Embed Size (px)
Citation preview
August 2013, 20(Suppl. 1): 136–140 www.sciencedirect.com/science/journal/10058885 http://jcupt.xsw.bupt.cn
The Journal of China Universities of Posts and Telecommunications
A software protection framework for mobile devices
DONG Hang1, LI Jing2(�), ZHANG Miao1, SU Shuai1, YANG Yi-xian1
1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China 2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 10029, China
Abstract
The software protection technology is the main component of modern software security technology. Generally, confu-sion and encryption methods are using in software protection technology to provide traditional desktop applications. But applications based on mobile devices are also faces with threats such as piracy and tampering. The security problem in ex-isting applications for mobile devices will do far more harm to users than traditional virus, but there is no effective software protection security framework for them. A software application framework for mobile devices is proposed in this paper, and the white box decryption algorithm involved is improved. And it is analyzed in this paper the performance and security of the framework proposed, the operational efficiency of the improved encryption algorithm is verified.
Keywords software security, white box encryption, software protection, smartphone
1 Introduction
As the bearing and main innovation platform for mobile internet business, smartphones has become the strategic high ground of the whole industry. At the same time, the security problem of applications for mobile devices has become increasingly problematic, which brings potential threat to user information and the development of national economy and society.
Within these malicious programs, there is a considerable amount of Android application that is secondary packed or joined with malicious code lately by illegal app stores or malicious developers. Such behavior was known as ‘pack-ing party’. The mobile games malicious tampered by ‘packing party’ will usually do lots of harm to mobile users such as malicious deductions, flow consumption and pri-vacy disclosure [1].
In the field of software protection, Kent [2] published the first academic paper in 1980, which pointing out that the main purpose of software protection for software sell-ers is tamper-proof and anti-piracy, and putting forward
Received date: 29-06-2013 Corresponding author: LI Jing, E-mail: [email protected] DOI: 10.1016/S1005-8885(13)60231-9
two software protection technology respectively based on physical hardware and cryptography. In 1985, Gosler [3] introduced some software anti-copying technology in his paper. At the same year, Pinter [4] proposed a software anti-copying technology supported by processor. In 1996, Goldreich and Ostrovsky [5] proposed the first software protection model. In 2006, Madou and his workmates [6] proposed a software protection method through obfuscation, prevent static analysis methods. At the same year, Kanzaki et al. [7] proposed a software protection method based on instruction camouflage, which can also prevent some kinds of static analysis.
However, more and more phenomenon such as software cracking, content theft happened all the time, raising new challenges to software protection: how to protect intellec-tual property in a relatively transparent execution envi-ronment.
In cryptography, it is always assumed that the running environment of cryptographic algorithm is safe, as long as the secret key is well protected. Recent years, with digital data being widely used, most of the time, encryption soft-ware will be released to a platform that can’t be fully trusted.
Such attackers will extract the secret key easier than
Supplement 1 DONG Hang, et al. / A software protection framework for mobile devices 137
those who only know the plaintext and the corresponding cipher text. The research literature about how to prevent such attacks was originally founded in 2002 by Chow, et al. [8], they creatively defined the white box environ-ment and put forward some creative ideas to prevent the attacker to extract secret key. In 2006, Bringer et al. [9] proposed another method to make the attacker can’t ana-lyze the algebraic structure of the whole algorithm. How-ever, there are some deficiencies of existing white box algorithm in design, especially in the algorithm efficiency.
Above all, the existing security frameworks and algo-rithms for PC should be adjust and optimize to meet the needs of mobile platform. A software application frame-work for mobile devices is proposed in this paper, the framework includes processes of loading, decryption and verification of applications, and uses efficient white box AES algorithm to store and use secret key safely. Evalua-tion of the efficiency and security of the framework shows that the framework can effectively reduce the low effi-ciency and large occupied space problem caused by tradi-tional white box encryption algorithm, and meanwhile ensure the safety.
2 Software protection framework for mobile de-vices
Smartphone is limited to the compute capability, the ef-ficiency of network connection and so on. It is not very convenient to use the traditional DRM framework. Based on the traditional DRM scheme, a Mobile software protec-tion framework is proposed, protecting software during software distribution, software runtime from unauthorized users using, reversing, tampering with the applications with related encryption technology, protecting the intel-lectual property rights and interests of developers.
The process of software protection should work with Software distribution channels in tow aspects: software distribution stage and running stage.
As Fig. 1 shows, the following step should be dealt with during the application program distribution stage.
1) Unpack the APK developers uploaded before, extract files for protection like classes.dex.
2) Generate a secret key according to the final download information about users, encrypt Classes.dex with the key and generate the library files for decryption.
