Purdue Marshals New Approach To Protect Software

Hackers who try to use or copy software illegally may soon find a sticky web waiting to trap them.

It's not the World Wide Web. Instead, it's a new approach under development at Purdue University designed to protect software. By placing a linked brigade of hundreds of tiny "guards" at different points within software code, computer scientists have made it far more difficult for hackers to use software without permission from the vendor.

"Merely cracking a single password won't do it anymore," said Mikhail (Mike) Atallah, professor of computer science at Purdue. "We are distributing security measures throughout the software. It is no longer enough to hack past one point; the guards will notice what you've done and prevent you from using the program."

Atallah, who leads the research team that came up with this new approach, co-authored a paper on the results with Purdue graduate student Hoi Chang. Chang presented their ideas at the Association for Computing Machinery (ACM) workshop on Security and Privacy in Digital Rights Management, SPDRM 2001.

Atallah has since helped found the startup venture Arxan Technologies Inc. to develop the protection measures for market. The company hopes to have a finished product available by this fall.

"We are encouraged by our test results so far," Atallah said. "We have been able to add custom levels of security to software without significantly decreasing its speed or increasing the time it takes to download over the Internet."

Traditional software protection measures typically demand that a user enter a password supplied by the vendor at the time of purchase. But it has proven all too easy for hackers to get past a single security checkpoint, after which they can use a program for free and copy it as often as they wish.

"The old way is a lot like having a single guard at the bank," Atallah said. "Neutralize him, and the vault is yours."

The innovation of Atallah's team lies in connecting the security measures with the software's operation, making the two inextricable. This effectively multiplies the number of guards to dozens or hundreds, and makes it impossible for a hacker to neutralize one guard without the rest noticing.

"These measures will deter software piracy for a simple reason -- it will become too much of a hassle for a hacker to find and disable all the guards," Atallah said. "And we have additional strategies to compound the effectiveness of our approach."

One such strategy involves adding 100 guards to a piece of software, but only having 10 of them actively on the job at a given moment; their membership changes constantly and in secret. Keeping most of the guards "sidelined" in this fashion is one way Atallah keeps programs functioning fast, even after the guards are added.

"Security measures like ours must be added to existing software," Atallah said. "Historically, this has meant two things in practice: The modified software takes up more memory in your computer, and it runs more slowly. Our approach sidesteps both of those problems by spreading the additional code out in tiny pieces throughout the software. So far, it has caused very little reduction in speed."

Arxan is currently testing the security measures on Windows systems in several corporate environments. The system can easily be modified for other operating systems, and the company plans to market versions for Mac and Linux systems as well. Arxan has licensed the technology from Purdue based on several patent applications.

The company is based in Purdue's Research Park, which currently encompasses 619 acres about two miles north of Purdue University's West Lafayette campus. Almost 150 acres have been developed with approximately 1 million square feet owned or leased by more than 100 companies. More than 40 of these companies are growing within the research park's high-tech incubation complex, which is the largest university-affiliated business incubator in the country. Many of these ventures are developing Purdue-licensed technologies.

Initial funding for the research was provided by Purdue's Center for Education and Research in Information Assurance and Security (CERIAS).