Researchers with a DARPA-led team are looking into new ways to combat reverse engineering by using obfuscation to tidy up shoddy commercial and government security.
Researchers with the unit, dubbed the SafeWare program, are hoping to develop new methods, bolstered by encryption, to obscure software code in hopes it its further deployment can lead to “provably secure protections for intellectual property.”
SafeWare first solicited research proposals regarding program obfuscation last fall but it wasn’t until this past month that it officially got underway.
The program, expected to last four years, is comprised of professors from the New Jersey Institute of Technology (NJIT), the Massachusetts Institute of Technology (MIT), the University of California San Diego (UCSD), and Raytheon BBN Technologies.
Kurt Rohloff, an Associate Professor of Computer Science professor at NJIT, who heads up SafeWare, spoke to Signal Magazine today about the group’s work and insisted that while there are plenty of challenges ahead, the group is still in the early stages and that there is no particular application it was focusing on yet.
“I have a particular interest in supporting military-relevant applications, but the challenge that we’re facing right now is that this was just a brand spanking new theoretical innovation and there hasn’t been any real serious effort to get this thing to work in a way that would be practical,” Rohloff told the magazine.
“The immediate goal that we’re focusing on is knocking off a couple orders of magnitude to get a handle on how efficient these things can be so we can get a handle on what are the specific operations,” Rohloff said, adding that eventually he hopes SafeWare can eventually develop a sort of “open-source library for lattice crypto technology.”
Claiming that existing obfuscation programs lack what he calls “quantifiable security models,” Dr. Michael Hsieh, a Program Manager at DARPA’s Information Innovation Office – the office that oversees SafeWare, hopes the project can distance itself from the “security through obscurity” mantra – “typified by inserting passive junk code into a program’s source code” that’s often entwined with program obfuscation now.
Instead Hsieh writes, the researchers are aiming to find a balance between something quantifiable and something difficult for an attacker to de-obfuscate.
“If successful, SafeWare technologies will provide provably-secure protection of sensitive intellectual property and algorithmic information in software that is vulnerable to capture and dissection,” Hsieh writes on the project’s website.
It was just over two years ago that researchers at UCLA devised a new obfuscation mechanism designed to help thwart attackers hoping to reverse engineer software.
At the time that research, outlined in a paper, “Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits,” (.PDF) was expected to be an important tool for protecting intellectual property in the future. Rohloff still lauds the mechanism, but also calls it “extremely inefficient and time consuming.”
The UCLA research figures into SafeWare’s research, but the researchers claim the collective’s main goal is to build on the concept, make it faster, and give it a quantifiable security model.