Patents by Inventor Stanley T. Chow

Stanley T. Chow has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8458792
    Abstract: Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defense against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes. Effective TRS encoding techniques include data-flow encoding and mass-data encoding techniques.
    Type: Grant
    Filed: May 12, 2011
    Date of Patent: June 4, 2013
    Assignee: Irdeto Canada Corporation
    Inventors: Stanley T. Chow, Harold T. Johnson, Alexander Main, Yuan Xiang Gu
  • Publication number: 20110214179
    Abstract: Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defence against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes. Effective TRS encoding techniques include data-flow encoding and mass-data encoding techniques.
    Type: Application
    Filed: May 12, 2011
    Publication date: September 1, 2011
    Applicant: IRDETO CANADA CORPORATION
    Inventors: Stanley T. CHOW, Harold T. JOHNSON, Alexander MAIN, Yuan GU
  • Patent number: 7958554
    Abstract: Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defence against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes. Effective TRS encoding techniques include data-flow encoding and mass-data encoding techniques.
    Type: Grant
    Filed: May 24, 2004
    Date of Patent: June 7, 2011
    Assignee: Irdeto Canada Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson, Alexander Main, Yuan Gu
  • Patent number: 7730322
    Abstract: The present invention relates generally to computer software, and more specifically, to a system and method of foiling buffer-overflow and alien-code attacks. The invention protects computers from such attacks by encoding data placed in storage, and varying the encodings used in different storage areas. When the data is needed by a software application, the data is simply decoded in a complementary manner. This prevents storage areas written according to one usage from being used effectively for some other purpose. The method of the invention can be done in a number of ways. For example, a “protector” engine can be placed between a software application and memory, or the function calls in the software application itself, could be amended to include encoding and decoding. Other embodiments and alternatives are also described.
    Type: Grant
    Filed: February 14, 2003
    Date of Patent: June 1, 2010
    Assignee: Cloakware Corporation
    Inventors: Harold J. Johnson, Stanley T. Chow, Alexander Main
  • Publication number: 20100071065
    Abstract: Infiltration of malware communications. Malicious programs infecting individual devices within a network oftentimes communicate with another infected device (e.g., a master device by which the infection was established on a slave device in the first place). During this call home to a master device (or receiving a call from the master device), vital information about the attack, target, master device, etc. may be transmitted. The call home may include information acquired/retrieved from the infected device, or it may request additional information from the infecting device. By monitoring the network messages associated with such call home attempts (including any errors associated therewith), an infected device may be identified and appropriate action be taken (e.g., continue monitoring, isolate infected device from network, generate call to network help desk, etc.). This approach may be implemented at a network level to help prevent further promulgation of the malicious program to other devices.
    Type: Application
    Filed: September 18, 2008
    Publication date: March 18, 2010
    Applicant: ALCATEL LUCENT
    Inventors: Faud A. Khan, Stanley T. Chow, Bassem Abdel-Aziz
  • Patent number: 7634091
    Abstract: The invention relates to a system and method of hiding cryptographic private keys. While public/private key encryption systems are considered to be secure, the private keys ultimately must be stored in some location—in fact, in some digital commerce systems the private key is sent to the end user as part of an executable file such as an audio player and audio file. Thus, attackers can obtain access to the private key. The broad concept of the invention is to split the private key up into parts which are obfuscated, but still kept in a form that allows the encrypted data to be decrypted. One technique for obfuscating the private key uses modulo arithmetic.
    Type: Grant
    Filed: July 27, 2004
    Date of Patent: December 15, 2009
    Assignee: Cloakware Corporation
    Inventors: Yongxin Zhou, Stanley T. Chow
  • Patent number: 7506177
    Abstract: The present invention relates generally to computer software, and more specifically, to a method and system of making computer software resistant to tampering and reverse-engineering. Tampering refers to changing computer software in a manner that is against the wishes of the original author, and is distinct from obscurity techniques which do not change the underlying data or control flow of a program. Broadly speaking, the method of the invention is to analyse the effectiveness of various encoding techniques by measuring the number of possible decodings corresponding to a given encoded world. This analysis gave rise to a number of new data flow encoding techniques including alternative mixed encoding (a combination of linear and residue number encoding), and multinomial encoding.
    Type: Grant
    Filed: May 24, 2002
    Date of Patent: March 17, 2009
    Assignee: Cloakware Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson, Alexander Shokurov
  • Patent number: 7464269
    Abstract: A great deal of intellectual property is currently handled digitally, in the form of audible, visual, or audio-visual files or data streams. With today's powerful electronic equipment and communication networks such as the internet, this digital content can be reproduced flawlessly and distributed without control. While attempts have been made to protect such digital content, none of the existing protection techniques have been successful. The invention provides a system and method of protecting digital content by integrating the digital content with an executable software package such as a digital media player, executing some sort of protection mechanism (such as password, watermark or encryption protection), and then encoding the software into a tamper-resistant form. In this way, the digital content can be used by initiating the executable software it was encoded with, but the content itself cannot be accessed, nor can the protection mechanism be cracked.
