arizonaedu Abstract A software birthmark is a unique characteristic of a program that can be used as a software theft detection technique In this paper we present and empirically evaluate a novel birthmarking technique Whole Program Path Birthmarking ID: 38700
Download Pdf The PPT/PDF document "Detecting Software Theft via Whole Progr..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
DetectingSoftwareTheftviaWholeProgramPathBirthmarksGingerMylesandChristianCollbergDepartmentofComputerScience,UniversityofArizona,Tucson,AZ,85721,USAAsoftwarebirthmarkisauniquecharacteristicofaprogramthatcanbeusedasasoftwaretheftdetectiontechnique.InthispaperwepresentandempiricallyevaluateanovelbirthmarkingtechniqueWholeProgramPathBirthmarkingwhichuniquelyidentiesaprogrambasedonacompletecontrolowtraceofitsexecution.Toeval-uatethestrengthoftheproposedtechniqueweexaminetwoimportantproperties:credibilityandtoleranceagainstprogramtransformationssuchasoptimizationandobfuscation.Ourevaluationdemonstratesthat,forthedetectionoftheftofanentireprogram,WholeProgramPathbirthmarksaremoreresilienttoattackthanpreviouslyproposedtechniques.Inaddition,weillustrateseveralinstanceswhereabirth-markcanbeusedtoidentifyprogramtheftevenwhenanembeddedwatermarkwasdestroyedbyprogramtransformation.Keywords:softwarepiracy,copyrightprotection,softwarebirthmark.1IntroductionSupposeAlicecreatesaprogramwhichshesellstoBob.Subsequently,AlicediscoversBobissellingaprogramwhichisremarkablysimilarto.AlicesuspectsBobcopiedandisresellingitunderthenewname.Inordertotakelegalaction,Aliceneedstobeabletoprovethatisindeedacopyof.Inthispaperwewilldescribeatechniqueknownassoftwarebirthmarkingwhichcanbeusedtoprovidesuchproof.Asoftwarebirthmarkisauniquecharacteristic,orsetofcharacteristics,thataprogrampossessesandwhichcanbeusedtoidentifytheprogram.Thegeneralideaisthatiftwoprogramsbothhavethesamebirthmarkthenitishighlylikelythatoneisacopyoftheother.Therearetwoimportantpropertiesofabirthmarkingtechniquethatmustbeconsidered:thedetectorshouldnotproducefalsepositives(i.e.itshouldnotsaythatoriginatefromthesamesource,if,infact,theydonot),anditshouldberesilienttosemanticspreservingtransformations(suchasoptimizationandobfuscation)thatanat-tackermaylaunchinordertodefeatthedetector.InthispaperweproposeandevaluateanewsoftwarebirthmarkingtechniquewecallWholeProgramPath(WPPB).WPPBisatechnique,relyingontheexecutionpatternoftheprogramtodetectthebirthmark.ThisisincontrasttopreviouslyK.ZhangandY.Zheng(Eds.):ISC2004,LNCS3225,pp.404 415,2004.Springer-VerlagBerlinHeidelberg2004 DetectingSoftwareTheftviaWholeProgramPathBirthmarks405proposedtechniqueswhichare,i.e.theycomputethebirthmarkbasedonthecharacteristicsoftheprogramsourceorbinarycode.WewillshowthattheWPPBtechniqueismoreresilienttoattacksbysemantic-preservingtransfor-mationsthanpublishedstatictechniques.Thispapermakesthefollowingcontributions:1.Weintroduceanewcategoryofsoftwarebirthmarkswhichwecall2.WeproposeandevaluateanewdynamicbirthmarkingtechniquebasedonWholeProgramPathsPaths3.WeevaluatethefourstaticbirthmarkingtechniquesproposedbyTamada,etal.