What is software tamper-proofing?

Tamper-proofing is to code as encryption is to data. ™


Obfuscation, checksums and much more

When software has been made tamper-proof, it is protected against reverse engineering and modifications. Tamper-proofing is a combination of many techniques.

For White Hawk’s way of tamper-proofing, the use of a computer is essential: we apply thousands of code transformations and other techniques. Each aspect of this protection adds an individual defense to the code, or prevents a certain attack method. Most importantly, these transformations protect each other and provide a synergistic effect enabling that the protection strength in sum of these techniques is much more than the sum of its individual protection measures.

Tamper-proofing contains large elements of obfuscation
Obfuscated software “cannot” be understood by humans. The way a reverse engineer breaks obfuscated software is well known: The attacker changes one bit and observes the consequences of that change. He keeps doing this until the software is understood. But, tamper-proofing prevents this attack on obfuscation from succeeding.

Tamper-proofing is more than encryption
Encryption is very useful and necessary. Encrypted software needs to be decrypted first before an attacker knows what it does. Tamper-proofing uses lots of encryption but adds an extra element: it hides how the decryption works or what encryption key is used. Note this interesting relationship: Typically users employ encryption to protect data and tamper-proofing to protect the code or encryption keys.

Tamper-proofing contains elements of checksums and hashcodes
These are necessary to detect changes in the protected code. Tamper-proofing also helps hiding the checksums and hash codes.

A few technologies related to tamper-proofing:

Tamper-proofing compared to virus-checking
1) Virus checking protects the computer as a whole at its perimeter and scans the file system. Tamper-proofing protects a particular application inside the computer.
2) Traditional virus checking is based on a large data base of patterns to recognize malicious software. Tamper-proofing does not recognize unwanted software, but it detects changes in the protected software or its behavior.
Virus checking catches the majority of old fashioned attacks. Tamper-proofing is an active defense against modern or Zero day attacks. Nevertheless, tamper-proofing and virus checking should support each other.

Tamper-proofing compared to license checking
License checking is a function within a program which verifies conditions for using the program.
License checking software usually uses tamper-proofing internally to protect itself from being disabled.

Tamper-proofing compared to copy-protection
These are quite different: Tamper-proofed software in theory can easily be copied. However the copy is as tamper-proof as the original. If the original would work on one computer only, so would the copy. Copy protection is mostly done with some hardware support. Tamper protection is a good addition to harden the copy protection.

Tamper-proofing compared to trusted hardware modules
Both try to provide similar services. However, in reality they don’t compete but rather have synergistic effects. Trusted hardware relies on very complex support software and obviously requires hardware support. Both cannot always be assumed to be present or correct. Trusted hardware can add a huge benefit to tamper-proofing, and vice versa, tamper-proofing can augment trusted hardware. Tamper-proofing can (most of the time) be applied without any hardware support. Tamper-proofing can not make absolute security guarantees, but it can be made as tough as you require.

Tamper-proofing compared to a firewall
The firewall is a perimeter feature. It prevents malware from entering, but typically does not protect against new (unknown) or sophisticated attacks. Once the malware is inside the computer, a firewall can only detect anomalies in the communications. Tamper-proofing on the other hand stays active, no matter where an attack originated from. A firewall is a good solution for generic protection; tamper-proofing protects exactly the software which needs protection.


Is tamper-proofing fool safe?
No. Mathematics can show where tamper-proofing has its limits. However, for good tamper-proofing, these limits are far beyond any attackers capabilities or patience (similarly, with enough brain power, encryption can often be decoded). Tamper-proofing is not a single measure. It consists of many different transformations which individually protect each other as well as the software to be protected. Weak protection may suffer from the so called zipper-effect: One measure after the other can be cracked in the right order. Strong protection not only has no visible zipper effect, but the protection as a whole is stronger then the sum of the individual measures.

Does tamper-proofing have performance impacts?
Yes. There is NO software protection which doesn’t. The impact can be minor or may become considerable. Good tamper-proofing tools allow the programmer to carefully direct the tamper-proofed regions, so that the total performance impact can be held in control. A software provider can decide between choosing extreme tamper-protection or providing the highest performance.

Does tamper-proofing make the software larger?
Yes, it does. That is, however, usually an advantage and not a disadvantage; it makes the attacker’s job harder.

Can tamper-proofing be used to protect malware?
Yes, malware traditionally uses tamper-proofing to hide itself. However: The protection methods from White Hawk Software do not hide the software. Similar to encryption, tamper-proofing can be in plain view and nevertheless succeed in protecting the code.

Tamper-proofing in theory:

This is a small, not representative number of external links, but provides great insights.Book cover from surreptitious software