3) Modify AndroidManifest.xml in the APK and gener-ate loader for this application.
4) Repack the APK with encrypted files, library files for decryption, modified XML files and new loader and sign it.
5) Users download the APK.
Fig. 1 The process of application distribution stage
The loader which uses to load APK files don’t need to modify the system source code of the original application. The following step should be dealt with during the appli-cation program running stage:
1) When users start the application, the operating system loaded APKLoader, which will verify the encrypted data and the fingerprints of library files. After verification the decryption function in the library file will be called to de-crypt the original data of the application.
2) The feature of the APKLoader should be verified when the decryption function is called so as to determine whether the call is legal. The decrypted original data of the application will be stored in the memory if it is legal.
3) The loader calls the original application package in the memory and eventually launches the application.
Mobile software protection framework uses customized application loader, in the application distribution stage specific secret key is generated according to user’s infor-mation with specific fingerprint information, and such loader does not affect the normal loading of original pro-gram. In application loading stage, the users’ and the call-ers’ information is both verified off line, which conforms to the characteristics of mobile terminal better, improves the users’ experience while protect application securely.
However, the protection framework in this paper de-signed is a software based framework, such off-line framework will involve the secret key by which we can decrypt all encrypted information if we deal with digital data in a normal way, and the security of the secret key can’t be ensured during operation. Attackers will decrypt
138 The Journal of China Universities of Posts and Telecommunications 2013
the encrypted data when get the secret key and bypass the loader and decryption library file loading mechanism and finally obtain the source code of the application. Under this circumstance, the protection of secret key is important for the security of the Mobile software protection frame-work. So a white box cryptography is introduced in this paper to protect the secret key in encryption and decryp-tion process.
3 Research on the white box cryptography
White box attack model assumes that the implementa-tion process of the whole cipher algorithm is visible to the attacker, and the attacker owns the total control of the ci-pher algorithm running platform. In addition to control the input and output of the algorithm, the attacker can also watch the data in the memory, set breakpoints on program, record the intermediate variables during the execution and tamper with the implementation process of the cipher al-gorithm. The white box attack environment is mainly used in the analysis of security of cryptographic algorithm when the execution environment is not trusted. This assumption is the strongest assumptions for the white box attack envi-ronment [10].
In order to prevent the secret key from being exposed in encryption and decryption process under the assumed en-vironment, Chow put forward white box algorithm for the first time in 2002, which will not make the key exposure in the operational environment. The general working model of white box cryptography is as follows [11]:
1) Choose a cipher algorithm A, record the encryption process as Ek(m), the decryption process as Dk(m), where k is the secret key for encryption or decryption, m is the message plaintext.
2) Select a secret key skey. 3) Construct a white box decryption device for the se-
lected skey and decryption process D, making Dwb(m)=Dskey(m).
4) Confuse Dwb (m) so the skey can safely hide in it and can’t be separated.
Essentially, Dwb(m) is a special version of Dk(m) for a particular key. Different white box decryption devices Dwb should be constructed for different decryption keys in the same cipher algorithm.
Algorithms mentioned in this paper is aimed at two kinds of symmetric encryption algorithm DES and AES, in this framework, we have done some specific research on
white-box AES algorithm.
3.1 Introduction of AES algorithm
The AES algorithm (128 bit) is a 10 rounds of arithmetic operation, AES encryption, AES encryption cycle for each round (except the last round) consists 4 steps [12]:
AddRoundKey: each byte in the matrix will do XOR operation with the round key; each key generated by the key generation scheme.
Sub Bytes: Use the lookup table to replace each byte with the corresponding byte by a non-linear replacement function.
ShiftRows: Cyclically shift each row of the matrix. MixColumns: This operation is for fully mixing all rows
of the matrix. Use the linear transformation to mix four bytes inline.
In AES algorithm, secret key should be extended into round key, the expansion algorithm is deterministic and reversible and round key needs to be directly involved in the basic arithmetic operation, which is easily exposed, therefore, black box AES algorithm should not be exposed in the white box attack environment.
3.2 Chow’s white box AES algorithm
Chow put forward the design of white box AES algo-rithm in 2002 [13], the secret key in the standard AES al-gorithm is concealed by lookup table, so the confidential-ity of the cipher algorithm is still good in the white box environment.
In order to achieve the white box algorithm, Ad-dRoundKey and the SubBytes in the next step should be combined into one step, and the ShiftRows step should be done at the beginning of each round, So the round key (kr) should be shifted first when combine the AddRoundKey step into the 9 rounds cycle as (kr − 1).