[23,24]andshowthattheyareeasilydefeatedbycurrentcodeobfuscationtools.4.WeprovideanempiricalevaluationbetweenourWPPBtechniqueandTamadasbirthmarks,anddemonstratethatWPPBsarelessvulnerabletoattacksbysemantics-preservingtransformations.5.Finally,weshowthatbirthmarkscanbeusedtoidentifyprogramtheftevenwhenanembeddedwatermarkhasbeendestroyedbyaprogramtransfor-2RelatedWorkTherearethreemajorthreatsrecognizedagainsttheintellectualpropertycon-tainedinsoftware.Softwarepiracyistheillegalresellingoflegallyobtainedcopiesofaprogram.Softwaretamperingistheillegalmodicationofaprogramtocircumventlicensechecks,toobtainaccesstodigitalmediaprotectedbythesoftware,etc.Maliciousreverseengineeringistheextractingofapieceofaprograminordertoreuseitinonesown.Avarietyoftechniqueshavebeenproposedtoaddresstheseattacks.Eachtechniquetargetsadierentattackandcanoftenbecombinedtoproduceastrongerdefense.Codeobfuscation[12]isatechniquedevelopedtoaidinthepreventionofreverseengineering.Anobfuscationisasemantics-preservingtrans-formationwhichmakestheprogrammorediculttounderstandandreverseengineer.Probablythemostwell-knowntechniquefordetectingsoftwarepiracysoftwarewatermarking[7,9,11,14,17,20,22,25].Thebasicideaistoembedauniqueidentierintheprogram.Piracyisconrmedbyprovingtheprogramcontainsthewatermark.AlesserknowntechniqueforthedetectionoftheftissoftwarebirthmarksSoftwarebirthmarksdierfromsoftwarewatermarksintwoimportantways.First,itisoftennecessarytoaddcodetotheapplicationinordertoembedawatermark.Inthecaseofabirthmarkadditionalcodeisneverneeded.Insteadabirthmarkreliesonaninherentcharacteristicoftheapplicationtoshowthatoneprogramisacopyofanother.Secondly,abirthmarkcannotproveauthorshiporbeusedtoidentifythesourceofanillegalredistribution.Rather,abirthmarkcanonlyconrmthatoneprogramisacopyofanother.Astrongbirthmarkwill 406G.MylesandC.Collbergbeabletoprovidesuchconrmationevenwhencodetransformationshavebeenappliedtothecodebytheadversaryinordertohidethetheft.OneoftherstoccurrencesoftheuseofthetermbirthmarkwasbyGrover[15]wherethetermwasusedtomeancharacteristicsoccurringintheprogrambychancewhichcouldbeusedtoaidinprogramidentication.Thistermwasdistinguishedfromangerprintinthatthecharacteristicsusedtoem-bedthengerprintareintentionallyplacedinthecode.Thegeneralideaofasoftwarebirthmarkissimilartothatofacomputervirussignature.AnearlyexampleoftheuseofbirthmarkswasinanIBMcourtcase[6].InthiscaseIBMusedtheorderinwhichtheregisterswerepushedandpoppedtoprovethattheirPC-ATROMhadbeenillegallycopied.Tamada,etal.[23,24]haveproposedfourbirthmarksthatarespecictoJavaclassles:constantvaluesineldvariables(CVFV),sequenceofmethodcalls(SMC),inheritancestructure(IS),andusedclasses(UC).TheCVFVbirth-markextractsinformationaboutthevariablesdeclaredintheclass.Foreachvariablethetypeisextractedalongwiththeinitialvalue.Thebirthmarkisthenthesequence((,...,)).SMCexaminesthesequenceofmethodcallsastheyappearintheclass,butnotnecessarilyinexecutionorder.Becauseitiseasytochangethenamesofthemethodswithintheap-plicationonlythosemethodcallswhichareinasetofwell-knownclassesareconsideredinthesequence.ISextractstheinheritancestructureoftheclass.Thebirthmarkisconstructedbytraversingthesuperclassesoftheclassback.Allclasseswhichareinthesetofwell-knownclassesareincludedinthesequence.TheUCbirthmarkexaminesallclasseswhichareusedbyagivenclass,i.e.theyappearasasuperclassofthegivenclass,thereturnorargumenttypesofamethod,thetypesofelds,etc.Allclassesinthesetofwell-knownclassesareincludedinthesequencewhichisthenarrangedinalpha-beticalorder.AswewillseeinSect.5Tamadasbirthmarksareeasilydefeatedbyapplyingsimplecodeobfuscatingtransformationstotheprogram.Plagiarismdetectionisanotherareawhichisverysimilartosoftwarebirth-marking.Avarietyofplagiarismdetectiontechniqueshavebeenproposed(e.g.Moss[5,21],Plaque[26],andYAP[27])whichhavebeenquitesuccessfulatde-tectingplagiarismwithinstudentprograms.Unfortunately,thesesystemscom-putesimilarityatthesourcecodelevel.Inmanyinstancessourcecodeisun-available.Inaddition,thesesystemsdonotconsidersemantics-preservingtrans-formationsandtheeectsofdecompilationontheformattingofthesourcecode.Forexample,itwasshownbyCollberg,etal.[10]thatgiventhesourcecodeofaJavaapplication,simplycompilingthendecompilingwillcauseMosstoindicate0%similaritybetweentheoriginalandthedecompiledsourcecode.3SoftwareBirthmarksBeforewecanpreciselydenetheideaofabirthmarkwemustdenewhatitmeansforaprogramtobeacopyofanotherprogram.Themostobviousdenitioniswhereisanexactduplicateof.However,inordertohidethe DetectingSoftwareTheftviaWholeProgramPathBirthmarks407factthatcopyinghastakenplaceanattackermightapplysemantics-preservingtransformationsto.Forexample,alloftheidentiersinmighthavebeenrenamedoranoptimizingregisterallocatormighthavebeenappliedtosothatnowhavedierentregisterassignments.Inthiscasewewouldstillliketobeabletosaythatisacopyof.Inaddition,itisimportantthatourdenitionreectsthatifisacopyofshouldexhibitthesameexternalbehavior.(Notethatthereverseofthispropertydoesnotnecessaryhold.Itispossibletondtwoprogramswhichexhibitthesameexternalbehaviorbutarenotcopies.Anexampleisiterativeandrecursiveversionsofthesamefunction.)Thefollowingdenitionofasoftwarebirthmarkisarestatementofthedef-initiongivenbyTamada,etal.[23,24].Denition1(Birthmark).Letp,qbeprograms.Letbeamethodforextract-ingasetofcharacteristicsfromaprogram.Thenisabirthmarkofisobtainedonlyfromitself(withoutanyextrainformation),andisacopyofAswithsoftwarewatermarkingwecancharacterizeabirthmarkaseitherstaticordynamic.Astaticbirthmarkextractsthesetofcharacteristicsfromthestaticallyavailableinformationinaprogramsuchasinformationaboutthetypesorinitialvaluesoftheelds.Adynamicbirthmarkreliesoninformationgatheredfromtheexecutionoftheapplication.Adynamicalgorithmtypicallyworksattheprogramlevelwhereasastaticalgorithmtargetsanentireprogramorindividualmoduleswithintheprogram.Thesamedistinctionistruewithstaticanddynamicwatermarkingalgorithms.Adynamicalgorithmcanprovideevidenceifanentireprogramisstolenandastaticalgorithmmaybeabletodetectthetheftofasinglemodule.ThefourbirthmarktechniquesproposedbyTamada,etal.arecharacterizedasstaticandtargetclass-leveltheft.Denition1abovedenesastaticbirthmark.Denition2(DynamicBirthmark).Letp,qbeprogramsandaninputtotheseprograms.Letbeamethodforextractingasetofcharacteristicsfromaprogram.Thenp,iisadynamicbirthmarkofp,iisobtainedonlyfromitselfbyexecutingwiththegiveninput,andisacopyofp,iq,iTheWholeProgramPathBirthmarkproposedinthispapercomputesthebirthmarkfromtheexecutiontraceoftheprogram.Itistherefore,adynamicbirthmarkdesignedtodetectprogramleveltheft.3.1EvaluatingSoftwareBirthmarksWewouldlikeabirthmarktechniquetosatisfythefollowingtwoproperties.Property1(Credibility).beindependentlywrittenprogramswhichaccomplishthesametask.Thenwesayisacrediblemeasureif 