    Type: Grant
    Filed: July 26, 2002
    Date of Patent: December 9, 2008
    Assignee: Cloakware Corporation
    Inventors: Harold J. Johnson, Stanley T. Chow
  • Patent number: 7397916
    Abstract: Existing encryption systems are designed to protect secret keys or other data under a “black box attack,” where the attacker may examine the algorithm, and various inputs and outputs, but has no visibility into the execution of the algorithm itself. However, it has been shown that the black box model is generally unrealistic, and that attack efficiency rises dramatically if the attacker can observe even minor aspects of the algorithm's execution. The invention protects software from a “white-box attack”, where the attacker has total visibility into software implementation and execution. In general, this is done by encoding the software and widely diffusing sites of information transfer and/or combination and/or loss. Other embodiments of the invention include: the introduction of lossy subcomponents, processing inputs and outputs with random cryptographic functions, and representing algorithmic steps or components as tables, which permits encoding to be represented with arbitrary nonlinear bijections.
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: July 8, 2008
    Assignee: Cloakware Corporation
    Inventors: Harold J. Johnson, Stanley T. Chow, Philip A. Eisen
  • Patent number: 7395433
    Abstract: Digital marks (so-called fingerprints and watermarks) serve two basic purposes: (1) Investigative: the owner reads a fingerprint to determine how the marked entity leaked; and (2) Legal: the owner must prove in court that (a) there is a watermark (a concealed copyright message), and (b) it is the owner's. The main difficulty of item (2) is that the first use of the watermark software reveals the watermarking method to the public so that hostile parties are equipped to remove or damage its watermarks. The invention uses tamper-resistant software encoding techniques to protect the digital mark extractor algorithm, frustrating the attacks of hostile parties in two ways: the resulting code is obscure (that is, its inner workings are incomprehensible); and chaotic (that is, a modification at any point will almost certainly produce a nonsense program).
    Type: Grant
    Filed: June 10, 2002
    Date of Patent: July 1, 2008
    Assignee: Cloakware Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson
  • Patent number: 7350085
    Abstract: Mass data (the contents of arrays, large data structures, linked data structures and similar data structures stored in memory) are common targets for attack. The invention presents a method and system of protecting mass data by mapping virtual addresses onto randomly or pseudo-randomly selected actual addresses. This mapping distributes data values throughout the memory so an attacker cannot locate the data he is seeking, or identify patterns which might allow him to obtain information about his target (such as how the software operates, encryption keys, biometric data or passwords stored therein, or algorithms it uses). Additional layers of protection are described, as well as efficient techniques for generating the necessary transforms to perform the invention.
    Type: Grant
    Filed: April 12, 2001
    Date of Patent: March 25, 2008
    Assignee: Cloakware Corporation
    Inventors: Harold J. Johnson, Stanley T. Chow, Yuan X. Gu
  • Patent number: 7325141
    Abstract: If a user loses his password or pass phrase required for a computer or communication system, he must have some way of obtaining a new one. Typically, new passwords are provided to users manually, by another human, an approach that is expensive and insecure. The invention provides an automated solution which allows recovery of secure access. The invention does this by complementary encryption of the user's pass phrase and responses to personal questions, the reference responses being encrypted with the pass phrase and the pass phrase being encrypted with the reference responses. When a user loses his pass phrase, he can provide answers to the personal questions and the system will recover both the reference responses and the pass phrase, so the account can be re-initialized by entering a new pass phrase. The invention also allows “approximate matching”, so biometric data can be used for identification.
    Type: Grant
    Filed: April 5, 2001
    Date of Patent: January 29, 2008
    Assignee: Cloakware Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson, Yuan Gu
  • Patent number: 6842862
    Abstract: The present invention relates generally to computer software, and more specifically, to a method and system of making computer software resistant to tampering and reverse-engineering. “Tampering” occurs when an attacker makes unauthorized changes to a computer software program such as overcoming password access, copy protection or timeout algorithms. Broadly speaking, the method of the invention is to increase the tamper-resistance and obscurity of computer software code by transforming the data flow of the computer software so that the observable operation is dissociated from the intent of the original software code. This way, the attacker can not understand and decode the data flow by observing the execution of the code. A number of techniques for performing the invention are given, including encoding software arguments using polynomials, prime number residues, converting variables to new sets of boolean variables, and defining variables on a new n-dimensional vector space.
    Type: Grant
    Filed: January 10, 2003
    Date of Patent: January 11, 2005
    Assignee: Cloakware Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson, Yuan Gu
  • Publication number: 20040268322
    Abstract: Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defence against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes.
