water marking

ABSTRACT
We identify three types of attack on the intellectual property
contained in software and three corresponding technical defenses.
A defense against reverse engineering is obfuscation, a process
that renders software unintelligible but still functional. A defense
against software piracy is watermarking, a process that makes it
possible to determine the origin of software. A defense against
tampering is tamper-proofing, so that unauthorized modifications
to software will result in nonfunctional code. We briefly survey
the available technology for each type of defense.
What is watermarking?
• Originally used to identify paper quality
• Anti-counterfeiting of paper money
• Extended to other forms of hidden information.
Definitions:
• Work: specific song, video, image, text, etc.
• Watermarking: practice of imperceptibly altering a work to
embed a message about that work.
WATERMARKING GOALS:
– verify the owner of a digital image
– detect forgeries of an original image
– identify illegal copies of the image
– prevent unauthorized distribution.


1 BACKGROUND–MALICIOUS CLIENTS VS. MALICIOUS
HOSTS
Until recently, most computer security research was concerned
with protecting the integrity of a benign host and its data from
attacks from malicious client programs (Fig. 1a). This assumption
of a benign host is present in Neumann's influential taxonomy of
computer-related risks, in which the job of a security expert is to
design and administer computer systems that will fulfill certain
stringent security requirements most of the time.
To defend itself and its data against a malicious client, a host
will typically restrict the actions that the client is allowed to
perform.
A recent surge of interest in mobile agent systems has caused
researchers to focus attention on a fundamentally different
view of security. See Fig. 1b, which illustrates benign client
code being threatened by the host on which it has been
downloaded or installed. A malicious host attack typically
takes the form of intellectual property violations. The client
code may contain trade secrets or copyrighted material that,
should the integrity of the client be violated, will incur
financial losses to the owner of the client. We will next
consider three malicious-host attack scenarios.
1.1 Malicious Host Attacks
Piracy is a major concern for anyone who sells software. Our
goal in this paper is to make piracy more difficult. We note that
software piracy is socially acceptable in settings that encourage a
belief in insiders' entitlement, price discrimination, the view that
cooperation is more important than copyright, or traditional
Confucian ethics. Threats have recently become more of a concern
since, more and more, programs are distributed in easily
decompilable format rather than native binary code.
A related threat is software tampering. Many mobile agents and
e-commerce application programs must, by their very nature,
contain encryption keys or other secret information. Pirates who
are able to extract, modify, or otherwise tamper with this
information can incur significant financial losses to the
intellectual property owner.
These three types of attack (software piracy, malicious reverse
engineering, and tampering) are illustrated in Fig. 2.
• In Fig. 2a, Bob makes copies of an application he has legally
purchased from Alice and illegally sells them to unsuspecting
customers.
• In Fig. 2b, Bob decompiles and reverse engineers an application
he has bought from Alice in order to reuse one of her modules in
his own program.
• In Fig. 2c, finally, Bob receives a digital container (also known
as Cryptolope and DigiBox) from Alice, consisting of some digital
media content as well as code that transfers a certain amount of
electronic money to Alice's account whenever the media is played.
Bob can attempt to tamper with the digital container either to
modify the amount that he has to pay or to extract the media
content itself. In the latter case, Bob can continue to enjoy the
content for free or even resell it to a third party.
2. WATERMARKING
Watermarking embeds a secret message into a cover message.
In media watermarking, the secret is usually a copyright notice
and the cover a digital image or an audio or video production.
Watermarking an object discourages intellectual property theft
or, when such theft has occurred, allows us to prove ownership.
The software watermarking problem can be stated as follows:
Embed a structure W (the watermark) into a program P such
that:
• W can be reliably located and extracted from P, even under
attack (the embedding is resilient).
• W is large (the embedding has a high data rate).
• Embedding W into P does not adversely affect the
performance of P (the embedding is cheap).
• Embedding W into P does not change any statistical
properties of P (the embedding is stealthy).
Any software watermarking technique will exhibit a trade-off
between resilience, data rate, cost, and stealth. It should
be noted that there are two possible interpretations of
stealth, static stealth and dynamic stealth. A watermark is
statically stealthy if a static analysis reveals no statistical
differences between the original and the watermarked
program. Similarly, the watermark is dynamically stealthy
if an execution trace of the program reveals no differences.




Fig. 3


Assume the following scenario: Alice watermarks a program
P with watermark W and key K and then sells P to Bob.
Before Bob can sell P on to Douglas, he must ensure that
the watermark has been rendered useless or else
Alice will be able to prove that her program has been
stolen.
Fig. 3 illustrates the kinds of dewatermarking attacks
available to Bob:
• In Fig. 3a, Bob launches an additive attack by adding
his own watermark W1 to Alice's watermarked
program P'. This is an effective attack if it is
impossible to detect that Alice's mark temporally
precedes Bob's.
• In Fig. 3b, Bob launches a distortive attack on Alice's
watermarked program P'. A distortive attack applies a
sequence of semantics-preserving transformations
uniformly over the entire program, in the hope that
(a) the distorted watermark W' can no longer be
recognized and (b) the distorted program P'' does not
become so degraded (i.e., slow or large) that it no
longer has any value to Bob.
• In Fig. 3c, Bob buys several copies of Alice's program
P, each with a different fingerprint (serial number) F.
By comparing the different copies of the program,
Bob is able to locate the fingerprints and can then
easily remove them.


3.2 Static Watermarking Techniques
Software watermarks come in two flavors, static and
dynamic. Static watermarks are stored in the application
executable itself, whereas dynamic watermarks are
constructed at runtime and stored in the dynamic state of
the program. While static watermarks have been around for
a long time, dynamic marks were only introduced recently.
The techniques of Moskowitz and Cooperman and of Davidson and
Myhrvold are representative of typical static
watermarks. Moskowitz and Cooperman describe a static
data watermarking method in which the watermark is
embedded in an image using one of the many media
watermarking algorithms. This image is then stored in the
static data section of the program. Davidson and Myhrvold
describe a static code watermark in which a fingerprint is
encoded in the basic block sequence of a program's control
flow graphs.
To detect the watermark of Venkatesan et al., the extractor
needs to
A. reconstruct the control flow graph of the watermarked
program,
B. identify which of the nodes of the control flow graph
belong to the watermark graph (or, at least, identify most of
these nodes), and
C. reconstruct the watermark graph itself.
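The idea of carrying a fingerprint in the basic block sequence, as in the Davidson and Myhrvold description above, can be illustrated as follows. This is an added example, not code from either paper: the toy program, the names embed, extract and run, and the choice of a factorial-base (Lehmer code) encoding are all assumptions made for the illustration.

```python
from math import factorial

# Constructed toy program (sums 1..n). Each basic block returns the label of
# its successor, i.e. ends in an explicit jump, so layout order is free.
def _entry(s): s["acc"], s["i"] = 0, 1; return "test"
def _test(s):  return "body" if s["i"] <= s["n"] else "exit"
def _body(s):  s["acc"] += s["i"]; return "step"
def _step(s):  s["i"] += 1; return "test"
def _exit(s):  return None

BLOCKS = {"entry": _entry, "test": _test, "body": _body,
          "step": _step, "exit": _exit}
CANONICAL = sorted(BLOCKS)  # agreed reference order of the blocks

def embed(fingerprint, canonical=CANONICAL):
    """Return a block layout whose order encodes `fingerprint`."""
    n = len(canonical)
    if not 0 <= fingerprint < factorial(n):
        raise ValueError(f"fingerprint must be in [0, {factorial(n)})")
    pool, layout = list(canonical), []
    for i in range(n, 0, -1):
        # Next factorial-base digit selects which remaining block comes next.
        idx, fingerprint = divmod(fingerprint, factorial(i - 1))
        layout.append(pool.pop(idx))
    return layout

def extract(layout, canonical=CANONICAL):
    """Recover the fingerprint from the order of blocks in `layout`."""
    pool, value = list(canonical), 0
    for i, label in zip(range(len(canonical), 0, -1), layout):
        idx = pool.index(label)
        value += idx * factorial(i - 1)
        pool.pop(idx)
    return value

def run(layout, n):
    """Execute the program as laid out; control follows labels, not position."""
    table = {label: BLOCKS[label] for label in layout}
    state, pc = {"n": n}, "entry"
    while pc is not None:
        pc = table[pc](state)
    return state["acc"]
```

With five blocks the layout carries only one of 5! = 120 values, and any re-layout of the blocks changes the extracted value, which is the data-rate and resilience trade-off described in Section 2.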
3.3 Dynamic Watermarking Techniques
There are three kinds of dynamic watermarks. In each case,
the mark is recognized by running the watermarked program
with a predetermined input sequence. This highly unusual
input makes the application enter a state which represents
the watermark.
There are three dynamic watermarking techniques:
Easter Egg Watermarks. The defining characteristic of an
Easter Egg watermark is that, when the special input
sequence is entered, it performs some action that is
immediately perceptible by the user.
Execution Trace Watermarks. Execution Trace
watermarks produce no special output. Instead, the
watermark is embedded within the trace (either instructions
or addresses, or both) of the program as it is being run with
the special input I.
Data Structure Watermarks. Data Structure watermarks do
not generate any output. Rather, the watermark becomes
embedded within the state of the program as it is being run
with the special input I.
4 TAMPER-PROOFING
There are many situations where we would like to stop
anyone from executing our program if it has been altered in any
way. For example, a program P should not be allowed to run if
1) P is watermarked and the code that builds the mark has
been altered, 2) a virus has been attached to P, or 3) P is
an e-commerce application and the security-sensitive part
of its code has been modified. To prevent such tampering
attacks we can add tamper-proofing code to our program.
This code should
a) detect if the program has been altered and b) cause the
program to fail when tampering is evident.
Ideally, detection and failure should be widely dispersed in
time and space to confuse a potential attacker.
Simpleminded tamper-proofing code like
if (tampered_with()) i = 1/0 is unacceptable, for example,
because it is easily defeated by locating the point of failure
and then reversing the test of the detection code.
There are three principal ways to detect tampering:
1. We can examine the executable program itself to see if it
is identical to the original one. To speed up the test, a
message-digest algorithm can be used.
2. We can examine the validity of intermediate results
produced by the program. This technique is known as
program (or result) checking and has been touted as an
alternative to program verification and testing.
3. We can encrypt the executable, thereby preventing
anyone from modifying it successfully unless they are able
to decrypt it. The decryption routines must be protected
from reverse-engineering by hardware means, by
obfuscation, or both.
Tamper-proofing of type-safe distribution formats
such as Java bytecode is more difficult than
tamper-proofing assembly code.
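One way to combine the message-digest check with the requirement that detection and failure be separated, instead of a single invertible test, is sketched below. This is an added example, not code from the paper: the pricing routine, the receipt scheme, the key and all function names are constructed for the illustration, and the digest routine itself is left unprotected.

```python
import hashlib
import hmac

REAL_KEY = b"constructed-demo-key"  # constructed; held by Alice, not shipped

def price_in_cents(quantity):
    # Constructed stand-in for the security-sensitive code being protected.
    return quantity * 1999

def tampered_price(quantity):
    # Constructed copy of the same routine after an unauthorized modification.
    return quantity * 1

def code_digest(func):
    # Message digest over the routine's bytecode and constants.
    code = func.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).digest()

def mask(data, func):
    # XOR `data` with a keystream derived from the code digest (self-inverse).
    stream = hashlib.sha256(b"mask" + code_digest(func)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Build time: only the masked key is embedded in the shipped program.
SEALED_KEY = mask(REAL_KEY, price_in_cents)

def issue_receipt(quantity, pricing=price_in_cents):
    # Client side: there is no "if tampered" branch to locate and reverse.
    key = mask(SEALED_KEY, pricing)  # correct only if `pricing` is unmodified
    amount = pricing(quantity)
    tag = hmac.new(key, str(amount).encode(), hashlib.sha256).hexdigest()
    return amount, tag

def alice_accepts(amount, tag):
    # Alice's side: the failure surfaces here, away from the digest computation.
    good = hmac.new(REAL_KEY, str(amount).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, good)
```

As item 3 above states, the routines that recover the key would themselves need protection by hardware means, by obfuscation, or both.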
4.1 Tamper-Proofing Viruses
Virus writers employ many obfuscation-like techniques to
protect a virus from detection and tamper-proofing-like
techniques to protect it from being easily removed from the
infected host program. So-called armored viruses add extra
code to a virus to make it difficult to analyze. Polymorphic
viruses generate new versions of themselves as part of the
infection process.