Presentation is loading. Please wait.

Presentation is loading. Please wait.

Could Software Watermarks Express Both Rules and Assurances? Prof. Clark Thomborson Presentation to the ReTRUST Group Villach, Austria 11 th March 2008.

Published byAshlynn Andrews Modified over 8 years ago

Similar presentations

Presentation on theme: "Could Software Watermarks Express Both Rules and Assurances? Prof. Clark Thomborson Presentation to the ReTRUST Group Villach, Austria 11 th March 2008."— Presentation transcript:

1 Could Software Watermarks Express Both Rules and Assurances? Prof. Clark Thomborson Presentation to the ReTRUST Group Villach, Austria 11 th March 2008

2 SW WM Rules 11Mar08 2 Agenda What is security? What is software watermarking, and how is it used? Are we missing any cases?

3 SW WM Rules 11Mar08 3 What is Security? (A Taxonomic Approach) The first step in wisdom is to know the things themselves; this notion consists in having a true idea of the objects; objects are distinguished and known by classifying them methodically and giving them appropriate names. Therefore, classification and name-giving will be the foundation of our science. Carolus Linnæus, Systema Naturæ, 1735 (from Lindqvist and Jonsson, “How to Systematically Classify Computer Security Intrusions”, 1997.)

4 SW WM Rules 11Mar08 4 Standard Taxonomy of Security 1.Confidentiality: no one is allowed to read, unless they are authorised. 2.Integrity: no one is allowed to write, unless they are authorised. 3.Availability: all authorised reads and writes will be performed by the system. Authorisation: giving someone the authority to do something. Authentication: being assured of someone’s identity. Identification: knowing someone’s name or ID#. Auditing: maintaining (and reviewing) records of security decisions.

5 SW WM Rules 11Mar08 5 A Multi-Level Hierarchy Static security: the Confidentiality, Integrity, and Availability properties of a system. Dynamic security: the technical processes which assure static security. The gold standard: Authentication, Authorisation, Audit. Defense in depth: Prevention, Detection, Response. Security governance: the “people processes” which develop and maintain a secure system. Governors set budgets and delegate their responsibilities for Specification, Implementation, and Assurance.

6 SW WM Rules 11Mar08 6 Generalized Static Security Confidentiality, Integrity, and Availability are properties of read and write operations on data objects. What about executable objects? Unix directories have “rwx” permission bits. XXXX-ity: all executions must be authorised. GuiJu FangYuan ZhiZhiYe  a new English adjective “Guijuity” (coined in Beijing, 2007). At the top of a taxonomy, we should have a clear and important distinction, not a long list of alternatives. Confidentiality, Integrity, and Guijuity are Prohibitions (P–). Availability is a Permission (P+). S P−P− CIG P+ A S CIGA

7 SW WM Rules 11Mar08 7 Prohibitions and Permissions Prohibition: prevent an action. Permission: allow an action. There are two types of action-secure systems: In a prohibitive system, all actions are prohibited by default. Permissions are granted in special cases, e.g. to authorised individuals. In a permissive system, all actions are permitted by default. Prohibitions are special cases, e.g. when an individual attempts to access a secure system. Prohibitive systems have permissive subsystems. Permissive systems have prohibitive subsystems.

8 SW WM Rules 11Mar08 8 Recursive Security Prohibitions, i.e. “Thou shalt not kill.” General rule: An action (in some range P − ) is prohibited, with exceptions (permissions) E1, E2, E3,... Permissions, i.e. a “licence to kill” (James Bond). General rule: An action in P + is permitted, with exceptions (prohibitions) E1, E2, E3,... Static security is a hierarchy of controls on actions: P + : permitted E3 E1: prohibited E2 E11 E12

9 SW WM Rules 11Mar08 9 Is Our Taxonomy Complete? Prohibitions and permissions are properties of hierarchical systems, such as a judicial system. Most legal controls (“laws”) are prohibitive: they prohibit certain actions, with some exceptions (permissions). Contracts are non-hierarchical (agreed between peers), and consist mostly of requirements to act (with some exceptions): Obligations are promises to do something in the future. Exemptions are exceptions to an obligation. Obligations and exemptions are not well-modeled by action-security rules. Inaction security! Obligations arise occasionally in the law, e.g. a doctor’s “duty of care” or a trustee’s fiduciary responsibility.

10 SW WM Rules 11Mar08 10 Obligations are forbidden inactions; Prohibitions are forbidden actions. When we take out a loan, we are obligated to repay it. We are forbidden from never repaying. Exemptions are allowed inactions; Permissions are allowed actions. In the English legal tradition, a court can not compel a person to give evidence which would incriminate their spouse (husband or wife). This is an exemption from a general obligation to give evidence. We have added a new level to our hierarchy. Forbiddances and Allowances S Forbid ProObl Allow PerExe S ProPerOblExe

11 SW WM Rules 11Mar08 11 A Taxonomy of Security Three types of security: Static, Dynamic, Governance. Static: the rules. Prohibitions, permissions, obligations, exemptions. Dynamic: how the rules are enforced. The gold standard (Authentication, Authorisation, Audit). Defense in depth (Prevention, Detection, Response). Governance: how the rules are made. Governors set budgets and delegate responsibilities for Specification, Implementation, and Assurance. We have defined a system consisting of a Secure Subsystem and its Governors. Governors may themselves be regulated. Research question #1: Can governors govern themselves? Sed quis custodiet ipsos custodes? Can systems secure themselves, or are there only secure subsystems? Research question #2: Can the dynamic layer be more clearly defined?