In the white box AES designed by Chow, AddRoundKey and SubBytes in every round can be combined into a lookup table:
^i 1( ) ( [ ])r
rT x S x k i−= ⊕ 10 ^
9 10( ) ( [ ]) [ ]iT x S x k i k i= ⊕ ⊕ (x stands for plaintext matrix, ^
1[ ]rk i− for round key matrix, s for S-box) The result can be represented by a structure the same as
S-box, called T-box. By this way Chow hide the secret key into the matrix operation. He combined T-box and Mix-Columns step in the next step to hide the operation into the
Supplement 1 DONG Hang, et al. / A software protection framework for mobile devices 139
lookup table. Original operation expression of MixCol-umns, denoted as Y, is shown as below:
0
1
2
3
02 03 01 0101 02 03 0101 01 02 0303 01 01 02
xxxx
⎡ ⎤⎡ ⎤⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥=⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥
⎣ ⎦ ⎣ ⎦
Y (1)
So as to extend the T-box determined by x into 4 Ty-Box, for example, T-box identified by 0X can extend into 4 Ty-Box as T
0 0 0 0[ , , , ]x x x x⊕ ⊕ ⊕ ⊕02 01 01 03 . Finally, the XOR operation in MixColumns is also cal-
culated with the form of lookup table like S-box. Then Chow raises a 4× 4 invertible matrix MB to In order to scramble the TY-Box.
In practice, however, it might be possible to defense sort of attack by Chow’s white box algorithm, but limited by the size of lookup table and the computing power of em-bedded platform, a more efficient cipher algorithm is needed on mobile and embedded platform to compress volume and enhance efficiency as much as possible while guarantee safety.
3.3 The improved white box AES cipher algorithm
Sort of improvement is made to Chow’s white box algo-rithm, cancelled MB matrix and introduced lightweight internal scrambling measures to reduce the space of white box algorithm while guarantee the scrambling degree.
For Chow’s white box algorithm, set the input is P1, which is shown followed:
0 4 8 12
1 5 9 131
2 6 10 14
3 7 11 15
P P P PP P P PP P P PP P P P
⎡ ⎤⎢ ⎥⎢ ⎥=⎢ ⎥⎢ ⎥⎣ ⎦
P (2)
Then after ShiftRows and T-box step P1 becomes to T1 as below:
0 4 8 12
5 9 13 11
10 14 2 6
15 3 7 11
T T T TT T T TT T T TT T T T
⎡ ⎤⎢ ⎥⎢ ⎥=⎢ ⎥⎢ ⎥⎣ ⎦
T (3)
Through MC line transformation, if we extract the first column, it will turn out to be Ty as followed:
11 12 13 14 0
21 22 23 24 5
31 32 33 34 10
41 42 43 44 15
MC MC MC MCMC MC MC MCMC MC MC MCMC MC MC MC
y
TTTT
⎡ ⎤ ⎡ ⎤⎢ ⎥ ⎢ ⎥⎢ ⎥ ⎢ ⎥= ×⎢ ⎥ ⎢ ⎥⎢ ⎥ ⎢ ⎥⎣ ⎦ ⎣ ⎦
T (4)
In original AES algorithm, this matrix should do XOR operation with the next round key, set the next round as K as below:
0
1
2
3
KK
KK
⎡ ⎤⎢ ⎥⎢ ⎥=⎢ ⎥⎢ ⎥⎣ ⎦
K (5)
If K0, K1, K2 and K3 were randomly split into five parts like below:
0 1 2 3 40 0 0 0 0 0
0 1 2 3 41 1 1 1 1 1
0 1 2 3 42 2 2 2 2 2
0 1 2 3 43 3 3 3 3 3
K K K K K KK K K K K KK K K K K KK K K K K K
⎫= ⊕ ⊕ ⊕ ⊕⎪
= ⊕ ⊕ ⊕ ⊕ ⎪⎬
= ⊕ ⊕ ⊕ ⊕ ⎪⎪= ⊕ ⊕ ⊕ ⊕ ⎭
(6)
Then add the first four parts into Eq. (4) and combine the fifth part 4 4 4 4
0 1 2 3[ ]TK K K K� � � with T-Box in the next round, thus the next round key is combined with lookup table in this round.
Process of the improved white box cipher algorithm can be shown in Fig. 2:
Fig. 2 Process of the improved white box cipher algorithm
4 Efficiency and Safety
According to the proposed design for smartphone soft-ware protection framework, combined with the improved white box cipher algorithm, the authors implemented a prototype system of smartphone software protection, and analyzed the safety and efficiency of the security protection framework by taking encryption, decryption and attacking tests on actual android application.