408G.MylesandC.CollbergProperty2(ResistancetoTransformation).beaprogramobtainedfrombyapplyingsemantics-preservingtransformations.ThenwesayisresilientProperty1isconcernedwiththepossibilityofthebirthmarkfalselyindicat-ingthatisacopyof.Thiscouldoccurwithindependentlyimplementedpro-gramswhichperformthesametask.Itishighlyunlikelythattwoindependentlyimplementedalgorithmswillcontainallofthesamedetailssothebirthmarkshouldbedesignedtoextractthosedetailswhicharelikelytodier.Property2addressestheissueofidentifyingacopyinthepresenceofatrans-formation.Withtheproliferationoftoolsforcodeoptimizationandobfuscation,forexample[1,2,3,4],itishighlyprobablethatanattackerwillapplyatleastonetransformationpriortodistributinganillegallycopiedprogram.Itisdesirablethatabirthmarkbeabletodetectacopyevenifatransformationhasbeenappliedtothatprogram.4WholeProgramPathBasedBirthmarksInthenextsectionwepresenttherstknowndynamicbirthmarktechnique.ThroughexperimentswehaveperformedonthefourtechniquesproposedbyTamada,etal.webelievetheyaresusceptibletoavarietyofsimpleprogramtransformations.Thus,thereareothercharacteristicsofaprogramwhichcouldbeusedtoconstructastrongerbirthmarktechnique.4.1WholeProgramPathsWholeProgramPaths(WPP)isatechniquepresentedin[16]torepresentaprogramsdynamiccontrolow.TheWPPisconstructedbycollectingatraceofthepathexecutedbytheprogram.Thetraceisthentransformedintoamorecompactformbyidentifyingitsregularity,whichisrepeatedcode.Tocollectthetracetheedgesoftheprogramscontrolowgraphareinstrumented,byuniquelylabelingeachedge.Astheprogramexecutestheedgesarerecorded,producingatrace.ThetraceisthenrunthroughtheSEQUITURalgorithmwhichcompressesitandrevealsitsinherentregularity[18,19].TheoutputoftheSEQUITURalgorithmisacontext-freegrammarfromwhichadirectedacyclicgraph(DAG)isproduced.Eachruleofthegrammariscomposedofanon-terminalandasequenceofsymbolswhichthenon-terminalrepresents.ToconstructtheDAGrepresentationofthegrammaranodeisaddedforeachuniquesymbol.Foreachruleanedgeisaddedfromthenon-terminaltoeachofthesymbolsitrepresents.ThenalDAGistheWPP.TheconstructionoftheWPPisillustratedinFig.1.Atacontrolowgraphwith6basicblocksand8edgesisconstructedfromtheinputprogram.Thecontrolowgraphisinstrumentedsothateachedgeislabeled.Atprogramisexecutedproducinganedgetrace.ThetraceisrunthroughtheSEQUITURalgorithmattoproducethegivencontext-freegrammar.This DetectingSoftwareTheftviaWholeProgramPathBirthmarks409grammarcontains3uniquenon-terminalsand8uniqueterminals.AtaDAGwith3internalnodes,8leafnodes,and14directededgesisconstructedwhichrepresentsthegrammar. i=0;i5;i++) a=1; a=2; a 2345678 1R1R1R2R28 c d R1 R2 3 4 2 R1 R2 Fig.1.AnillustrationofthestagesinvolvedinconstructingaWholeProgramPath(WPP).Theconstructionbeginswithaprogram.Aprogramcontrolowgraphisconstructedandinstrumented.Byexecutingtheprogramonagiveninputanedgetraceisconstructed.ThistraceisrunthroughtheSEQUITURalgorithmtoproduceacontext-freegrammar.ThegrammaristhenusedtoconstructadirectedacyclicgraphwhichrepresentstheWPP.AllterminalnodesandcorrespondingedgesareremovedfromtheWPPtoconstructtheWPPbirthmark.OurWPPbirthmarkisconstructedinanidenticalmannerastheWPPwiththeexceptionoftheDAGinthenalstage.Anessentialpropertyofabirthmarkisthatitcapturesaninherentcharacteristicabouttheprogramwhichisdiculttomodifythroughsemantics-preservingtransformations.TheWPPbirthmarkcapturestheinherentregularityinthedynamicbehaviorofaprogram.SinceweareonlyinterestedintheregularityweeliminateallterminalnodesintheDAG.Itistheinternalnodeswhichwillbemorediculttomodifythroughprogramtransformations.Thus,theDAGinFig.1istransformedintothebirthmarkoftheexampleprogramat 