12 SW WM Rules 11Mar08 12 Reviewing our Agenda  What is security?  What is software watermarking, and how is it used?  Are we missing any cases?

13 SW WM Rules 11Mar08 13 Developing Use Cases We can find use cases at the dynamic and governance layers of our hierarchy. A rule (static security) is not a use: we need an actor, a system, and a desired action (or set of actions). We can also look for misuses: malicious actors who take advantage of a system. There are also “confuses” – authorised users who cause damage by mistake. Several years ago, I developed dynamic-use cases for various software protection technologies. My purpose was to explain the functional differences between these technologies. Let’s focus on the software watermarking entries...

14 SW WM Rules 11Mar08 14 Defense in Depth for Software 1.Prevention: a)Deter attacks on forbiddances (use obfuscation, encryption, watermarking, cryptographic hashes, or trustworthy computing). b)Deter attacks on allowances (use replication, or resilient algorithms). 2.Detection: a)Monitor subjects (user logs), relative to a user ID. Use biometrics, ID tokens, or passwords. b)Monitor actions (execution logs, intrusion detectors), relative to a code ID: cryptographic hashing, watermarking. c)Monitor objects (object logs), relative to an object ID: hashing, watermarking. 3.Response: a)Ask for help: Set off an alarm (which may be silent – steganographic), then wait for an enforcement agent. b)Self-help: Self-destructive or self-repairing systems. Watermarks are used at all three layers! (Is there only one type of watermark, or are we using the same word for different things?)

15 SW WM Rules 11Mar08 15 Software Watermarking Key taxonomic questions: Where is the watermark embedded?  How is the watermark embedded? When is the watermark embedded? Why is the watermark embedded?  What are its desired properties?

16 SW WM Rules 11Mar08 16 Software Watermarking Systems An embedder E(P; W; k)  P w embeds a message (the watermark) W into a program P using secret key k, yielding a watermarked program P w An extractor R(P w ;... )  W extracts W from P w In an invisible watermarking system, R (or a parameter) is a secret. In visible watermarking, R is well-publicised (ideally obvious). The attack set A and goal G model the security threat. For a robust watermark, the attacker’s goal is a false-negative extraction, usually by creating an attacked object a(P w ), with R(a(P w );... ) ≠ W such that P w is valuable. For a fragile watermark, the attacker’s goal is a false-positive: R(a(P w );... ) = W such that P w ≠ P is valuable. A protocol attack is a substitution of R’ for R, causing a false- negative or false-positive extraction.

17 SW WM Rules 11Mar08 17 Where Software Watermarks are Embedded Static code watermarks are stored in the section of the executable that contains instructions. Static data watermarks are stored in other sections of the executable Static watermarks are extracted without executing (or emulating) the code.  A watermark extractor is a special-purpose static analysis.  Extraction is inexpensive, but we don’t know of any robust static code watermarks. Attackers can easily modify the watermarked code to create an unwatermarked (false-negative) version.

18 SW WM Rules 11Mar08 18 Dynamic Watermarks Easter Eggs are revealed to any end-user who types a special input sequence. Other dynamic behaviour watermarks:  Execution Trace Watermarks are carried in the instruction execution sequence of a program, when it is given a special input sequence (possibly null).  Data Structure Watermarks are built by a program, when it is given a special input.  Data Value Watermarks are produced by a program on a surreptitious channel, when it is given a special input.

19 SW WM Rules 11Mar08 19 Easter Eggs The watermark is visible – if you know where to look! Not very robust, after the secret is published. See www.eeggs.com

20 SW WM Rules 11Mar08 20 Dynamic Data Structure Watermarks The embedder inserts code in the program, so that it creates a recognisable data structure when given specific input (the key). Details are given in our POPL’99 paper, and in two published patent applications. Assigned to Auckland UniServices Ltd. I would very much like to find licensed uses for this technology! Implemented at http://www.cs.arizona.edu/sandmark/ (2000- )http://www.cs.arizona.edu/sandmark/ Experimental findings by Palsberg et al. (2001): JavaWiz adds less than 10 kilobytes of code on average. Embedding a watermark takes less than 20 seconds. Watermarking increases a program’s execution time by less than 7%. Watermark retrieval takes about 1 minute per megabyte of heap.

21 SW WM Rules 11Mar08 21 Thread-Based Watermarks A dynamic watermark is expressed in the thread-switching behaviour of a program, when given a specific input (the key). The thread-switches are controlled by non-nested locks. NZ Patent 533208, US Patent App 2005/0262490 Article in IH’04; Jas Nagra’s PhD thesis, 2006 The embedder inserts tamper-proofing sequences which closely resemble the watermark sequences but which, if removed, will cause the program to behave incorrectly. This is a “self-help” response mechanism.

