It is easy to reverse engineer software today. An attacker generally requires no more than a basic debugger, a compiler and about a day's effort to de-obfuscate code that has been obfuscated with the best current methods. The reason for the relative ease is that program obfuscation is primarily based on "security through obscurity" strategies, typified by inserting passive junk code into a program’s source code. Existing program obfuscation methods also do not have quantifiable security models, and so it is difficult even to measure how much security is gained by a given obfuscation effort.
DARPA’s SafeWare program aims to develop obfuscation technology that would render the intellectual property in software (e.g., proprietary algorithms) incomprehensible to a reverse engineer, but allow the code to otherwise compile and run normally. To accomplish this, SafeWare researchers aim to develop fundamentally new program obfuscation technology with (i) quantifiable security that (ii) depends not on the appearance of complexity in code structure, but on the difficulty of the mathematical problems an attacker would have to solve to successfully de-obfuscate the program.
To gain the security benefits of program obfuscation, a price in program runtime efficiency must be paid. Fortunately, recent developments indicate that the scaling between the price paid in efficiency and the security benefit gained by obfuscation is favorable. Extant theory guarantees an adversary work factor (i.e., CPU cycles required to break the obfuscation) that scales exponentially with respect to polynomial increases in program runtime. Unfortunately, this runtime overhead is still extremely large in absolute terms, making even the simplest kinds of programs run unacceptably slowly. SafeWare will address the main practical obstacle to implementing this technology today: reducing these overheads so that software can run efficiently for users while being safe from reverse engineering.
If successful, SafeWare technologies will provide provably secure protection of sensitive intellectual property and algorithmic information in software that is vulnerable to capture and dissection.