Software Security

Professor Clark Thomborson

Computer Science Department

Auckland University

21st Anniversary Symposium, 14th February 2001

What do we want from Security? Our home & office security systems should

– allow authorised access, and– prevent unauthorised access.

Security systems are imperfect. They will– deny access to an authorised user (type-1 fault),– allow unauthorised access (type-2 fault), and– misdefine “authorised” or “access” (type-3 fault).

Type-1 and type-2 faults are technical defects in implementation or operation.

Type-3 faults result from misunderstandings, disagreements or ignorance of law, ethics, economics, psychology, politics, technology…

Technological Utopia Most technologists prefer “open systems”. Physical analogy: an open door allows access to

anyone (who can “walk up to the door”). Examples of open-access systems:

– Free-to-air television allows unrestricted viewing (if you have a TV in a broadcaster’s area);

– The world-wide web allows unrestricted viewing (if you have a computer, web-browser software, and an ISP).

Virtues:– extreme simplicity;– no type-2 faults (there are no unauthorised accesses!);– wonderful possibilities for interoperability with other

systems.

Type-1 Faults in Open Systems Open systems may be overloaded, denying access

from time to time. Open systems may be subverted, becoming inoperable

from time to time.– A hacker may overwrite my website. (Type-3 fault? I

intend my website to allow open-access for viewing, but not open-access for writing!)

– My email may contain a virus. (Type-3 fault? I intend my email ‘inbox’ to be open-access for incoming mail, and I like the “easy-open features” of MS OE, but I don’t want to lose control of my computer!)

Type-3 Faults in Open Systems

Economic: donations, advertising revenues, subsidies, or other indirect funding may be insufficient to sustain operations.

Legal: civil (e.g. infringement through MP3 downloads) or criminal (e.g. supplying pornography).

Ethical: is it appropriate to value our “right to know” above our “right to privacy” and our “right to fair compensation for work”?

Extreme Solutions

Open systems avoid type-2 faults. Non-responsive systems avoid type-1 faults:

they never allow an unauthorised access! Most well-designed systems have some access

restrictions, in three layers:– Prevention, to limit type-1 and type-2 faults.– Detection, to discover faults.– Response, to minimise future faults.

Prevention Techniques (Controls)

There are three main classes of control:– Ethical controls, e.g. “Thou shalt not steal”;

– Legal controls, enforced by the state;

– Technical controls, enforced by systems design. Examples: passwords, smartcards, biometrics.

Software security systems allow (and require) new forms of control.

Challenge: the informal access controls in “physical systems” may not have analogues in “virtual systems”.

Informal Access Controls Physical location. A person robbing a physical bank

vault must travel to the vault, and transport the spoils. A person robbing a “virtual bank” may do so from anywhere on the planet.

Time per access. Virtual systems may operate at inhumanly-fast speeds, overrunning our ability to respond to a new type of attack. “Changing the locks” on a door may be too late.

Identity of actors. Existing security systems for the physical world rely on millennia of practical and legal experience in establishing identity and responsibility. “Virtual identity” is in its infancy.

Authorisation in a Virtual World In a traditional library, a person must walk through a

door, in order to view a copy of a book. Technology: locks, library cards, magnetic strips & detectors, ...

In a virtual library, a person delegates authority to a software proxy.– A 14-digit code, when typed on my computer keyboard, will

authorise my web-browsing software to act as my proxy at my University’s online library.

– My proxy can make copies of library materials.– Technology: access codes, passwords, proxies, …– Security issues: unauthorised copying, impersonation.

Type-3 question: What access controls are appropriate for a virtual library?

“Encoding the Law into Digital Libraries” Pamela SamuelsonComm. ACM, April 1998

“One of the burning questions in the field of cyberlaw is to what extent law or public policy should intervene to tell technologists what they can and can’t code.”

A Murky Question in Copyright

Can a copyright owner insist that their document be “destroyed” after expiration of the copyright?– Yes, if the purchaser agrees to sign the contract.

– No, such contracts are unenforceable because the “public good” served by a copyright (of a limited-term monopoly to control access) would be subverted. Note: the term is 75 years or more in the US.

– Which legal theory will apply in the US? Elsewhere?

– If restricted-use contracts are unenforceable in some jurisdictions, will all libraries be able to purchase a full range of materials?

Another Murky Question Can a copyright holder insist that a digital library add

software security, to severely limit unauthorised readings and “private performances”?– Yes, this is a reasonable restriction, otherwise a single copy

at an online library will make it very difficult for an author to sell any more copies of their work.