140 The Journal of China Universities of Posts and Telecommunications 2013
4.1 Efficiency
In the mobile terminal application protection framework, every application needs a decryption program in addition due to the characteristics of one time padding, so the im-pact engendered by the size of white box cipher algorithm is great for the distribution and installation of the applica-tion. Table 1 shows the size of the three algorithms written in C program language.
Table 1 Comparison of the size of algorithms Decrypt LIB/KB
Normal AES Algorithm 40 Chow’s Algorithm 752
The New Algorithm 147
The three algorithms are respectively performed on two kinds of mobile devices and the results are shown in the Table 2 below:
Table 2 Result of efficiency test on mobile devices/s Common devices Mid-High devices Data Size
AES Chow New AES Chow New 98 Byte 0.002 0.016 0.003 0.000 09 0.002 0.000 2 0.4 KB 0.002 0.048 0.004 0.000 12 0.008 0.000 6 51 KB 0.032 5.089 0.119 0.005 16 0.899 0.013 1
289 KB 0.162 25.28 0.393 0.028 35 5.288 0.072 9 0.56 MB 0.303 49.26 1.713 0.062 35 10.55 0.289 2 1.11 MB 0.567 103.44 2.618 0.107 66 19.96 0.487 2 5.17 MB 2.931 492.62 11.973 0.511 23 95.98 2.220 4
As above shows, the efficiency of the improved white box algorithm is more efficient than Chow’s white box cipher algorithm, the efficiency of decryption normal files is acceptable, which has little impact on user experience.
4.2 Safety
The improved white box algorithm is necessarily less safe than Chow’s white box algorithm when increasing efficiency. However, we can still reduce the transparency of the attack environment by ways of code obfuscation, anti-debugging and verification in the smartphone platform, so as to improve the difficulty of analyzing secret key.
The protection for the original data in this framework mainly depends on the security of AES algorithm. As the white-box AES algorithm introduced to the framework, the key can be protecting well. It is hard to get original data through normal static analysis methods.
5 Conclusions
This paper puts forward a white box based smartphone software security protection framework, which is tested in the test environment. Compared to the traditional software protection way, the characteristics of smartphone software security protection framework are as follows: protecting the application as possible from piracy, being reversed and being tampered with limited computing power and re-sources; improving Chow’s white box algorithm to fit the mobile environment, and the prototype system has proved that it can greatly enhance the operational performance and preserving a certain security at the same time in the mobile platform in this way. So the smartphone software security protection framework has certain feasibility.
In the next work, the safety of white box cryptography will continue to be improved as well as the efficiency by studying on the resource consumption in the decoding process. The loader will also be improved so as to reduce its impact on the overall performance of the system.
Acknowledgements
This work was supported by the National Science and Technology Projects (2012ZX03002012, 2012BAH06B02) the Specialized Re-search Fund for the Doctoral (20120005110017).
References
1. SecurityLab T. Mobile Devices Security Report, 2013. 05. http://m.qq.com/security_lab/news_detail_178.html
2. Kent S. Protecting externally supplied software in small computers. 1981 3. Gosler J R. Software protection: myth or reality? Advances in Cryptology�CRYPTO�85 Proceedings, Springer, 1986: 140−157
4. Herzberg A, Pinter S S. Public protection of software. ACM Transactions on Computer Systems (TOCS), 1987, 5(4): 371−393
5. Goldreich O, Ostrovsky R. Software protection and simulation on oblivi-ous rams. Journal of the ACM (JACM), 1996, 43(3): 431−473
6. Madou M, Anckaert B, Moseley P, et al. Software protection through dy-namic code mutation//Information Security Applications. Springer, 2006: 194−206
7. Kanzaki Y, Monden A, Nakamura M, et al. A software protection method based on instruction camouflage. Electronics and Communications in Ja-pan (Part III: Fundamental Electronic Science), 2006, 89(1): 47−59
8. Chow S, Eisen P, Johnson H, et al. White-box cryptography and an aes implementation//Nyberg K, Heys H. Selected Areas in Cryptography. Springer Berlin / Heidelberg, 2003: 250
9. Bringer J, Chabanne H, Dottax E. White box cryptography: another at-tempt. IACR Cryptology ePrint Archive, 2006, 2006: 468
10. Zhixu L. The Research of Software Tamper Resistance Base on White-Box Cryptography. 2012(in Chinese)
11. Collberg C, Nagra J. Surreptitious software. 2012 12. Wikipedia. Advanced encryption standard. 2013: 2013, 13. Muir J A. A tutorial on white-box aes//Advances in Network Analysis
and its Applications. Springer, 2013: 209−229
