Software protection to prevent unauthorized copying or malicious code modification has not always been possible: some applications did not allow it due to correctness and transparency requirements. However, methodological research in this CD Laboratory should enable the use of software protection even in such cases.
A "man-at-the-end" (MATE) attack is one in which human analysts possess a software application (purchased or otherwise obtained) and have complete control over the system on which they run, analyze, and modify that software, for example to remove copy protection or insert malicious backdoors. Software vendors strive to prevent such MATE attacks, but this is made more difficult by the fact that the software is no longer under their own control: it resides on a computer system set up specifically for hacking purposes.
This CD Laboratory is therefore dedicated to the challenges of software protection in complex application scenarios, such as safety- and time-critical software; verifying the correctness of code transformations is a particularly important point here. Computer programs are written by humans in programming languages that they understand, but this "source code" must be translated by a "compiler" (a specialized program) into machine-readable "binary code" consisting of zeros and ones in order to be executed.
To protect the software, the source code must be modified by special code transformations to include measures against software analysis, modification, and the making of unauthorized copies, but without changing the functionality of the software. Separately verifying the source code and the software modified by protection transformations, to ensure that both are functionally equivalent (and nothing is "lost in translation"), is too time-consuming in practice for large software.
The basic research of this CD Laboratory, on the other hand, is aimed at laying the foundations for applying complex software protection during the translation phase (i.e., while the compiler is translating source code into binary code) in such a way that the code transformations can be checked for correctness and the protection can be seamlessly integrated into the existing software development process.
Other areas of research include combinations of different types of protection, and the as yet unsatisfactorily answered question of how such combinations affect the overall strength of software protection. In addition, hardware-based measures for software protection, which have been used much less frequently than software-based measures, will also be addressed.
Based on the knowledge gained in the CD Laboratory, future research and development of correct, transparent and efficient software protection technologies for critical software (e.g. in the high-security sector) will be enabled and existing business models will be protected at the same time.
Boltzmanngasse 20/1/3 | 1090 Wien | Tel: +43 1 5042205 | Fax: +43 1 5042205-20 | office@cdg.ac.at