410G.MylesandC.Collberg4.2SimilarityofWPPBirthmarksTheWPPbirthmarkisintheformofaDAG.Supposewehavethebirthmarksforprograms)and)arethesameiareisomorphic.Sinceitisunlikelythatisanidenticalcopyofwouldliketobeabletosaysomethingaboutthesimilaritybetween)and).Inotherwords,wewouldliketobeabletoconcludethatisacopyofeveninthepresenceofsemantics-preservingtransformations.Tocomputesimilarityweuseaslightlymodiedversionofthegraphdistancemetricin[8].Thesimilarityisbasedonndingamaximalcommonsubgraph,,between.Thepercentageofthatweareabletoidentifyinbyndingthemaximalcommonsubgraphindicatesthesimilaritybetweenthetwoprograms.ThereasonwearecomparingthesizeofofthemaximumofisthatwearetryingtoidentifyacopyofWethereforewanttoknowhowmuchofiscontainedinDenition3(GraphDistance).Thedistanceoftwonon-emptygraphsisdenedas whereisthemaximumcommonsubgraphofDenition4(Similarity).Letbebirthmarksex-tractedfromprograms.Thesimilaritybetweenisdened5EvaluationToevaluatetheeectivenessoftheWPPbirthmarkingtechniqueweexamineditsabilitytosatisfythetwopropertiesfromSect.3.WelookatwhetherWPPbirthmarkswillproducefalsepositivesgiventwoindependentlywrittenappli-cationswhichaccomplishthesametaskandthetoleranceofthebirthmarkagainstprogramtransformations.Asanadditionalevaluationwedemonstratehowbirthmarkscanbeusedinconjunctionwithwatermarking.5.1CredibilityToevaluatethecredibilityofWPPbirthmarksweexaminedtheabilitytodis-tinguishbetweentwoindependentlywrittenapplicationswhichperformedthesametask.Welookedattwoproblems:calculatingafactorialandgeneratingFibonaccinumbers.Eachoftheseproblemscanbesolvedrecursivelyanditera-tively.TheWPPbirthmarkfoundthefactorialprogramstobe50%similarandtheFibonacciprograms7%similar.Fromtheseresultsweareabletoconclude DetectingSoftwareTheftviaWholeProgramPathBirthmarks411thattherecursiveanditerativeformsoftheprogramswereprobablywrittenindependently.Tamada,etal.[23,24]statethattheirbirthmarktechniquesareunabletodistinguishbetweenindependentlywrittenapplicationswhicharesmall.ThisistruegiventheFactorialandFibonacciprograms.UsingthefourbirthmarksproposedbyTamada,etal.therecursiveanditerativeversionsarefoundtobe100%similar.TheonlyexceptionwasSMConfactorialwhichhadasimilar-ityof16%.Thus,withrespecttosmallapplicationsandcredibilitytheWPPbirthmarksprovidestrongerresults.5.2ResistancetoTransformationToevaluatetheWPPbirthmarksresistancetotransformationweappliedvari-ousobfuscationsandoptimizationstoautomaticallytransformourtestprogramintoanequivalent,butnotidenticalprogram.ToperformthetransformationsweusedZelixKlassmaster(ZKM)[4],Smokescreen[3],Codeshield[1],andSand-Mark[2].ZKM,Smokescreen,andCodeshieldallincludenameobfuscation,theeliminationofdebugginginformation,andsometypeofcontrolowobfucations.Additionally,SmokescreensupportsdeadcodeeliminationandZKMincludesstringencryption.OurtestprogramwasaJavaprogramthatworksliketheUNIXwcprogram.ForeachofthetoolsexceptSandMarkweappliedthetoolwiththestrongestlevelofobfuscation.TheSandMarktoolpermittedustopickandchoosewhichobfuscationswereappliedtotheprogram.SandMarkincludes31obfuscationalgorithmswhichweappliedindividuallytoobtaining