
A framework for secure execution of software

  • Regular contribution
International Journal of Information Security

Abstract

The protection of software applications is one of the most important problems to solve in information security because it has a crucial effect on other security issues. We can find in the literature many research initiatives that have tried to solve this problem, many of them based on the use of tamperproof hardware tokens. This type of solution depends on two basic premises: (i) increasing the physical security by using tamperproof devices and (ii) increasing the complexity of the analysis of the software. The first premise is reasonable. The second one is certainly related to the first one. In fact, its main goal is that the pirate user not be able to modify the software to bypass an operation that is crucial: checking the presence of the token. However, experience shows that the second premise is not realistic because analysis of the executable code is always possible. Moreover, the techniques used to obstruct the analysis process are not enough to discourage an attacker with average resources.

In this paper, we review the most relevant works related to software protection, present a taxonomy of those works, and, most important, introduce a new and robust software protection scheme. This solution, called SmartProt, is based on the use of smart cards and cryptographic techniques, and its security relies only on the first of the premises given above; that is, SmartProt has been designed to avoid attacks based on code analysis and software modification. The entire system is described following a lifecycle approach, explaining in detail the card setup, production, authorization, and execution phases. We also present some interesting applications of SmartProt as well as the protocols developed to manage licences. Finally, we provide an analysis of its implementation details.

Author information

Corresponding author

Correspondence to Antonio Maña.

About this article

Cite this article

Maña, A., Lopez, J., Ortega, J. et al. A framework for secure execution of software. IJIS 3, 99–112 (2004). https://doi.org/10.1007/s10207-004-0048-6

  • DOI: https://doi.org/10.1007/s10207-004-0048-6
