Advanced Software Protection: Integration, Research and Exploitation

Traditional security solutions based on custom hardware like smart cards, set-top boxes, and dongles, are not convenient on mobile devices like smartphones and tablets. Software protection is therefore utterly important; it can be a maker and breaker in domains like multi-screen mobile TV, software licensing, and credentials and sensitive data stored on mobile devices. However, current software protection techniques are incredibly hard to deploy. Moreover, they cost too much and limit innovation. Therefore many stakeholders in mobile devices need more trustworthy, cheaper software security solutions and more value for the money they spend on security.In this project, three market leaders in security ICT solutions and four academic institutions join forces to protect the assets of service, software and content providers. From their perspective, mobile devices and their users, which can engage in so-called Man-At-The-End (MATE) attacks, are not trustworthy.Our goal is to establish trustworthy software execution on untrusted mobile platforms that have a persistent or occasional network connection to a trusted entity at their disposal. With the ASPIRE solutions, we want mobile software security to become (1) trustworthy by leveraging on the available network connection and developing a layered security approach of strong protections; (2) measurable by developing practical metrics based on validated attack and protection models; (3) cheaper by integrating support for the protections into an industrial-strength ASPIRE Framework; (4) more valuable by enabling shorter time-to-markets; and (5) more productive by being more widely applicable.To provide software protection that is equally strong as the existing hardware-based protection, we will develop software protection techniques along five mutually strengthening lines of defense: data hiding, algorithm hiding, anti-tampering, remote attestation, and renewability. We will integrate compiler support for all lines of defense into the framework to enable service, software and content providers to automatically protect the assets in their mobile apps with the most appropriate local and network-based protection techniques. A decision support system will assist non-security-expert software developers to tune the tool chain for their assets and protection needs. This decision support system will reduce their time-to-market and lower their market entry ticket price. Research into appropriate models and metrics, as well in a protection evaluation methodology will support the system's design and development.We will demonstrate and validate the developed technology on three real-world use cases from the industrial partners in the mentioned domains, and in a public challenge. Whereas Europe currently leads in hardware protection, the ASPIRE project will allow it to remain competitive in the rapidly growing global mobile economy and society by allowing its mobile service providers to embrace software protection.