    Type: Application
    Filed: May 24, 2004
    Publication date: December 30, 2004
    Inventors: Stanley T. Chow, Harold J. Johnson, Alexander Main, Yuan Gu
  • Publication number: 20040236955
    Abstract: The present invention relates generally to computer software, and more specifically, to a method and system of making computer software resistant to tampering and reverse-engineering. Tampering refers to changing computer software in a manner that is against the wishes of the original author, and is distinct from obscurity techniques which do not change the underlying data or control flow of a program. Broadly speaking, the method of the invention is to analyse the effectiveness of various encoding techniques by measuring the number of possible decodings corresponding to a given encoded world. This analysis gave rise to a number of new data flow encoding techniques including alternative mixed encoding (a combination of linear and residue number encoding), and multinomial encoding.
    Type: Application
    Filed: June 7, 2004
    Publication date: November 25, 2004
    Inventors: Stanley T. Chow, Harold J. Johnson, Alexander Shokurov
  • Patent number: 6779114
    Abstract: The present invention relates to a method and system of making computer software resistant to tampering and reverse-engineering. “Tampering” refers to making unauthorized changes to software, such as bypassing password checks, which are of benefit to the tamperer or of detriment to the provider or vendor of the software. Thus, tampering does not denote arbitrary destructive changes, such as causing the software to fail completely. Broadly speaking, the method of the invention is to increase the tamper-resistance and obscurity of software so that the observable operation of the transformed software is dissociated from the intent of the original code, and so that the functionality of the software is extremely fragile when modified: any modification will, with high probability, produce persistently nonsensical behaviour. These effects are achieved by converting the control-flow of the software into data-driven form, and increasing the complexity of the control-flow by orders of magnitude.
    Type: Grant
    Filed: August 19, 1999
    Date of Patent: August 17, 2004
    Assignee: Cloakware Corporation
    Inventors: Stanley T. Chow, Harold J. Johnson, Yuan Gu
  • Publication number: 20040139340
    Abstract: Existing encryption systems are designed to protect secret keys or other data under a “black box attack,” where the attacker may examine the algorithm, and various inputs and outputs, but has no visibility into the execution of the algorithm itself. However, it has been shown that the black box model is generally unrealistic, and that attack efficiency rises dramatically if the attacker can observe even minor aspects of the algorithm's execution. The invention protects software from a “white-box attack”, where the attacker has total visibility into software implementation and execution. In general, this is done by encoding the software and widely diffusing sites of information transfer and/or combination and/or loss.
    Type: Application
    Filed: February 18, 2004
    Publication date: July 15, 2004
    Inventors: Harold J. Johnson, Stanley T. Chow, Philip A. Eisen
  • Publication number: 20040078588
    Abstract: As microprocessors and other electronic devices become faster and employ higher component densities, the noise generated by the transitions between data states has an increasing influence on the performance and security of these devices. Calculations and processes performed with the method of the invention will have a constant number of bit transitions, so ground bounce and similar effects are minimized. In the preferred embodiment, this is done by replacing leaky software processes with lookup tables filled with output data corresponding to outputs of a software process indexed with corresponding operand values. The invention is particularly useful in smart card implementations using DES (data encryption standard) protection, which may be cracked by monitoring the power signature while data is being processed.
    Type: Application
    Filed: February 14, 2003
    Publication date: April 22, 2004
    Inventors: Stanley T Chow, Harold J Johnson, James Zhengchu Xiao, Miheng Yan
  • Publication number: 20040078775
    Abstract: If a user loses his password or pass phrase required for a computer or communication system, he must have some way of obtaining a new one. Typically, new passwords are provided to users manually, by another human, an approach that is expensive and insecure. The invention provides an automated solution which allows recovery of secure access. The invention does this by complementary encryption of the user's pass phrase and responses to personal questions, the reference responses being encrypted with the pass phrase and the pass phrase being encrypted with the reference responses. When a user loses his pass phrase, he can provide answers to the personal questions and the system will recover both the reference responses and the pass phrase, so the account can be re-initialized by entering a new pass phrase. The invention also allows “approximate matching”, so biometric data can be used for identification.
    Type: Application
    Filed: February 3, 2003
    Publication date: April 22, 2004
    Inventors: Stanley T. Chow, Harold J. Johnson, Yuan Gu
  • Publication number: 20040030905
    Abstract: New techniques for cracking sealed platforms have recently been discovered which observe power modulation during execution of a software encryption program on a computer processor. Particularly vulnerable to such simple power analysis and differential power analysis attacks are smart cards which employ Data Encryption Standard (DES) protection. The invention protects against such attacks by mapping data onto “Hamming-neutral” values, that is, bytes which have the same number of 1-values, so power signatures do not vary during execution. The Hamming-neutral values are assigned to each bit-string in a targeted data set, rather than in a bit-wise manner as known. This approach has a number of advantages: it is less demanding of system resources, it results in a larger number of encodings for an attacker to decipher, and it can be applied to various components including: addressing, indexing, stored data and input data. Many variations and improvements are also described.
    Type: Application
    Filed: June 13, 2003
    Publication date: February 12, 2004
    Inventors: Stanley T. Chow, Harold J. Johnson