– No, private performances and “fair use” copying (e.g. for education and research, within limits) is expressly allowed by US copyright law. The library cannot impose stricter limits, and no software system can exactly match the legal limits.

– Which legal theory will apply in the US? Elsewhere?

“Code as Code”

Software code will increasingly act as a legal code. Technological imperatives (?) in software systems:

– Authorisation decisions (access limits) must be computable.

– Authorisations must be uniform world-wide (because there is no firm concept of location in our “virtual world”).

Many legal distinctions, developed over centuries in various jurisdictions, will be obscured if technologists implement a “copyright enforcement” mechanism in software.

Copyright in the French Revolution

Prior to 1789, “privileged booksellers” were prey to pirates, and authors had few rights.

Privilege was abolished in the Revolution. Culture suffered when no “serious books” or

“great texts of the Enlightenment” were published.

In 1793, authors were given power over their own work lasting until ten years after their death.

A Brief History of (British and) American Copyright 1557: Stationers’ Company gains control of all

printing and book sales, authors have few rights. 1710: Writers gain control of works, but only for 14

years (renewable once). 1774: House of Lords affirms that the rights of authors

and publishers are temporary so that the “products of the mind always return to their real state: owned by no one, usable by everyone.”

1776: US declares independence, starts to develop its own laws and theories of copyright.

American Copyright Since 1776 1790: US Copyright Act passed: 14 year term with one

renewal. 1790-1998: US Congress repeatedly extends the term

of copyright. 1998: Copyright protection is extended to databases. 1998: Digital Millennium Copyright Act makes it

illegal (in the US) to subvert “©-chips”. This is an admission of technological defeat: technical controls are insufficient, legal controls are necessary – if copyright is to be protected!

How might copyright be protected outside the US?

Ethical Analysis of Copyright Samuel Johnson: “For the general good of the world,”

a writer’s work “should be understood as belonging to the publick.” (The public’s right to information.)

Richard Aston: it is “against natural reason and moral rectitude” that a government should “strip businesses of their property after fourteen years.” (The publisher’s right to compensation.)

A Chinese Ethics of Copyright? Pirated software is easily available in Hong

Kong. What is “fair compensation for work” in China?

– Multinationals might pay USD $0.11/hour for labour, is this consistent with copyright charges?

The Confucian ethic of “Wen” implies that Mandarins should produce (but not sell) art.

What were Mao’s thoughts on copyright? China is a signatory to international copyright

agreements. The government promises to enforce the agreements, but I wonder about the process of developing an ethic of compliance.

“Steal this Software”Hillary RosnerThe Standard.com, 19 June, 2000

“Never paying for software is a point of pride among tech insiders. The Internet is making it easier for outsiders to join this jolly band of software pirates. … [Adobe] estimates that as much as 50 percent of the company’s software in use today is stolen.”

Software Piracy in Hotline “Cracked” software (“warez”) can be

downloaded inexpensively, if you go through a series of links to obtain a username and password to a Hotline server.

“Most Hotline servers are maintained by people who have no interest in software and are just in it for the money they can make when software seekers click through the ads.”

“The rest are college kids and anarchic programmers in it for the thrill.”

Emergent Ethics of Software Piracy?

“Insider’s entitlement”: if you’re clever enough to find “warez” then you deserve to have it without paying.

However… A “lamer” is someone who “scams codes off others, rather than doing cracks or really understanding the fundamental concepts.” [The New Hacker’s Dictionary http://www.tuxedo.org/~esr/jargon]

Technical Controls on Software Piracy (my research)

We can “obfuscate” software.– Obfuscated software is very difficult for a human to

understand, so it resists “reverse engineering”.– Obfuscated software is functionally identical to the

unobfuscated version. Obfuscation will limit unauthorised

modification of software. It is very difficult to prevent unauthorised

copying, reuse, and resale of software.

Software Watermarking

We can add indelible “watermarks” or “fingerprints” to software.

Any copy of the software, even after common translations (such as decompiling and recompiling) will carry the watermark.

A watermark can identify the manufacturer. A fingerprint can identify the licensed owner. Unauthorised copying can be detected.

Summary Security systems suffer three types of faults:

– Denial of authorised access– Allowing unauthorised access– Inappropriate specification

Access can be controlled by ethical, legal and technological means.

Informal access controls, such as physical location, speed and identity, are lacking in software systems.

Authorisation for copyright materials is a complex subject. Software security is in its infancy, however there are

partial solutions.