22 SW WM Rules 11Mar08 22 SW Watermarking (Review of Taxonomic Questions) Where is the watermark embedded?  How is the watermark embedded? When is the watermark embedded? Why is the watermark embedded?  What are its desired properties?

23 SW WM Rules 11Mar08 23 Active Watermarks We can embed a watermark during a design step (“active watermarking”: Kahng et al., 2001). IC designs may carry watermarks in place-route constraints. Register assignments during compilation can encode a software watermark, however such watermarks are insecure because they can be easily removed by an adversary. Most software watermarks are “passive”, i.e. inserted at or near the end of the design process.

24 SW WM Rules 11Mar08 24 Why Watermark Software? (Thomborson & Nagra, 2002) Invisible robust watermarks: useful for prohibition (of unlicensed use) Invisible fragile watermarks: useful for permission (of licensed uses). Visible robust watermarks: useful for assertion (of copyright or authorship). Visible fragile watermarks: useful for affirmation (of authenticity or validity).

25 SW WM Rules 11Mar08 25 A Fifth Function? Any watermark is useful for the transmission of information irrelevant to security (espionage, humour, …). Transmission Marks may involve security for other systems, in which case they can be categorised as Permissions, Prohibitions, etc.

26 SW WM Rules 11Mar08 26 Our Functional Taxonomy for Watermarks [2002] But: there are no “assertions” and “affirmations” in our theory of static security! Hmmm....

27 SW WM Rules 11Mar08 27 Future and Past Actions The Rules of static security define what a system should do in the future. Assertions (e.g. of authorship) are Assurances about a past action. Affirmations (e.g. of authenticity) are Assurances about a past inaction. Audit records are Assertions. Identifications and Authentications are Affirmations. Maybe we can clean up the second layer in my security taxonomy! Secure Assure AffirmAssert Rule Forbid ProhibitObligate Allow PermitExempt

28 SW WM Rules 11Mar08 28 Summary/Review  What is security? Three types: static, dynamic, governance. Secure subsystems must have governors.  What is software watermarking, and how is it used? We have identified five types of watermarks. Invisible & robust watermarks have attracted the most interest to date.  Research question #3: Are we missing any cases? Assertions and affirmations should be analysed carefully... if implemented as watermarks they’d be visible & robust, but why should we have a covertext? Are there different types of covertexts?

Download ppt "Could Software Watermarks Express Both Rules and Assurances? Prof. Clark Thomborson Presentation to the ReTRUST Group Villach, Austria 11 th March 2008."

Similar presentations

The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Rob Farraher Ken Pickering Lim Vu

Rob Farraher Ken Pickering Lim Vu
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
H12.1 15-Mar-01 Clark Thomborson Software Security CompSci 725 Handout 12: Student Presentations, Watermarking & Obfuscation Clark Thomborson University.

H Mar-01 Clark Thomborson Software Security CompSci 725 Handout 12: Student Presentations, Watermarking & Obfuscation Clark Thomborson University.
Techniques for Software Watermarking and Fingerprinting Prof. Clark Thomborson Presentation at Tsinghua University 17 th March 2010.

Techniques for Software Watermarking and Fingerprinting Prof. Clark Thomborson Presentation at Tsinghua University 17 th March 2010.
Security Through Obscurity Clark Thomborson Version of 7 December 2011 for Mark Stamp’s CS266 at SJSU.

Security Through Obscurity Clark Thomborson Version of 7 December 2011 for Mark Stamp’s CS266 at SJSU.
Information Hiding: Watermarking and Steganography

Information Hiding: Watermarking and Steganography
A Foundation for System Security Invited talk at AISC 09 Clark Thomborson 21 February 2009.

A Foundation for System Security Invited talk at AISC 09 Clark Thomborson 21 February 2009.
1 A Functional Taxonomy for Software Watermarking Jas Nagra, Clark Thomborson University of Auckland Christian Collberg University of Arizona.

1 A Functional Taxonomy for Software Watermarking Jas Nagra, Clark Thomborson University of Auckland Christian Collberg University of Arizona.
Wmobf.1 1/5/00 Clark Thomborson Watermarking, Tamper-Proofing and Obfuscation – Tools for Software Protection Christian Collberg & Clark Thomborson Computer.

Wmobf.1 1/5/00 Clark Thomborson Watermarking, Tamper-Proofing and Obfuscation – Tools for Software Protection Christian Collberg & Clark Thomborson Computer.
Data security 1. 2 Overview  generalities  discretionary access control  mandatory access control  data encryption.

Data security 1. 2 Overview  generalities  discretionary access control  mandatory access control  data encryption.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Digital Watermarking for Multimedia Security R. Chandramouli MSyNC:Multimedia Systems, Networking, and Communications Lab Stevens Institute of Technology.

Digital Watermarking for Multimedia Security R. Chandramouli MSyNC:Multimedia Systems, Networking, and Communications Lab Stevens Institute of Technology.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Applied Cryptography for Network Security

Applied Cryptography for Network Security

Similar presentations

Ads by Google