31obfuscatedprograms.Inaddition,weappliedmultipleobfuscationsinsuccessiontoWecomputedtheWPPbirthmarkforeachofthetransformedapplications,the31fromSandMarkplusthethreeadditional,aswellastheoriginalIneverycasethesimilaritybetweentheoriginalandtheobfuscatedapplicationswasfoundtobe100%.WeperformedthesameevaluationofthefourtechniquesproposedbyTamada,etal.Table1showsacomparisonoftheresultswithourWPPbirth-markusingZKM,Smokescreen,andCodeshield.ThetableshowsthatonlyWPPandIScompute100%foreachofthethreeobfuscatedprograms.EventhoughIScomputes100%similaritywebelievethetechniqueisnotstrongenoughtobeusedonitsown.Thereasonforthisisthatthetechniquecouldproducemanyfalsepositivesforindependentlyimplementedprogramswhichbothdoanddonotperformthesametask.Wealsotestedthefourstaticbirthmarksagainsteachofthe31obfusca-tionsincludedintheSandMarktool.ForCVFV,SMC,andUCwewereabletondobfuscationswhichcastdoubtonthesimilaritybetweentheoriginalandobfuscatedversion.UsingtheCVFVbirthmarkalessthan100%similar-itywasdetectedfortheobfuscationsBogusFields(75%),NodeSplitter(0%),Objectify(66%),OpaqueBranchInsertion(75%),andTransparentBranchIn-sertion(75%).Whenallveoftheseobfuscationswereappliedinconjunctiontowc.jarCVFVdetecteda0%similarity.TheSMCbirthmarkdetectedalessthan 412G.MylesandC.Collberg100%similarityonfourobfuscations:BuggyCode(69%),PrimitivePromoter(5%),StaticMethodBodies(82%),andTransparentBranchInsertion(83%).Asimilarityof1%wasdetectedwhenallfourobfuscationswereapplied.Fourob-fuscationsalsocausedtheUCbirthmarktodetectalessthan100%similarity:Objectify(92%),OpaqueBranchInsertion(92%),PrimitivePromoter(56%),andTransparentBranchInsertion(92%).Thecombinationoftheobfuscationsyieldeda52%similarity.TheseinitialresultsindicatethattheWPPbirthmarkisstrongerthenthefourtechniquesproposedin[23,24]whentheftofanentireapplicationisinquestion.Table1.Similaritypercentagefoundusingeachbirthmarktechniqueonanoriginalandobfuscatedversionof ZKM Smokescreen Codeshield WPP 100% 100% 100% CVFV 66.7% 83.3% 83.3% SMC 25.0% 15.9% 100% IS 100% 100% 100% UC 100% 100% 45.0% WedoknowoftwoattacksthattheWPPbirthmarkiscurrentlyvulnerableto.Therstisanylooptransformationthatalterstheloopinwayssimilartoloopunrollingorloopsplitting.Executingtheloopbackwards,however,willnoteecttheWPPbirthmark.WPPbirthmarksarealsovulnerabletomethodinliningincertaininstances.Ifthemethodcalloccursinsideofalooptheninliningwillnotalterthebirthmark.Ontheotherhand,ifthemethodisahelpermethodwhichiscalledfromvariouslocationsthroughouttheprogram,inliningthemethodcallwillhaveaneectonthebirthmarksimilarity.5.3BirthmarksandWatermarksOnelimitationofsoftwarebirthmarksisthattheyprovideweakerevidencethansoftwarewatermarks.Theyareonlyabletosaythatoneprogramislikelytobeacopyofanothernotwhotheoriginalauthorisorwhoisguiltyofpiracy.However,birthmarkscanbeusedininstanceswherewatermarkingisnotfeasiblesuchasapplicationswherecodesizeisaconcernandthewatermarkwouldinsertadditionalcode.Birthmarkscanalsobeusedinconjunctionwithwatermarkingtoprovidestrongerevidenceoftheft.OnesuchexampleisthewatermarkingalgorithmproposedbyStern,etal.