
• each vertex represents a variable and an edge between two variables indicates that their live ranges overlap.
• we colour the graph in order to minimise the number of registers and ensure that two live variables do not share a register.
• QP algorithm [1] adds edges to the graph
• QP is flawed; QPS, QPI, CC and CP followed with a similar idea.
[1] G. Qu and K. Potkonjak, “Analysis of watermarking techniques for graph coloring problem,” Computer-Aided Design, 1998.
ICCAD 98. Digest of Technical Papers. 1998 IEEE/ACM International Conference on, San Jose, California, United States: IEEE,
2005, p. 190–193.
11. Graph Watermarking
• Venkatesan et al. [1] encode the watermark in a CFG and 'connect'
it to the original program.
[1] R. Venkatesan, V. Vazirani, and S. Sinha, “A graph theoretic approach to software watermarking,” Information Hiding,
Springer, 2001, p. 157–168.
12. Example of a bad watermarking algorithm
push 4
push 52
push 34
push 12
pop
pop
pop
pop
Optimiser
push 1
push 23
push 1
push 4
pop
pop
pop
pop
13. Problems with static watermarks in general
• can be unstealthy, if the watermark code is compared with 'normal'
code
• highly susceptible to semantics-preserving transformations
– static watermarks rely on syntactic properties
• without perfect tamper-proofing techniques an attacker can apply
any semantics-preserving transformation to a program
– tamper-proofing is hard & unstealthy
• especially in Java
Conclusion
• Static watermarks are not good for software protection
14. What about dynamic watermarks?
• in theory, should not be susceptible to semantics-preserving
transformations (but some current ones are).
• but, they can only protect a complete program rather than single
modules, classes, methods etc.
• can be susceptible to additive attacks
Conclusion
• Better than static watermarks, but still not great.
15. Watermark Stealthiness
• Some watermarking algorithms are unstealthy
– easy to find
– 'strange looking' code
– doesn't act like the rest of the program
• statistical analysis of instructions (e.g. ratio of goto instructions)
• program slicing metrics
16. Program slicing
    public int w() {
        int a = 1;
        int b = a + 1;
        String wm = "mywatermark";
        return b;    // slicing criteria
    }
Program Slice [1]: An independent program guaranteed to faithfully represent the original program within the domain of the specified subset of behaviour
[1] Weiser, M., 1981. Program slicing. In ICSE '81: Proceedings of the 5th international conference on Software engineering.
Piscataway, NJ, USA: IEEE Press, p. 439–449.
17. Program slicing
(program slice shown in red)
    public int w() {
        int a = 1;
        int b = a + 1;
        String wm = "mywatermark";
        return b;    // slicing criteria
    }
18. Program slicing
    public int w() {
        int a = 1;
        int b = a + 1;
        String wm = "mywatermark";    // slicing criteria
        return b;
    }
19. Opaque predicates
• A predicate whose outcome is known a priori
• Can be used to protect watermarks from slicing attacks
    public int w() {
        int a = 1;
        int b = a + 1;
        String wm = "mywatermark";
        if (PF) {    // PF: the opaque predicate
            b = wm.length();
        }
        return b;
    }
• Introduces false dependencies to stop slicing
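Slides 16 to 19 as a runnable check (an added example, not code from the presentation): a minimal backward slicer over a hand-built model of `w()`. The `Stmt` tuples, the `guard` field and the function names are assumptions of this example; the slicer cannot evaluate `PF`, so it treats the branch as possibly taken.

```python
from collections import namedtuple

# guard = index of the `if` that controls the statement, or None (assumed model).
Stmt = namedtuple("Stmt", "text defs uses guard")

# Constructed model of w() from slides 16-18.
PLAIN = [
    Stmt("int a = 1;", {"a"}, set(), None),
    Stmt("int b = a + 1;", {"b"}, {"a"}, None),
    Stmt('String wm = "mywatermark";', {"wm"}, set(), None),
    Stmt("return b;", set(), {"b"}, None),
]

# Constructed model of w() from slide 19, with the opaque predicate PF.
PROTECTED = PLAIN[:3] + [
    Stmt("if (PF) {", set(), set(), None),
    Stmt("b = wm.length();", {"b"}, {"wm"}, 3),
    Stmt("return b;", set(), {"b"}, None),
]

def backward_slice(stmts, criterion):
    """Indices of the statements that can affect the statement at `criterion`."""
    wanted = set(stmts[criterion].uses)
    kept = {criterion}
    for i in range(criterion - 1, -1, -1):
        s = stmts[i]
        controls_kept = any(stmts[j].guard == i for j in kept)
        if s.defs & wanted or controls_kept:
            kept.add(i)
            if s.guard is None:
                wanted -= s.defs  # an unconditional definition hides earlier ones
            wanted |= s.uses
    return sorted(kept)

def in_slice(stmts, criterion, variable):
    """True if a definition of `variable` survives in the slice."""
    return any(variable in stmts[i].defs for i in backward_slice(stmts, criterion))

if __name__ == "__main__":
    for name, prog in (("plain", PLAIN), ("protected", PROTECTED)):
        last = len(prog) - 1
        print(name, [prog[i].text for i in backward_slice(prog, last)])
```

Slicing the unprotected method on `return b` drops the `wm` assignment, while the same criterion on the protected method keeps it because of the dependency introduced through `if (PF)`.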
20. Problems with watermarks in general
[Diagram: judge, software company, software 'thief']
"Prove that the software is yours"
"here's my watermark"
21. Problems with watermarks in general
[Diagram: judge, software company, software 'thief']
"who can I believe?"
"and here's my watermark"
22. Problems with watermarks in general
[Diagram: independent software expert, judge, software company, software 'thief']
"I've examined the watermark recogniser carefully, and I believe that only one recogniser is genuine"
23. Problems with watermarks in general
[Diagram: independent software expert, judge, software company, software 'thief']
"show me your source-code."
the real author could demonstrate ownership by showing the source-code of their software (without the need for software watermarks)
24. Decompilation
• The attacker could decompile the program to get their own
source-code to demonstrate they own the code
• But it will 'look' decompiled
– incoherent variable names
– no comments
– verbose code
– extraneous instructions
• The attacker will probably have little understanding of the code and
will have trouble answering trivial questions about it
25. Conclusion
• There are many static watermarking algorithms but they are all
susceptible to trivial semantics-preserving transformation attacks.
• Dynamic watermarks are better but can also be susceptible to
attacks.
• Unstealthy watermarks give an attacker clues and allow them to
remove a watermark more easily.
• Program slicing may be able to give clues about watermarks,
and/or help remove them.
• Maybe watermarking is not actually needed or useful.
26. Thanks
Any comments or questions?
http://www.gold.ac.uk/computing http://jameshamilton.eu/