Given enough computer power, desire, brains and some luck, the security of most systems can be broken. But there are cryptographic and algorithmic security techniques, ideas and concepts out there that add a level of algorithmic mystification and that, if built into programs, would make them close to unbreakable.
That’s what the Defense Advanced Research Projects Agency (DARPA) wants for a new program called SafeWare.
From DARPA: “The goal of the SafeWare research effort is to drive fundamental advances in the theory of program obfuscation and to develop highly efficient and widely applicable program obfuscation methods with mathematically proven security properties.”
The basic (and I mean basic) idea of software obfuscation is to make the important underlying code or intelligence of an application untouchable (or as untouchable as possible) by an intruder or anyone else looking to access its information.
Johns Hopkins University research professor Matthew Green has written a great description of obfuscation, if you’d like a seriously more in-depth description of the ideas behind it.
For its part, DARPA says it is looking to discover and develop new mathematical foundations and new implementation paths for provably secure program obfuscation.
While many would call obfuscation a black art, DARPA is pretty certain about what it wants to see. For example the agency stated that any proposals for the SafeWare program must satisfy all of the following criteria:
• The method requires the solution of a computationally hard mathematical problem as a necessary condition of a successful de-obfuscation attack.
• The method is not substantially diminished in effectiveness even if it is fully understood by the adversary.
• The method produces an increase in adversary work factor that scales exponentially with respect to a polynomial increase in program runtime overhead.
• The method has general purpose applicability to standard, non-pathological program types.
• The method does not depend on special hardware or special physical resources.
On the flip side, DARPA stated it doesn’t want to see security obfuscation research methods and reverse engineering countermeasures like these:
• Methods whose security does not rely on the hardness of a mathematical problem (typified by, but not limited to, control-flow flattening, opaque predicates or breaking abstractions, etc.);
• Methods that require the use of a cryptographic key or any kind of token (hardware or software) for the operation of the program;
• Methods that require encrypted hardware, distributed computation or distributed storage;
• Methods that require exotic physical states or resources not found on commodity digital hardware (typified by, but not limited to, coherent quantum states, analog physical states, biological degrees of freedom, etc.).