[22]whichprovidesaprobabilitythataspecicwatermarkiscontainedintheprogram.Ifthewatermarkingalgorithmdoesnot100%guaranteethatthewatermarkiscontainedintheprogramthenabirthmarkcouldbeusedasadditionalevidenceoftheft.Therearealsoinstanceswherewatermarksfail,e.g.anattackerisabletoapplyanobfuscationwhichdestroysthewatermark.Intheseinstancesabirthmarkmaystillbeableto DetectingSoftwareTheftviaWholeProgramPathBirthmarks413provideproofofprogramtheftsincethebirthmarkmaybemoreresilienttoWewereabletoveryeasilyconstructthreeinstancesusingthegramwhereawatermarkisdestroyedbyanobfuscation,butWPPbirthmarksstilldetect100%similaritybetweentheprograms.Intherstinstanceweusedaverysimplestaticwatermarkingalgorithmwhichembedsthewatermarkbysplittingitinhalfandusingthersthalftonameaneweldandthesecondinanameofanewmethod.Wethenappliedanobfuscationwhichaddsadditionaleldstotheprogram.Inthesecondinstancethesamewatermarkingalgorithmisusedbutthistimetheobfuscationrenamesalloftheidentiersinthepro-gram.InthethirdinstancewewatermarkedtheprogramusingthealgorithmproposedbyArboit[7]whichencodedthewatermarkinopaquepredicates[13]thatareappendedtovariousbranchesthroughouttheprogram.Wethenap-pliedanobfuscationwhichaddsopaquepredicatestoeverybooleanexpressionthroughouttheapplication.Ineachoftheseinstancethewatermarkisdestroyedwhichwouldhavepreventedpiracydetection,buttheWPPbirthmarkwasabletodetect100%similarity.6FutureWorkThemostpressingfutureworkistoconductamoreextensiveevaluationoftheWPPbirthmarktechnique.Theevaluationconductedinthispaperwasonlypreliminaryandthuswewouldliketostudytheeectivenessonalargersetoftestapplicationsaswellasmorecombinationsofobfuscations.AswasdiscussedinSect.5.2WPPbirthmarksaresusceptibletovariouslooptransformations.Toaddressthisproblemwewanttoevaluatetheeective-nessofincorporatingtransformations,suchaslooprerolling,inapreprocessingstagethatwouldreversethetransformation.Inaddition,wewouldliketoaddfunctionalitytothetechniquewhichwouldmakeitpossibletotargetmodulelevelaswellasprogramleveltheft.OncethisfunctionalityhasbeenaddedwewouldliketoevalutetheeectivenessofWPPbirthmarksinthedetectionofplagiarismwithinstudentprograms.Anotherinterestingareaofsoftwarebirthmarksthatshouldbeexploredisthecombinationofstaticanddynamicbirthmarks.Unlikewatermarks,whereitispossibletodestroyonewatermarkwithanother,twoormorebirthmarkscanalwaysbeusedinconjunctiontoprovidestrongerevidenceoftheft.7SummaryInthispaperweexpandedontheideaofsoftwarebirthmarkingbyintroducingdynamicbirthmarksandinparticularaspecicdynamicbirthmarkcalledWholeProgramPaths.Weevaluatedthetechniquewithrespecttotwoproperties:credibilityandresistancetotransformation.Inbothevaluationsthetechniquedemonstratedpromisingresults.WPPbirthmarksdidnotfalselyidentifytwoindependentlywrittenprogramsasbeingcopieseventhoughtheyperformthe 414G.MylesandC.Collbergsametask.Basedonthetestprogram,,andtheavailableobfuscationsWPPbirthmarkscalculatedasimilarityof100%betweentheoriginalandthetransformedprogram.Wealsodemonstratedhowbirthmarkscanbeusedinconjunctionwithwatermarksandinsomeinstancesareabletodetectpiracyevenwhenthewatermarkhasbeendestroyed.1.Codeshieldjavabytecodeobfuscator.http://www.codingart.com/codeshield.html.2.Sandmark.http://www.cs.arizona.edu/sandmark/.3.Smokescreenjavaobfuscator.http://leesw.com.4.Zelixklassmaster.http://www.zelix.com/klassmaster/index.html.5.AlexAiken.Moss asystemfordetectingsoftwareplagiarism.http://www.cs.berkeley.edu/aiken/moss.html.6.RossJ.AndersonandFabienA.P.Petitcolas.Onthelimitsofsteganography.IEEEJournalofSelectedAreasinCommunications,16(4):474 