Hiding Information in Software With Respect to a White-box Security Model

Abstract

In the digital society we rely upon our devices to both function correctly and securely. With more and more general purpose devices these properties become increasingly difficult to assure. Traditionally hardware specific devices with dedicated usage scenarios have been used to provide a safe environment for safety critical applications. With more complex devices, such as smartphones, it is however very difficult to guarantee a safe execution environment. This thesis will investigate the possibilities of hiding sensitive information in an insecure host environment. By combining several state of the art obfuscation techniques such as white-box cryptography and control flow attening a proof of concept implementation have been created and evaluated. Although security through obscurity will offer far from perfect protection it can increase the cost of an attack. Depending on the level of security required and the types of adversaries expected it can in some scenarios offer an acceptable protection level.