Anti-tamper software

Anti-tamper software is software that makes it harder for an attacker to modify it. The measures involved can be passive, such as obfuscation to make reverse engineering difficult, or active tamper-detection techniques that aim to make a program malfunction or refuse to run at all if it is modified.[1] It is essentially tamper resistance implemented in the software domain. It shares certain aspects with, but also differs from, related technologies such as copy protection and trusted hardware, and it is often used in combination with them. Anti-tampering technology typically makes the software somewhat larger and also has a performance impact. There are no provably secure software anti-tampering methods; the field is therefore an arms race between attackers and anti-tampering technologies.[2]

Malicious tampering seeks to gain control over some aspect of the software through an unauthorized modification that alters the program's code and behaviour. Examples include installing rootkits and backdoors, disabling security monitoring, subverting authentication, injecting malicious code in order to steal data or obtain higher privileges, altering control flow and communication, bypassing license checks for the purpose of software piracy, interfering with code to extract data or algorithms,[3] and counterfeiting. Software is exposed to tampering and code changes throughout its lifecycle, from development and deployment to operation and maintenance.

Anti-tamper protection can be applied either internally or externally to the application being protected. External anti-tampering is normally accomplished by monitoring the software from outside to detect modification; malware scanners and anti-virus products are the familiar form of this defense. Internal anti-tampering turns the application into its own security system, using code built into the software that detects tampering as it happens. Such tamper-proofing may take the form of runtime integrity checks such as cyclic redundancy checks (CRCs) over the program's code and data,[4] anti-debugging measures, encryption, or obfuscation.[5] Execution inside a virtual machine has become a common anti-tamper method for commercial software in recent years; it is used, for example, in StarForce and SecuROM.[6] Some anti-tamper software uses white-box cryptography, so that cryptographic keys are not revealed even when the cryptographic computations are observed in complete detail in a debugger.[7] A more recent research trend is tamper-tolerant software, which aims to correct the effects of tampering and let the program continue as if it were unmodified.[2] A simple (and easily defeated) scheme of this kind was used in the Diablo II video game, which stored its critical player data in two copies at different memory locations; if one copy was modified externally, the game used the lower value.[8]
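
The runtime CRC integrity check and the two-copy tamper-tolerant storage described above, as an added C example that is not code from the original page or from any of the products it mentions. It assumes a byte array standing in for a protected code section (a real implementation would checksum the .text range between two linker symbols and patch the expected value into the binary after linking), and the bit-inverted second copy of the guarded value is an addition of this example rather than part of the scheme the text attributes to the game.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320), bitwise.
 * crc32_buf("123456789", 9) == 0xCBF43926, the standard check value. */
uint32_t crc32_buf(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hypothetical protected region standing in for a code section (assumption
 * of this example). In a real build the range would be the .text section
 * between two linker symbols, and expected_crc would be patched in after
 * linking, since the checksum cannot be known before the code is final. */
#define REGION_SIZE 64
static uint8_t protected_region[REGION_SIZE];
static uint32_t expected_crc;

/* Fill the region with constructed, deterministic bytes and record its CRC. */
void seal_region(void)
{
    for (size_t i = 0; i < REGION_SIZE; i++)
        protected_region[i] = (uint8_t)(i * 7u + 3u);
    expected_crc = crc32_buf(protected_region, REGION_SIZE);
}

/* Runtime integrity check: 1 if the region still matches its sealed CRC. */
int region_intact(void)
{
    return crc32_buf(protected_region, REGION_SIZE) == expected_crc;
}

/* Simulates an attacker patching one byte, e.g. replacing a conditional
 * jump in a license check with a NOP (0x90 on x86). */
void tamper_region(size_t offset, uint8_t value)
{
    if (offset < REGION_SIZE)
        protected_region[offset] = value;
}

/* Tamper-tolerant storage in the style the text attributes to Diablo II:
 * two copies of a critical value at different addresses. Keeping the second
 * copy bit-inverted (an addition of this example) means a memory search for
 * the visible value turns up only one copy. */
struct guarded_u32 {
    uint32_t plain;
    uint32_t inverted;   /* always ~plain when untampered */
};

void guarded_set(struct guarded_u32 *g, uint32_t v)
{
    g->plain = v;
    g->inverted = ~v;
}

/* Applies the game's rule (use the lower of the two copies) and also reports
 * whether the copies disagreed, so the caller can treat that as tampering. */
uint32_t guarded_get(const struct guarded_u32 *g, int *tampered)
{
    uint32_t a = g->plain;
    uint32_t b = ~g->inverted;
    *tampered = (a != b);
    return a < b ? a : b;
}

int main(void)
{
    struct guarded_u32 hp;
    int bad;

    seal_region();
    printf("region intact before patch: %d\n", region_intact());
    tamper_region(17, 0x90);
    printf("region intact after patch:  %d\n", region_intact());

    guarded_set(&hp, 100);
    hp.plain = 9999;   /* external edit of one copy, as with a memory editor */
    printf("guarded value reads %u (copies disagree: %d)\n",
           guarded_get(&hp, &bad), bad);
    return 0;
}
```

Compile with any C99 compiler and run; the output shows the check passing, failing after a one-byte patch, and the guarded value surviving an edit to one copy. The "easily defeated" caveat the text attaches to the game's scheme applies to both pieces: the CRC routine, the expected value and the comparison all live in the same binary, so an attacker who locates them can patch the comparison or recompute the value, and an attacker who finds both copies of a guarded value simply edits both. In practice such checks are duplicated, obfuscated and spread through the program's normal logic, their results are consumed indirectly (for example by feeding them into a later computation) rather than tested in one conditional branch, and they are paired with the anti-debugging measures the text mentions, which this example leaves out.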

Anti-tamper software is used in many types of software products, including embedded systems, financial applications, software for mobile devices, network-appliance systems, anti-cheating in games, military systems,[9] license management software, and digital rights management (DRM) systems. Some general-purpose packages have been developed that can wrap existing code with minimal programming effort, for example SecuROM and similar kits used in the gaming industry, though they have the downside that semi-generic attack tools also exist to counter them.[10] Malware itself can and has been observed using anti-tampering techniques, for example the Mariposa botnet.[11]

References

  1. Arnold, Michael; Schmucker, Martin; Wolthusen, Stephen D. (1 January 2003). Techniques and Applications of Digital Watermarking and Content Protection. Artech House. p. 229. ISBN 978-1-58053-664-6.
  2. Jakubowski, M. H.; Saw, C. W. (N.); Venkatesan, R. (2009). "Tamper-Tolerant Software: Modeling and Implementation". Advances in Information and Computer Security. Lecture Notes in Computer Science, vol. 5824. pp. 125–139. doi:10.1007/978-3-642-04846-3_9. ISBN 978-3-642-04845-6.
  3. Cappaert, J.; Preneel, B. (2010). "A general model for hiding control flow". Proceedings of the tenth annual ACM workshop on Digital rights management (DRM '10). p. 35. doi:10.1145/1866870.1866877. ISBN 9781450300919. S2CID 3755320.
  4. "Keeping the Pirates at Bay". Gamasutra. Retrieved 2013-12-24.
  5. Chaboya, David (20 June 2007). State of the Practice of Software Anti-Tamper (Technical report). Anti-Tamper and Software Protection Initiative Technology Office, Air Force Research Laboratory. Archived from the original on 27 December 2013. Retrieved 24 December 2013.
  6. Guillot, Y.; Gazet, A. (2009). "Semi-automatic binary protection tampering". Journal in Computer Virology. 5 (2): 119–149. doi:10.1007/s11416-009-0118-4. S2CID 7165477.
  7. Oorschot, P. C. (2003). "Revisiting Software Protection". Information Security. Lecture Notes in Computer Science, vol. 2851. pp. 1–13. doi:10.1007/10958513_1. ISBN 978-3-540-20176-2.
  8. Davis, Steven B. (2008). Protecting Games. Cengage Learning. p. 135. ISBN 978-1-58450-687-4.
  9. Keller, John (26 April 2010). "Anti-tamper technologies seek to keep critical military systems data in the right hands". Military & Aerospace Electronics. Militaryaerospace.com. Retrieved 2013-12-24.
  10. Honig, Andrew (2012). Practical Malware Analysis. No Starch Press. p. 400. ISBN 978-1-59327-430-6.
  11. Sinha, P.; Boukhtouta, A.; Belarde, V. H.; Debbabi, M. (2010). "Insights from the analysis of the Mariposa botnet". 2010 Fifth International Conference on Risks and Security of Internet and Systems (CRiSIS). p. 1. doi:10.1109/CRISIS.2010.5764915. ISBN 978-1-4244-8641-0. S2CID 12673670. Archived from the original on 2012-09-16. Retrieved 2015-09-04.