SBIR-STTR Award

Preventing Reverse Engineering with a Random Obfuscating Compiler (ROC)
Award last edited on: 2/23/2007

Sponsored Program
SBIR
Awarding Agency
DOD : OSD
Total Award Amount
$99,919
Award Phase
1
Solicitation Topic Code
OSD03-001
Principal Investigator
Fred Hewitt Smith

Company Information

Angel Secure Networks Inc

20 Godfrey Drive Suite 20
Orono, ME 04473
Location: Single
Congr. District: 02
County: Penobscot

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2003
Phase I Amount
$99,919
We propose to build a Random Obfuscating Compiler (ROC), a tool and a process for systematic research and testing of strategies for protecting software from reverse engineering using differential analysis. The US is at war. Our enemies will strive to reverse engineer valuable legacy software in order to eliminate US strategic technological advantages and sabotage critical system performance. We think the ROC is feasible now. Our investigators, Fred Smith, PI, and Benjamin Smith are experienced developers who have already produced somewhat similar software. They have been developing cyber security technologies which are crucial to countering reverse engineering for the past six years. Fred Smith has expertise in assembler, which is required to manipulate compiled executables and provides unique strategies for defeating differential analysis. The ROC will obfuscate executables and libraries given only the information in the binaries themselves. This technique can be inexpensively and rapidly applied to a large body of legacy software. The ROC will test strategies for detecting debuggers, disassemblers, falsified operating environments, protecting files and memory and obfuscating executables. ROC test results, a UML documented design, and a Phase I prototype will provide a basis for Phase II research on an integrated secure software processing system.
The anticipated benefits for DoD are:
• Test results comparing efficacy of various reverse engineering strategies
• Testing of strategies for countering differential analysis of software applications
• At least one method of rapidly and inexpensively protecting legacy software from reverse engineering by obfuscating executables
• Development of techniques to detect hostile reverse engineering applications such as debuggers and disassemblers
• A method for automatically obfuscating executables, libraries, and other binaries
• Multiple, overlapping layers of security for critical software applications
• Defense against reverse engineering techniques that we think are presently only theoretical but are feasible
• Defeat side channel attacks
• Methods of authenticating network nodes used for HPC computing
• Capacity to prevent reverse engineering of an obfuscated executable
• Development of random confusion technology

Potential commercial applications include:
• Army, Navy, and Air Force, all of which are developing new combat information systems which require protection from reverse engineering
• NASA
• A ROC for securities firms and banks which have an obligation to protect client information from disclosure and lots of legacy software they would like to protect without rewriting
• A ROC for software companies to use against industrial espionage

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
----
Phase II Amount
----