Software patents - Obstacles to software development

Richard Stallman

Software patents don't cover individual programs, they cover ideas.

- But Richard, isn't that the whole point of a patent?

"Intellectual property" lumps a number of entirely different ideas together into one.

Copyrights don't cover ideas (they cover the expression of a work); patents do.

Copyrights can last as long as 150 years. Patents only last 20 years.

Patents cover ideas even if you come up with them individually.

During the 18 months a patent application may take to process, the application is secret. E.g. in
1984 the compress program was written, then in 1985 a patent for LZW compression was released.

Patents are unclear and may use unusual terminology, so you might not find the relevant patents
when you write software.

The Australian government studied the patent system in the 1980s; it concluded that, aside from
international pressure, there was no reason to have a patent system.

There are three ways of dealing with a patent:

1). Avoid the patent

E.g. the authors of XyWrite downgraded their software to take out the facility to pre-define
abbreviations.

BT holds a patent on using hyperlinks with dial-up access; public key encryption was protected by
patent until 1997.

2). Licensing the patent

They can refuse, or charge a lot.

If you are a big company, you can trade patents, avoiding the problem of the patent system.

"The patent system is like a lottery" - The Economist

If you are a small vendor and you threaten them with a patent, they will just claim that you
infringe their patents. Suckers.

Some companies exist just to sue people over patents.

Pharmaceutical patents cover just the chemical.

Software is considerably more complex than e.g. car parts, so a company has to be rich (and able
to deal with patents) to build a 100,000-piece car, but doesn't have to be rich to build a
100,000-piece program.

Introduction to Security

Unconditional security: not enough information to decide whether one plaintext possibility is
more likely than another.

Electronic code book (ECB): split the message into n-bit blocks and apply the cipher function to
each individually. It's crap.

CBC: use the output of each block as part of the input for the next block (the first input is
random data).

A MAC is like CBC, but the block isn't output each time: you just get the final output (and the
first input is plaintext). It is useful as a secure checksum.

A Feistel cipher is a block cipher structure that includes multiple rounds of encryption.

The basic operation is as follows:

Split the plaintext block into two equal pieces, (L0, R0).

For each round i = 1..n, compute L_i = R_{i-1} and R_i = L_{i-1} XOR f(R_{i-1}, K_i),

where f is the round function and K_i is the sub-key. Then the ciphertext is (L_n, R_n).

Decryption is accomplished via R_{i-1} = L_i and L_{i-1} = R_i XOR f(L_i, K_i).

One advantage of this model is that the round function f does not have to be invertible, and
can be very complex. Note the reversal of the subkey order for decryption; this is the only
difference between encryption and decryption.

In cryptography, a pseudorandom permutation, abbreviated PRP, is an idealized block cipher. It
means the cipher cannot be distinguished from a random permutation (that is, a permutation
selected at random with uniform probability from the family of all permutations on blocks of that
size) with less computational effort than specified by the cipher's security parameters (this usually
means the effort required should be about the same as a brute force search through the cipher's
key space).

Three rounds are required for a Feistel construction to behave as a PRP. After one round, the
left half appears unmodified. After two, a single bit change in the right half of P causes just a
single bit change in the right half of C.
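As an added example (not from the notes), a toy 64-bit Feistel network in Python: the round function f is a truncated SHA-256 and is not invertible, decryption only reverses the subkey order, and diffusion_report() checks the round-count observations above (with this implementation's orientation, the one-bit-for-one-bit behaviour after two rounds shows in the left half). The subkeys and the plaintext block are constructed values.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(half, subkey):
    """Round function: 32 bits derived from a half-block and a subkey via SHA-256. A hash is
    not invertible, which is fine: a Feistel network only recomputes f, it never inverts it."""
    digest = hashlib.sha256(half.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, subkeys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i) to a 64-bit block, one round per subkey."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (left << 32) | right

def swap_halves(block):
    return ((block & MASK32) << 32) | (block >> 32)

def encrypt(plaintext, subkeys):
    return feistel(plaintext, subkeys)

def decrypt(ciphertext, subkeys):
    """Same network on the swapped halves with the subkeys in reverse order: the subkey order
    is the only difference between encryption and decryption."""
    return swap_halves(feistel(swap_halves(ciphertext), subkeys[::-1]))

def diffusion_report(subkeys):
    """Round-count observations: after one round the plaintext's right half is copied straight
    into the ciphertext's left half; after two rounds a single-bit change in the plaintext's
    left half is still exactly one flipped bit in the ciphertext's left half."""
    p = 0x0123456789ABCDEF                           # constructed plaintext block
    c1 = feistel(p, subkeys[:1])
    copied_through = (c1 >> 32) == (p & MASK32)      # L1 = R0
    c2 = feistel(p, subkeys[:2])
    c2_flipped = feistel(p ^ (1 << 40), subkeys[:2])  # flip one bit in the left half of P
    left_flips = bin((c2 ^ c2_flipped) >> 32).count("1")  # L2 = L0 xor f(R0, K1)
    return copied_through, left_flips

if __name__ == "__main__":
    keys = [bytes([i]) * 8 for i in range(1, 17)]    # constructed 16 toy subkeys
    m = 0x0123456789ABCDEF
    c = encrypt(m, keys)
    assert decrypt(c, keys) == m
    print(hex(c), diffusion_report(keys))
```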

Diffie-Hellman key exchange

● Alice and Bob agree on a suitably large prime number p and a base g (greater than 1, less
than p-1); Alice picks a random integer x and Bob a random integer y (each from 1 to p-2)

● Alice sends Bob g^x mod p

● Bob sends Alice g^y mod p

● Both can form (g^x)^y = (g^y)^x:

Alice computes (g^y mod p)^x mod p
Bob computes (g^x mod p)^y mod p

and can now use a hash of (g^y)^x as a key.

ElGamal Encryption

In practice, rather than encrypting a whole message with this key, it will be used to encrypt a
different key for decrypting the rest of the message with a good efficient block cipher.

ElGamal signature

If A has published (p, g, g^x) as her public key and kept x as her private key, then in order to
sign a message M she generates a random number y and solves the linear equation

x · g^y + y · s = M (mod p)   (1)

for s and sends to the verifier B the signed message

A -> B: M, g^y mod p, s = (M - x · g^y) / y mod p

who will raise g to the power of both sides of (1) and test the resulting equation

(g^x)^(g^y) · (g^y)^s = g^M (mod p)

Public-key infrastructure
Public key encryption and signature algorithms allow the establishment of confidential and
authenticated communication links with the owners of public/private key pairs.

In the absence of a personal exchange of keys, this can be mediated via a trusted third party. Such
a certification authority C issues a digitally signed public key certificate

Cert_C(A) = {A, K_A, T, L}_(K_C^-1)

in which C confirms that the public key K_A belongs to A starting at time T and that this
confirmation is valid for the time interval L, and all this is digitally signed with C's private
signing key K_C^-1.

Anyone who knows C's public key K_C from a trustworthy source can use it to verify the certificate
Cert_C(A) and obtain a trustworthy copy of A's key K_A this way.

We can use the operator o to describe the extraction of A's public key K_A from a certificate
Cert_C(A) with the certification authority's public key K_C:

K_C o Cert_C(A) = { K_A if certificate valid, failure otherwise }
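An added Python example (not from the notes) that puts the two sections above together: ElGamal signatures as in (1), used by a certification authority C to sign Cert_C(A) = {A, K_A, T, L}, with extract() playing the role of the K_C o Cert_C(A) operator. The toy group p = 2^31 - 1, g = 7, the SHA-256 hashing of the message into M, and the certificate field encoding are constructed choices; the linear equation is solved modulo p - 1, the exponent modulus, which is what makes raising g to both sides of (1) work.

```python
import hashlib, secrets
from math import gcd

# Constructed toy group (far too small for real use): p is the Mersenne prime 2^31 - 1 and
# g = 7 is a primitive root mod p. Exponent arithmetic is done modulo p - 1, the group order.
p = 2**31 - 1
g = 7

def keygen():
    """Private key x, public key g^x mod p; the notes' public key is (p, g, g^x)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def digest(msg):
    """M: the message hashed and reduced into the exponent range (constructed choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (p - 1)

def sign(x, msg):
    """Pick y, send g^y mod p, and solve x*g^y + y*s = M for s."""
    M = digest(msg)
    while True:
        y = secrets.randbelow(p - 2) + 1
        if gcd(y, p - 1) == 1:          # y must be invertible mod p-1 to solve for s
            break
    r = pow(g, y, p)
    s = (M - x * r) * pow(y, -1, p - 1) % (p - 1)
    return r, s

def verify(pub, msg, sig):
    """Raise g to both sides of (1): (g^x)^(g^y) * (g^y)^s == g^M (mod p)."""
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(pub, r, p) * pow(r, s, p) % p == pow(g, digest(msg), p)

def cert_bytes(name, ka, t, l):
    return f"{name}|{ka}|{t}|{l}".encode()

def issue_cert(xc, name, ka, t, l):
    """Cert_C(A) = {A, K_A, T, L} signed with C's private key x_c."""
    return name, ka, t, l, sign(xc, cert_bytes(name, ka, t, l))

def extract(kc, cert, now):
    """K_C o Cert_C(A): K_A if the signature checks and now lies in [T, T+L), else None (failure)."""
    name, ka, t, l, sig = cert
    if not verify(kc, cert_bytes(name, ka, t, l), sig) or not (t <= now < t + l):
        return None
    return ka
```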

Identification and entity authentication


Humans can be identified by something they are (DNA), something they do (signature), something
they have (ID card), something they know (password), or where they are (GPS).

Some techniques to ensure security: CTRL+ALT+DEL closes any GUI applications when logging in;
passwords are stored hashed; don't use dictionary passwords; enforce a minimum length; and
generate passwords randomly.

Authentication Protocols

Alice and Bob share a secret Kab.

Password:

B -> A: Kab

Problems: an eavesdropper can capture the secret and replay it. A can't confirm the identity of B.

Simple challenge response:

A -> B: N

B -> A: h(Kab|N)

Mutual challenge response:

A -> B: Na
B -> A: {Na, Nb}_Kab
A -> B: Nb

One-time password:

B -> A: C, {C}_Kab

The counter C increases by one with each transmission; commonly used with car keys to prevent
replay.

Key generating key:

Each smart card Ai contains its serial number i and its card key Ki = {i}_K. The master key K (key
generating key) is only stored in the verification device B. Example with simple challenge
response:

Ai -> B: i
B -> Ai: N
Ai -> B: h(Ki|N)
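An added Python example (not from the notes) of the key-generating-key scheme with simple challenge response: B holds only K and derives Ki = {i}_K per card, and each challenge N is consumed once, so a captured h(Ki|N) cannot be replayed. HMAC-SHA256 stands in for both the h(...) hash and the {i}_K derivation, and the serial numbers and master key are constructed.

```python
import hmac, hashlib, secrets

def h(key, *fields):
    """h(K|...) from the notes, realised as HMAC-SHA256 over the fields."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

class Verifier:
    """B: stores only the master key K and derives each card's key K_i = {i}_K on demand.
    The notes encrypt i under K; a keyed hash of i stands in for that here."""
    def __init__(self, master_key):
        self.master = master_key
        self.pending = {}                      # serial i -> outstanding challenge N
    def card_key(self, serial):
        return h(self.master, serial)
    def challenge(self, serial):
        """A_i -> B: i ;  B -> A_i: N (a fresh random nonce per attempt)"""
        n = secrets.token_bytes(16)
        self.pending[serial] = n
        return n
    def check(self, serial, response):
        """A_i -> B: h(K_i|N). A response only counts against the challenge it was issued for."""
        n = self.pending.pop(serial, None)
        if n is None:
            return False                      # nothing outstanding: stale or replayed answer
        return hmac.compare_digest(response, h(self.card_key(serial), n))

class Card:
    """A_i: personalised with its serial number and derived key; never holds K itself."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key
    def answer(self, n):
        return h(self.key, n)

def personalise(verifier, serial):
    """Issuer step: derive K_i for a new card with the master key (constructed helper)."""
    return Card(serial, verifier.card_key(serial))

def authenticate(card, verifier):
    """Run one full exchange and report whether B accepts the card."""
    n = verifier.challenge(card.serial)
    return verifier.check(card.serial, card.answer(n))
```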

Kerberos

User A and server B don't share a secret key initially, but authentication server S shares secret

Authentication protocol attack

Remember simple mutual authentication:

A -> B: Na

B -> A: {Na, Nb}_Kab

A -> B: Nb

Impersonation of B by B', who intercepts all messages to B and starts a new session with A at the
same time, in order to have A decrypt her own challenge:

A -> B': Na
B' -> A: Na
A -> B': {Na, N'a}_Kab
B' -> A: {Na, Nb = N'a}_Kab
A -> B': Nb
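An added Python example (not from the notes) of the mutual challenge response above, realised with HMAC-SHA256 tags instead of encryption and with the responder's name bound into each tag: reflection_defeated() replays the B' impersonation step by step and shows that A rejects her own forwarded answer, because the tag names A rather than B (and a single session also refuses to answer its own outstanding nonce). Key and party names are constructed.

```python
import hmac, hashlib, secrets

def tag(key, *fields):
    """{...}_Kab from the notes, realised as an HMAC-SHA256 tag rather than encryption."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

class Party:
    """One end of the protocol; both ends hold K_ab. The responder's name goes into the tag,
    so an answer A computes can never pass as an answer from B."""
    def __init__(self, name, kab):
        self.name, self.kab = name.encode(), kab
        self.my_nonce = None
    def start(self):
        """A -> B: Na"""
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce
    def respond(self, peer_nonce):
        """B -> A: Nb, tag(K_ab, 'B', Na, Nb). Refuses if the 'challenge' is our own nonce."""
        if peer_nonce == self.my_nonce:
            return None
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce, tag(self.kab, self.name, peer_nonce, self.my_nonce)
    def verify(self, peer_name, reply):
        """A checks the reply was made by `peer_name` for the challenge she actually sent."""
        if self.my_nonce is None:
            return False
        peer_nonce, t = reply
        return hmac.compare_digest(t, tag(self.kab, peer_name.encode(), self.my_nonce, peer_nonce))
    def confirm(self, peer_nonce):
        """A -> B: proof that A saw Nb (third message)."""
        return tag(self.kab, self.name, peer_nonce)

def honest_run(kab):
    a, b = Party("A", kab), Party("B", kab)
    na = a.start()
    nb, t = b.respond(na)
    ok_a = a.verify("B", (nb, t))
    ok_b = hmac.compare_digest(a.confirm(nb), tag(kab, b"A", b.my_nonce))
    return ok_a and ok_b

def reflection_defeated(kab):
    """B' intercepts Na, opens a second session with A using Na as the challenge, and forwards
    A's own answer back to her first session as if it came from B."""
    session1, session2 = Party("A", kab), Party("A", kab)
    na = session1.start()                         # A -> B': Na
    reply = session2.respond(na)                  # B' -> A: Na ; A -> B': {Na, N'a}
    if reply is None:                             # same session asked: refused outright
        return True
    return not session1.verify("B", reply)        # B' -> A forwards it; tag names 'A', not 'B'
```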

Discretionary Access Control


Access to objects (files etc.) is permitted based on user identity. Each object is owned by a user.
Owners can specify freely (at their discretion) how they want to share their objects with other
users, by specifying which other users can have which form of access to their objects.

In its most generic form this is usually formalized as an Access Control Matrix M of the form

M = (M_so)_{s ∈ S, o ∈ O} with M_so ⊆ A

where

S = set of subjects

O = set of objects

A = set of access privileges

Columns stored with objects: "access control list"

Rows stored with subjects: "capabilities"

Elevated Rights

Many programs need access rights to files beyond those of the user, e.g. passwd.

Unix files carry two additional permission bits for this purpose:

● set user ID - file owner determines process permissions

● set group ID - file group determines process permissions

The user and group ID of each process comes in three flavours:

effective - the identity that determines the access rights

real - the identity of the calling user

saved - the effective identity when the program was started

A normal process started by user U will have the same value U stored as the effective, real and
saved user ID and cannot change any of them.

When a program file owned by user O and with the set user ID bit set is started by user U, then
both the effective and the saved user ID of the process will be set to O, whereas the real user ID
will be set to U.

The program can now switch the effective user ID between U and O. Similarly with the group ID.

If a malicious user can crash a program that is running as root, they can often end up in a shell
with root privileges.

Mandatory Access Control Policies

Unlike chmod, where the user controls access, system policies enforce MAC. MAC mechanisms are
aimed at preventing untrusted application software.

Bell Model

Formal policy for mandatory access in a military environment. All subjects are labeled with a
confidentiality level, eg

Unclassified < Confidential < Secret < Top Secret

A process that reads Top Secret becomes tagged as Top Secret by the OS, as will all files it writes
into afterwards.

Covert Channel Problem

The problem of preventing high-level processes leaking information to low-level processes.

E.g. if a high-level process has already created file F, a low-level process will fail when trying
to create a file of the same name -> 1 bit of information.
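An added Python example (not from the notes) modelling the floating labels of the Bell model and the file-creation covert channel from the two sections above: label_float_scenario() shows a process and the files it writes being tagged Top Secret after a single Top Secret read, and covert_channel_scenario() shows the 1-bit leak through a shared file namespace. Levels, file names and processes are constructed.

```python
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def higher(a, b):
    """The greater of two confidentiality levels in the ordering above."""
    return a if RANK[a] >= RANK[b] else b

class Process:
    def __init__(self, level):
        self.level = level

class System:
    """Toy OS with floating labels: a read lifts the reader to the file's level, and every file
    the process writes into afterwards is lifted to the process's level."""
    def __init__(self):
        self.files = {}                          # name -> confidentiality level

    def create(self, proc, name):
        """False if the name already exists. In a shared namespace that failure is visible at
        every level, which is the 1-bit covert channel described in the notes."""
        if name in self.files:
            return False
        self.files[name] = proc.level
        return True

    def read(self, proc, name):
        proc.level = higher(proc.level, self.files[name])

    def write(self, proc, name):
        self.files[name] = higher(self.files[name], proc.level)

def label_float_scenario():
    """An Unclassified process reads a Top Secret file, then writes to an Unclassified one."""
    s = System()
    s.create(Process("Top Secret"), "plans")
    s.create(Process("Unclassified"), "notes")
    p = Process("Unclassified")
    s.read(p, "plans")
    s.write(p, "notes")
    return p.level, s.files["notes"]             # both are now Top Secret

def covert_channel_scenario(secret_bit):
    """High signals one bit by creating (or not creating) file F; low reads it off the outcome."""
    s = System()
    high, low = Process("Top Secret"), Process("Unclassified")
    if secret_bit:
        s.create(high, "F")
    return 0 if s.create(low, "F") else 1
```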

Trusted Computing Base

The trusted computing base consists of the parts of a system that enforce a security policy.

A good security design should attempt to make the TCB as small as possible.

The TCB must be protected from external interference.

Stack overflow attack

If you don't check the size of data in your program, it's vulnerable to the return address being
overwritten, etc.

Similarly, input data should be checked in CGI scripts for malicious shell code.
