JH
Uploaded byJames Hamilton
1,243 views

Static Software Watermarking

The document discusses software watermarking, explaining its purposes, types (static and dynamic), and the limitations of each. It highlights the vulnerabilities to semantics-preserving transformations and the challenges of using watermarks as proof of ownership. Ultimately, the conclusion questions the effectiveness and necessity of watermarking in software protection.

Embed presentation

Downloaded 72 times
0 1 0 0 0 0 1 1 0 1 1 0 0 0 1 0 0 1 1 0 1 0 1 0 0 1 0 1 0 1 0 1 1 0 0 1 02/20/11 Software Watermarking James Hamilton, PhD Student 0 0 0 1 1 1 0 1
Software Watermarking - Motivation 0001010101010101101111 0001010101010101101111 0101001011010101101010 0101001011010101101010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 software software company 'thief' 2
Software Watermarking – what is it? 0001010101010101101111 0001010101010101101111 010100MICROSOFT11010 010100MICROSOFT11010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 Allows the software author to prove ownership. software software company 'thief' 3
Software Fingerprinting – what is it? 0001010101010101101111 0001010101010101101111 0101001234567890101010 0101001234567890101010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 Allows the software author to prove the source of the copied software software. software company 'thief' 4
Software Watermarking – what is it not? • It does not prevent copying software. • It does not prevent decompilation or program understanding. • But it could be used in-conjunction with obfuscation (need to be careful the obfuscation doesn't remove the watermark). public class HelloWorld { public String wm = “Microsoft”; public static void main(String[] args) { System.out.println(“Hello World”); Decompile } } Obfuscate 5
Static Software Watermarking 6
Dynamic Software Watermarking • Embeds code to generate a watermark at run-time. • Recogniser uses a debugger to extract watermark. • Should be resilient to semantics-preserving transformations. . 7
Code Replacement & Addition • Very basic, early algorithms simply replaced sections of code, or data, with watermark code. • Susceptible to collusive attacks if the watermarks are placed in the same location in every copy of a program. • Monden et al. [1] encode the watermark as a sequence of bytecode sequences which replace instructions in a dummy method. – difficult to generate code which is similar to the original program – easily remove by semantics-preserving transformations 8 [1] A. Monden, H. Iida, K.-ichi Matsumoto, K. Inoue, and K. Torii, “A practical method for watermarking java programs,” Computer Software and Applications Conference, 2000. COMPSAC 2000. The 24th Annual International, Washington, DC, USA: IEEE, 2002, p. 191–197.
Code Re-Ordering • The watermark is encoded as the nth permutation of some set • Davidson and Myhrvold [1] encode the watermark as the nth permutation of the set of basic blocks in a method. – higly unstealthy due to a greater ratio of goto instructions [2] • Another option, in Java, is to re- order the constant pool (Gong et al.) • Requires the original program from comparison 9 [1] R.I. Davidson and N. Myhrvold, “Method and system for generating and auditing a signature for a computer program,” US Patent 5,559,884, Sep. 1996. [2] Myles, G. et al., 2005. The evaluation of two software watermarking algorithms. Softw. Pract. Exper., 35(10), 923–938. [3] D. Gong, F. Liu, B. Lu, and P. Wang, “Hiding Informationin in Java Class File,” International Symposium on Computer Science and Computational Technology, 2008. ISCSCT ’08., IEEE Computer Society, 2008, pp. 160-164.
Register Allocation • the watermark is encoded in the interference graph, which is used to model the relationship between variables. • each vertex represents a variable and an edge between the two variables indicates that their live ranges overlap. • we colour the graph in order to minimise the number of registers and ensure that two live variables do no share a register. • QP algorithm [1] adds edges to the graph • QP is flawed; QPS, QPI, CC and CP followed with a similar idea. 10 [1] G. Qu and K. Potkonjak, “Analysis of watermarking techniques for graph coloring problem,” Computer-Aided Design, 1998. ICCAD 98. Digest of Technical Papers. 1998 IEEE/ACM International Conference on, San Jose, California, United States: IEEE, 2005, p. 190–193.
Graph Watermarking • Venkatesan et al. [1] encode the watermark in a CFG and 'connect' it to the original program. 11 [1] R. Venkatesan, V. Vazirani, and S. Sinha, “A graph theoretic approach to software watermarking,” Information Hiding, Springer, 2001, p. 157–168.
Example of a bad watermarking algorithm push 4 push 52 push 34 push 12 pop pop pop pop Optimiser push 1 push 23 push 1 push 4 pop pop pop pop 12
Problems with static watermarks in general • can be unstealthy, if the watermark code is compared with 'normal' code • highly susceptible to semantics-preserving transformations – static watermarks rely on syntactic properties • without perfect tamper-proofing techniques an attacker can apply any semantics-preserving transformation to a program – tamper-proofing is hard & unstealthy • especially in Java Conclusion • Static watermarks are not good for software protection 13
What about dynamic watermarks? • in theory, should not be susceptible to semantics-preserving transformations (but some current ones are). • but, they can only protect a complete program rather than single modules, classes, methods etc. • can be susceptible to additive attacks Conclusion • Better than static watermarks, but still not great. 14
Watermark Stealthiness • Some watermarking algorithms are unstealthy – easy to find – 'strange looking' code – doesn't act like the rest of the program • statistical analysis of instructions (e.g. ratio of goto instructions) • program slicing metrics 15
Program slicing public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; return b; slicing criteria } Program Slice [1]: An independent program guaranteed to faithfully represent the original program within the domain of the specified subset of behaviour 16 [1] Weiser, M., 1981. Program slicing. In ICSE '81: Proceedings of the 5th international conference on Software engineering. Piscataway, NJ, USA: IEEE Press, p. 439―449.
Program slicing public void w() { program slice shown in red int a = 1; b = a + 1; String wm = “mywatermark”; return b; slicing criteria } 17
Program slicing public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; slicing criteria return b; } 18
Opaque predicates • A predicate that's outcome is known a-priori • Can be used to protect watermarks from slicing attacks public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; if(PF) { b = wm.length(); } return b; } • Introduces false dependencies to stop slicing 19
Problems with watermarks in general Prove that the software is yours judge here's my watermark software software company 'thief' 20
Problems with watermarks in general who can I believe? judge and here's my watermark software software company 'thief' 21
Problems with watermarks in general I've examined the watermark recogniser carefully, and believe I that only one recogniser is genuine independent software expert judge software software company 'thief' 22
Problems with watermarks in general show me your source-code. independent software expert judge the real author could demonstrate ownership by showing the source- code of their software (without the need for software watermarks) software software company 'thief' 23
Decompilation • The attacker could decompile the the program to get their own source-code to demonstrate they own the code • But it will 'look' decompiled – incoherent variable names – no comments – verbose code – extraneous instructions • The attacker will probably have little understanding of the code and will have trouble answering trivial questions about it 24
Conclusion • There are many static watermarking algorithms but they are all susceptible to trivial semantics-preserving transformation attacks. • Dynamic watermarks are better but can also be susceptible to attacks. • Unstealthy watermarks give an attacker clues and allow them to remove a watermark easier. • Program slicing may be able to give clues about watermarks, and/or help remove them. • Maybe watermark is not actually needed or useful. 25
Thanks Any comments or questions? 26 http://www.gold.ac.uk/computing http://jameshamilton.eu/