481,May1998.Specialissueoncopyright&privacyprotection.7.Genevi`eveArboit.Amethodforwatermarkingjavaprogramsviaopaquepred-icates.InTheFifthInternationalConferenceonElectronicCommerceResearch,2002.8.H.BunkeandK.Shearer.Agraphdistancemetricbasedonthemaximalcommonsubgraph,1998.9.C.Collberg,E.Carter,S.Debray,A.Huntwork,C.Linn,andM.Stepp.Dynamicpath-basedsoftwarewatermarking.InACMSIGPLANConferenceonProgram-mingLanguageDesignandImplementation(PLDI04),2004.10.ChristianCollberg,GingerMyles,andMikeStepp.Cheatingcheatingdetectors.TechnicalReportTR04-05,UniversityofArizona,2004.11.ChristianCollbergandClarkThomborson.Softwarewatermarking:Modelsanddynamicembeddings.InInConferenceRecordofPOPL99:The26thACMSIGPLAN-SIGACTSymposiumonPrinciplesofProgrammingLanguages(Jan.,1999.12.ChristianCollberg,ClarkThomborson,andDouglasLow.Ataxonomyofobfus-catingtransformations.TechnicalReport148,DepartmentofComputerScience,UniversityofAuckland,July1997.13.ChristianCollberg,ClarkThomborson,andDouglasLow.Manufacturingcheap,resilient,andstealthyopaqueconstructs.InPrinciplesofProgrammingLanguages1998,POPL98,SanDiego,CA,January1998.14.R.L.DavidsonandN.Myhrvold.Methodandsystemforgeneratingandauditingasignatureforacomputerprogram.USPatent5,559,884,Assignee:MicrosoftCorporation,1996.15.DerrickGrover.Programidentication.InDerrickGrover,editor,TheProtectionofComputerSoftware ItsTechnologyandApplications,pages122 154.Cam-bridgeUniversityPress,1989.16.JamesR.Larus.Wholeprogrampaths.InACMSIGPLANConferenceonPro-grammingLanguageDesignandImplementation(PLDI99),1999.17.A.Monden,H.Iida,K.Matsumoto,KatsuroInoue,andKojiTorii.Apracticalmethodforwatermarkingjavaprograms.Incompsac2000,24thComputerSoftwareandApplicationsConference,2000. DetectingSoftwareTheftviaWholeProgramPathBirthmarks41518.C.G.Nevill-ManningandI.H.Witten.Compressionandexplanationusinghier-archicalgrammars.TheComputerJournal,40(2/3),1997.19.C.G.Nevill-ManningandI.H.Witten.Linear-time,incrementalhierarchyinferenceforcompression.InProceedingsoftheDataCompressionConference(DCC97)20.GangQuandMiodragPotkonjak.Hidingsignaturesingraphcoloringsolutions.InformationHiding,pages348 367,1999.21.SaulSchleimer,DanielWilkerson,andAlexAiken.Winnowing:Localalgorithmsfordocumentngerprinting.InProceedingsofthe2003SIGMODConference22.JulienP.Stern,GaelHachez,FrancoisKoeune,andJean-JacquesQuisquater.Ro-bustobjectwatermarking:Applicationtocode.InInformationHiding,pages368 378,1999.23.HaruakiTamada,MasahideNakamura,AkitoMonden,andKenichiMatsumoto.Detectingthetheftofprogramsusingbirthmarks.InformationScienceTechnicalReportNAIST-IS-TR2003014ISSN0919-9527,GraduateSchoolofInformationScience,NaraInstituteofScienceandTechnology,Nov2003.24.HaruakiTamada,MasahideNakamura,AkitoMonden,andKenichiMatsumoto.Designandevaluationofbirthmarksfordetectingtheftofjavaprograms.InProc.IASTEDInternationalConferenceonSoftwareEngineering(IASTEDSE2004)pages569 575,Feb2004.25.RamarathnamVenkatesan,VijayVazirani,andSaurabhSinha.Agraphtheo-reticapproachtosoftwarewatermarking.In4thInternationalInformationHiding,Pittsburgh,PA,April2001.26.GeoWhale.Identicationofprogramsimilarityinlargepopulations.,33:140 146,1990.27.MichealJ.Wise.Detectionofsimilaritiesinstudentprograms:Yapingmaybepreferabletoplagueing.In23rdSIGCSETechnicalSymposium,pages268 271,