Turning computer code into a kind of math puzzle may hold the key to protecting software from hackers. A consortium of universities developing the idea, called mathematical obfuscation, recently received a $5 million grant from the U.S. government as part of a broader cybersecurity initiative.
Researchers involved in the program, which received the obfuscated name of Center for Encrypted Functionalities, will work on encryption methods capable of masking or "obfuscating" the inner workings of computer programs. The goal is to prevent any unwanted tampering with software by hackers looking for security flaws or trying to reverse engineer the program's capabilities.
Conventional programs require compilers that translate source code (which humans can understand) into machine code (which computers can execute). The obfuscation method adds extra steps to that translation process. It requires a special "obfuscating compiler" that breaks up the source code into encrypted chunks.
This set of encrypted pieces forms a kind of "mathematical jigsaw puzzle," as Amit Sahai, a professor of computer science at the University of California, Los Angeles, has described it. A verifier program would fit together the pieces to create a completed "puzzle" that tells the CPU how to produce the correct output. (See IEEE Spectrum’s “Scrambled Code Keeps Software Safe”.)
"We're doing a lot of the basic research on trying to understand how obfuscation works," said Susan Hohenberger, a professor of computer science at Johns Hopkins University, in a press release. "We're scrambling the code in a mathematical way so that you can run it, but you can't do anything but run it."
Researchers at UCLA and the University of Texas at Austin have already begun work with IBM Research on a version of mathematical obfuscation called indistinguishability obfuscation—a method for protecting code that could only be broken if attackers spent an impractical amount of time and resources. But the vast amount of computation required to create an obfuscated program means that this method is itself impractical today.
The new center, funded by the National Science Foundation, will attempt to change that. Participants include Johns Hopkins, UCLA, Stanford, UT Austin, and Columbia University. The effort represents just one small part of the NSF's $74.5 million Secure and Trustworthy Cyberspace initiative, which covers 225 cybersecurity projects.