More Related Content

PPTX
Watermarking in Source Code: Applications and Security Challenges
byShyamsundar Das
 
PPT
Malware and Modern Propagation Techniques
byJoseph Bugeja
 
PDF
Condroid WSN/DTN Gateway - Verification Rest Report
byLaili Aidi
 
PPT
Cloud computing for agent based urban transportation system vinayss
byVinay Sirivara
 
PDF
International Journal of Engineering Inventions (IJEI)
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
PDF
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
byChinnappa Doss
 
DOC
Generic lossless visible watermarking—a
byAgnianbu Wrong
 
PPTX
Providing fault tolerance in extreme scale parallel applications
byhjjvandam
 
Watermarking in Source Code: Applications and Security Challenges
byShyamsundar Das
 
Malware and Modern Propagation Techniques
byJoseph Bugeja
 
Condroid WSN/DTN Gateway - Verification Rest Report
byLaili Aidi
 
Cloud computing for agent based urban transportation system vinayss
byVinay Sirivara
 
International Journal of Engineering Inventions (IJEI)
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
byChinnappa Doss
 
Generic lossless visible watermarking—a
byAgnianbu Wrong
 
Providing fault tolerance in extreme scale parallel applications
byhjjvandam
 

Similar to Static Software Watermarking

PPTX
Digital watermarking
byAnkush Kr
 
PDF
Hydan
byFranciny Salles
 
PDF
Designing and Attacking DRM (RSA 2008)
byNate Lawson
 
PPTX
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
byAndrey Karpov
 
PDF
Cloning Considered Harmful Considered Harmful
byNicolas Bettenburg
 
PDF
Version based software watermark
byeSAT Publishing House
 
PDF
Version based software watermark
byeSAT Journals
 
PDF
Software Birthmark for Theft Detection of JavaScript Programs: A Survey
bySwati Patel
 
