Software Protection: Integrity, Diversity, Entanglement and Renewability (SPIDER)
We’ve spent a lot of time finding a suitable analogy to explain the more subtle aspects of defense in depth and the multi-layered approach to cybersecurity that we favor here in the Cloakware group at Irdeto. The obvious brute-force comparison with castles and other walled defenses falls short in communicating the concept of self-reinforcing, robust security, even though advanced defensive structures often included the concept of rings of defense and supporting fire to help secure a particularly important feature, like a bridgehead or gate. In fact, the castle analogy feels too much like ‘just’ perimeter security which is proven to be insufficient on its own.
We’ve settled on the spider web for our analogy, and in our introductory Cloakware Report we introduced the SPIDER acronym, which I’ll try to explain in this blog post. Let’s see how far we can ‘spin’ the analogy with similes and metaphors relating software protection to spiders, their silk and webs!
Like spider silk (see, the first simile already!), it is important that the technologies that underlie software protection solutions be strong and resilient. Spider silk is well known to be 5 times stronger than steel by weight, but a Nature article by MIT researchers showed how other properties of the material lend resilience and robustness to the spider’s web:
It turns out that a key property of spider silk that helps make webs robust is something previously considered a weakness: the way it can stretch and soften at first when pulled, and then stiffen again as the force of the pulling increases.
The silk is not only strong, but has a great ability to stretch, which can handle gusts of wind or the impact of a bug, and when it breaks it will break only at the point where force is applied, leaving the rest of the web intact and functional. Good software protection has very similar properties… it will resist the hacker’s efforts to poke and prod it; you might ‘break’ it at a particular point but it will remain intact overall; and left mostly intact it is easily renewed, with a few changes it is restored to full strength again.
The particular approaches we will associate with ‘silk-like’ properties of software protection are contained in the acronym above: Integrity verification, Diversity, Entanglement and Renewability. They are not just techniques but also philosophies that should be embodied in all good software protection, reflected in the individual components whenever appropriate:
Integrity verification will ensure that your software hasn’t been tampered with. Like silk, it gives the web of software protection its strength. It is useful at loading time but is enhanced when it is dynamic… checking software integrity throughout the execution of the software. A reliable, robust and tamper-resistant integrity verification capability is an important element in establishing a software root of trust, especially when hardware anchors are not available. Philosophically, integrity verification can happen throughout the components of software protection; for an example, see entanglement below.
It has been understood for quite some time that a security solution needs to be renewable and diverse to support a proper security lifecycle. In software protection, diverse instances of software can frustrate a hacker’s efforts to understand what is going on, especially when a simple change to a random seed can create diversity in the algorithmic code and data cloaking such that the instances have very good separation between each other. In the world of the spider, the web will vary over time as well, typically due to an attack, capture of a bug, or other external events. Also, spider webs are very diverse but are built in a repeatable algorithmic way… just like good software protection!
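The following added example is not Cloakware code and does not describe Irdeto's transforms. It assumes a simple affine data encoding, with hypothetical names (`EncodedInstance`, `checksum`) and constructed seed strings, to show how changing only a seed yields instances that compute the same result while holding different values in memory.

```python
import hashlib

MASK = 0xFFFFFFFF  # all arithmetic is modulo 2**32, like a 32-bit register

class EncodedInstance:
    """Constructed example: one build of a program whose data is stored as
    E(x) = a*x + b (mod 2**32), with (a, b) derived from the build seed.
    """
    def __init__(self, seed: str):
        digest = hashlib.sha256(seed.encode()).digest()
        # a must be odd so that it is invertible modulo 2**32.
        self.a = int.from_bytes(digest[0:4], "big") | 1
        self.b = int.from_bytes(digest[4:8], "big")
        self.a_inv = pow(self.a, -1, 1 << 32)

    def encode(self, x: int) -> int:
        return (self.a * x + self.b) & MASK

    def decode(self, ex: int) -> int:
        return ((ex - self.b) * self.a_inv) & MASK

    def add(self, ex: int, ey: int) -> int:
        # E(x) + E(y) = a(x + y) + 2b, so subtracting b gives E(x + y).
        return (ex + ey - self.b) & MASK

    def scale(self, ex: int, k: int) -> int:
        # k*(E(x) - b) + b = a*k*x + b = E(k*x); no decode needed.
        return (k * (ex - self.b) + self.b) & MASK

def checksum(inst: EncodedInstance, values: list) -> int:
    """Compute sum(3 * v) on encoded data, decoding only the final result."""
    acc = inst.encode(0)
    for v in values:
        acc = inst.add(acc, inst.scale(inst.encode(v), 3))
    return inst.decode(acc)

def demo() -> dict:
    old = EncodedInstance("build-seed-0001")  # constructed seed values
    new = EncodedInstance("build-seed-0002")  # renewal: same source, new seed
    data = [10, 20, 12]
    return {
        "old_result": checksum(old, data),
        "new_result": checksum(new, data),
        "old_in_memory": [old.encode(v) for v in data],
        "new_in_memory": [new.encode(v) for v in data],
        # A value captured from the old instance is meaningless in the new one.
        "stale_decode": new.decode(old.encode(42)),
    }
```

Both instances return the same checksum, while the intermediate values an observer would see in memory differ between them, so analysis of one instance does not carry over to the next.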
Entangling code and data as part of software hardening is an effective technique that helps reinforce the software protection. Entanglement can be applied algorithmically at the source level such that nothing can be modified without affecting the control flow of the program. This is another very good example of how software protection is like a spider web: the web is very sensitive to disturbances of bugs landing on the silk!
Since effective software protection has a measurable impact on hacker productivity, it is feasible to anticipate the ‘time to hack’ and use renewal of the software protection to deliberately frustrate the hacker’s progress mid-stream. In the event that a breach in the security is detected, new diverse instances can be created in combination with a different set of protections applied, for a very effective renewal cycle. This latter point is very similar to a spider web, which, once breached, remains mostly intact and is easily repaired.
Now that we have established a decent metaphor for spider silk properties as the underlying philosophies of software protection, let’s move on to build the web!
The spider constructs its web in a specific way. It requires a couple of anchor points at the top for support and one or more at the bottom to give it shape. Referring to the figure above, to construct a web of software security, we anchor on the transcoder code & data transformation / obfuscation capabilities, which serve as the foundation for most software protection in the industry. In Irdeto’s case, this is part of the Transcoder offering. High quality transcoding, or ‘cloaking,’ can provide a strong multi-language obfuscation that can frustrate even the most determined hacker and will itself feature many of the philosophies discussed above, including entanglement of code and data, tunable levels of protection, polymorphism or selectable isomorphic diversity, control flow integrity checking, etc.
The span of the web is established by robust white-box cryptography, built, in part, with the transcoder. A good set of white-box crypto implementations is an important tool in a complete software protection solution. It helps you protect critical cryptographic keys, encrypted communications and data even in a ‘white-box’ environment where the underlying software is accessible, and the system could be attached to a debugger or the code disassembled, etc.
The web is given depth by the system-level integrity verification features which depend on both transcoder and white-box for their robustness. If available, a hardware root of trust can help anchor the integrity verification but the software equivalent is quite sufficient given the strength of the underlying technologies!
Rounding out the web are application and OS-level protections that are built on the first three in such a way that any attempt at hacking will be caught, whether it be static or dynamic in nature. Depending on the software environment, these could include things like secured storage, anti-debug, node-locking cryptographic data to a particular device, file encryption, secure loading, API protections, anti-hooking of OS primitives, jailbreak detection, etc.
The spider works with what it has in terms of location and environment to throw up a web. Similarly, software protection can be crafted such that it is adaptable in terms of the time and space (performance and memory) available to apply software security. Examples include:
- Tunable security levels to trade off the protection level for a particular asset against the impact on performance and size.
- Flexibility to create diverse instances with polymorphic (quite different) or isomorphic (similar performance) transformations.
Building a spider web is a simple and iterative process for the spider and good software protection should come together just as easily for the developer. It should integrate into the developer’s build environment seamlessly, support popular development languages, steer development to apply best practices for cybersecurity and even automate some of the software protection such that developers with minimal experience in cybersecurity can achieve a decent level of protection out-of-the-box.
So, we can see why the SPIDER acronym and spider web analogy for software protection have resonated so well with our team. Build your own web of software protection and catch all the bugs! (O.k… that’s stretching the analogy a bit!)