PDF
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
bySwati Patel
 
PDF
Extension and Evolution
byEelco Visser
 
PDF
Combating Software Piracy Using Code Encryption Technique
bytheijes
 
PPT
B-Sides Seattle 2012 Offensive Defense
byStephan Chenette
 
PPTX
Light And Dark Side Of Code Instrumentation
byPositive Hack Days
 
PPT
Hrishikesh Choudhari - Overview Of Cracks
byHrishikesh Choudhari
 
PDF
Intro to Software Engineering for non-IT Audience
byYuriy Guts
 
DOC
Student x
byguesta20cea
 
PPTX
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
byShellmates
 
PPTX
Software basics brushup brownbag
byMichael Gower
 
PDF
19 water marking 9
byAlexander Decker
 
PDF
Lecture 2011.05A - FOSS Fundamentals (Digital Sustainability)
byMarcus Dapp
 
Digital watermarking
byAnkush Kr
 
Hydan
byFranciny Salles
 
Designing and Attacking DRM (RSA 2008)
byNate Lawson
 
PVS-Studio 5.00, a solution for developers of modern resource-intensive appl...
byAndrey Karpov
 
Cloning Considered Harmful Considered Harmful
byNicolas Bettenburg
 
Version based software watermark
byeSAT Publishing House
 
Version based software watermark
byeSAT Journals
 
Software Birthmark for Theft Detection of JavaScript Programs: A Survey
bySwati Patel
 
Software Birthmark Based Theft/Similarity Comparisons of JavaScript Programs
bySwati Patel
 
Extension and Evolution
byEelco Visser
 
Combating Software Piracy Using Code Encryption Technique
bytheijes
 
B-Sides Seattle 2012 Offensive Defense
byStephan Chenette
 
Light And Dark Side Of Code Instrumentation
byPositive Hack Days
 
Hrishikesh Choudhari - Overview Of Cracks
byHrishikesh Choudhari
 
Intro to Software Engineering for non-IT Audience
byYuriy Guts
 
Student x
byguesta20cea
 
BSides Algiers - Reversing Win32 applications - Yacine Hebbal
byShellmates
 
Software basics brushup brownbag
byMichael Gower
 
19 water marking 9
byAlexander Decker
 
Lecture 2011.05A - FOSS Fundamentals (Digital Sustainability)
byMarcus Dapp
 

Recently uploaded

PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

Static Software Watermarking

  • 1.
    0 1 0 0 0 0 1 1 0 1 1 0 0 0 1 0 0 1 1 0 1 0 1 0 0 1 0 1 0 1 0 1 1 0 0 1 02/20/11 Software Watermarking James Hamilton, PhD Student 0 0 0 1 1 1 0 1
  • 2.
    Software Watermarking -Motivation 0001010101010101101111 0001010101010101101111 0101001011010101101010 0101001011010101101010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 software software company 'thief' 2
  • 3.
    Software Watermarking –what is it? 0001010101010101101111 0001010101010101101111 010100MICROSOFT11010 010100MICROSOFT11010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 Allows the software author to prove ownership. software software company 'thief' 3
  • 4.
    Software Fingerprinting –what is it? 0001010101010101101111 0001010101010101101111 0101001234567890101010 0101001234567890101010 1010010101010101010101 1010010101010101010101 1010010000000101010101 1010010000000101010101 1010010101011111111010 copy 1010010101011111111010 Allows the software author to prove the source of the copied software software. software company 'thief' 4
  • 5.
    Software Watermarking –what is it not? • It does not prevent copying software. • It does not prevent decompilation or program understanding. • But it could be used in-conjunction with obfuscation (need to be careful the obfuscation doesn't remove the watermark). public class HelloWorld { public String wm = “Microsoft”; public static void main(String[] args) { System.out.println(“Hello World”); Decompile } } Obfuscate 5
  • 6.
  • 7.
    Dynamic Software Watermarking • Embeds code to generate a watermark at run-time. • Recogniser uses a debugger to extract watermark. • Should be resilient to semantics-preserving transformations. . 7
  • 8.
    Code Replacement &Addition • Very basic, early algorithms simply replaced sections of code, or data, with watermark code. • Susceptible to collusive attacks if the watermarks are placed in the same location in every copy of a program. • Monden et al. [1] encode the watermark as a sequence of bytecode sequences which replace instructions in a dummy method. – difficult to generate code which is similar to the original program – easily remove by semantics-preserving transformations 8 [1] A. Monden, H. Iida, K.-ichi Matsumoto, K. Inoue, and K. Torii, “A practical method for watermarking java programs,” Computer Software and Applications Conference, 2000. COMPSAC 2000. The 24th Annual International, Washington, DC, USA: IEEE, 2002, p. 191–197.
  • 9.
    Code Re-Ordering • The watermark is encoded as the nth permutation of some set • Davidson and Myhrvold [1] encode the watermark as the nth permutation of the set of basic blocks in a method. – higly unstealthy due to a greater ratio of goto instructions [2] • Another option, in Java, is to re- order the constant pool (Gong et al.) • Requires the original program from comparison 9 [1] R.I. Davidson and N. Myhrvold, “Method and system for generating and auditing a signature for a computer program,” US Patent 5,559,884, Sep. 1996. [2] Myles, G. et al., 2005. The evaluation of two software watermarking algorithms. Softw. Pract. Exper., 35(10), 923–938. [3] D. Gong, F. Liu, B. Lu, and P. Wang, “Hiding Informationin in Java Class File,” International Symposium on Computer Science and Computational Technology, 2008. ISCSCT ’08., IEEE Computer Society, 2008, pp. 160-164.
  • 10.
    Register Allocation • the watermark is encoded in the interference graph, which is used to model the relationship between variables. • each vertex represents a variable and an edge between the two variables indicates that their live ranges overlap. • we colour the graph in order to minimise the number of registers and ensure that two live variables do no share a register. • QP algorithm [1] adds edges to the graph • QP is flawed; QPS, QPI, CC and CP followed with a similar idea. 10 [1] G. Qu and K. Potkonjak, “Analysis of watermarking techniques for graph coloring problem,” Computer-Aided Design, 1998. ICCAD 98. Digest of Technical Papers. 1998 IEEE/ACM International Conference on, San Jose, California, United States: IEEE, 2005, p. 190–193.
  • 11.
    Graph Watermarking • Venkatesan et al. [1] encode the watermark in a CFG and 'connect' it to the original program. 11 [1] R. Venkatesan, V. Vazirani, and S. Sinha, “A graph theoretic approach to software watermarking,” Information Hiding, Springer, 2001, p. 157–168.
  • 12.
    Example of abad watermarking algorithm push 4 push 52 push 34 push 12 pop pop pop pop Optimiser push 1 push 23 push 1 push 4 pop pop pop pop 12
  • 13.
    Problems with staticwatermarks in general • can be unstealthy, if the watermark code is compared with 'normal' code • highly susceptible to semantics-preserving transformations – static watermarks rely on syntactic properties • without perfect tamper-proofing techniques an attacker can apply any semantics-preserving transformation to a program – tamper-proofing is hard & unstealthy • especially in Java Conclusion • Static watermarks are not good for software protection 13
  • 14.
    What about dynamicwatermarks? • in theory, should not be susceptible to semantics-preserving transformations (but some current ones are). • but, they can only protect a complete program rather than single modules, classes, methods etc. • can be susceptible to additive attacks Conclusion • Better than static watermarks, but still not great. 14
  • 15.
    Watermark Stealthiness • Some watermarking algorithms are unstealthy – easy to find – 'strange looking' code – doesn't act like the rest of the program • statistical analysis of instructions (e.g. ratio of goto instructions) • program slicing metrics 15
  • 16.
    Program slicing public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; return b; slicing criteria } Program Slice [1]: An independent program guaranteed to faithfully represent the original program within the domain of the specified subset of behaviour 16 [1] Weiser, M., 1981. Program slicing. In ICSE '81: Proceedings of the 5th international conference on Software engineering. Piscataway, NJ, USA: IEEE Press, p. 439―449.
  • 17.
    Program slicing public void w() { program slice shown in red int a = 1; b = a + 1; String wm = “mywatermark”; return b; slicing criteria } 17
  • 18.
    Program slicing public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; slicing criteria return b; } 18
  • 19.
    Opaque predicates • A predicate that's outcome is known a-priori • Can be used to protect watermarks from slicing attacks public void w() { int a = 1; b = a + 1; String wm = “mywatermark”; if(PF) { b = wm.length(); } return b; } • Introduces false dependencies to stop slicing 19
  • 20.
    Problems with watermarksin general Prove that the software is yours judge here's my watermark software software company 'thief' 20
  • 21.
    Problems with watermarksin general who can I believe? judge and here's my watermark software software company 'thief' 21
  • 22.
    Problems with watermarksin general I've examined the watermark recogniser carefully, and believe I that only one recogniser is genuine independent software expert judge software software company 'thief' 22
  • 23.
    Problems with watermarksin general show me your source-code. independent software expert judge the real author could demonstrate ownership by showing the source- code of their software (without the need for software watermarks) software software company 'thief' 23
  • 24.
    Decompilation • The attacker could decompile the the program to get their own source-code to demonstrate they own the code • But it will 'look' decompiled – incoherent variable names – no comments – verbose code – extraneous instructions • The attacker will probably have little understanding of the code and will have trouble answering trivial questions about it 24
  • 25.
    Conclusion • There are many static watermarking algorithms but they are all susceptible to trivial semantics-preserving transformation attacks. • Dynamic watermarks are better but can also be susceptible to attacks. • Unstealthy watermarks give an attacker clues and allow them to remove a watermark easier. • Program slicing may be able to give clues about watermarks, and/or help remove them. • Maybe watermark is not actually needed or useful. 25
  • 26.
    Thanks Any comments or questions? 26 http://www.gold.ac.uk/computing http://jameshamilton.eu/