PACE Anti-Piracy was honoured to sponsor, exhibit, and present at AES’s 5th International Conference on Automotive Audio *. We came away inspired by the exciting innovation in the in-vehicle audio space. Given that new algorithms are driving most of that innovation, protecting the value being built means protecting those audio algorithms.
Automotive scenarios are some of the most challenging for audio deployments. Engine and tire noise, wind, and poor acoustic dynamics of vehicle cabs all contribute to pollute the listening experience. Nevermind trying to hold a clear and intelligent phone conversation. Combating these challenges means that advanced audio algorithms need to be developed, increasingly using AI and ML.
These advanced audio algorithms are valuable. Valuable in terms of the revenue they can generate, and valuable in terms of how intellectual property can underpin a company’s worth.
Of course this is true for all algorithms, not just for those found in automotive audio.
History repeats itself with algorithm protection
We see it time and again at PACE: a small company with a brilliant innovative idea goes to market with their intellectual property (IP) properly protected and they reap the rewards. We also regularly see the flip side, companies with equally brilliant ideas coming to us after their IP has been stolen and they are struggling to generate revenue.
The unfortunate truth is that in this increasingly competitive and globalized world, valuable algorithms are targeted by hackers and unscrupulous competitors alike. They are looking to gain from your developers’ hard work. Algorithms are reverse engineered to learn their secrets, or simply lifted wholesale and used in unlicensed deployments.
How does software IP get stolen?
To understand how software IP is stolen, it’s important to understand how it gets deployed.
Software engineers turn algorithms into code. That code gets compiled down to a machine executable format and then deployed. When it is deployed to the edge (e.g in-vehicle or within a desktop application) it is at its most vulnerable.
The trouble is that the compiled code is not deployed into a nicely locked safe. Far from it. Code deployed at the edge, particularly onto open platforms, is easily accessible by hackers. That means they are able to access and lift those machine executable blocks of code.
While it’s compiled code, tools are available that allow developers to reverse engineer the code and get back to your algorithm: your valuable IP.
Hackers will decompile your code to put it back into a human readable form to analyze it statically.
And they will observe your code running using debugging tools to analyze it dynamically. This is sometimes called binary instrumentation.
To look at it another way, inside that safe is a book. The book details your algorithm. Attackers open the safe by accessing the code on the device. Then they start reading the book (static analysis). But what they really want to do is watch the movie reveal its secrets on the big screen (dynamic analysis). Or even better, play the virtual reality interactive video game so they can prod and poke at the algorithm to find out how it reacts.
Unfortunately, this isn’t fiction. There are plenty of resources online—and even university courses—that explain how to do it. And there are plenty of freely available tools to help hackers do it! In many cases, those tools are the same as those used to develop the software in the first place.
Unprotected algorithms are a business risk
So, we understand that code effectively and efficiently documents our algorithms, and attackers can get to that documentation using reverse engineering. But what does that mean for our businesses?
In one word: RISK.
And, unfortunately, it’s not just a theoretical technical risk; it’s a real-world business risk.
We spend time and money developing IP because it brings us business benefits. Developing IP means we can do something no one else can. That means we can solve problems for our customers faster or more efficiently or simply better than the competition. The dream is to develop IP that makes us the only company capable of solving a particular high-value problem for our customers.
This is why successful engineering companies develop IP. Because it gives them a:
- Competitive advantage. We can do something no one else can.
- Monetization opportunity. Customers will pay for good algorithms because it gives them a competitive advantage.
- Increased valuation. Having valuable IP makes our companies more valuable.
The flip side, of course, is that if the IP is exposed and others can leverage your hard work without applying the same effort, then these benefits are lost.
Worse than that, you’ve also spent engineering effort ($) for zero net gain.
How do we make sure that our engineering spend gives the business benefits it should?
Ensuring that engineering spend gives the business benefits it should means protecting the IP produced by that effort. The only way to do that is to prevent IP theft in the first place because, once revealed, there isn’t an effective response that will hide our IP secrets again.
This should be viewed as a cybersecurity problem, because, let’s face it, reverse engineering code is a form of cyber attack.
Given that the algorithms are executing at the edge and we can’t rely on the host software platform to prevent access to the code, we have to look at options to add the necessary security.
In many cases, the first option considered is to add a hardware security module to the computing platform. Options include a secure element, which is a tamper resistant mini-computer similar to the chip in your credit card, or a trusted execution environment, which is a secure enclave in the main processor. If you have access to one of these, it enables you to install small programs, often called applets, and safely execute that code knowing that no one can access it or the data.
The challenge with these hardware options is that they are costly, and computationally they are limited, so squeezing our sophisticated algorithms in there may be a challenge.
They also assume we control the hardware. If we are providing applications that run on PCs or mobile devices, then full access to a hardware security module is a challenge.
An alternative option is to do everything within our own code, using a pure software solution called white-box cryptography, often referred to simply as white-box.
Introducing white-box cryptography for algorithm protection
White-box technology provides a means to run algorithms securely in a pure software environment. Originally designed to protect cryptographic operations, PACE has extended the technology to protect any algorithm and the data upon which it operates.
White-boxes protect algorithms by combining code and data, including any security keys, with a range of computational and mathematical techniques. All of this together makes the operation unintelligible to hackers, preventing them from extracting the secrets.
As it is a pure software approach, it is very easy to deploy and is very flexible in terms of the algorithms you can run within the white-box, even chaining together multiple algorithms so complex operations can be performed without ever exposing data in the clear.
While white-box technology doesn’t necessarily stop someone accessing your software, it does stop them from reverse engineering the crucial algorithms with it. This isn’t basic obfuscation that is traditionally blanket applied to your whole software package. With its nature of being very targeted, white-box technology can achieve far stronger levels of protection.
This prevents attackers from understanding or reusing your IP. This in turn means we can safely deploy our IP at the edge with much less risk to its value.
White-Box Works for protecting your value and algorithms
PACE brings this technology to algorithms deployed at the edge—whether in-vehicle, in a mobile companion app, or in a desktop application. Our product, White-Box Works, represents a third generation of white-box solutions.
What sets White-Box Works apart is its extended usage beyond cryptographic operations. It’s a development tool capable of taking any algorithm you can define in code and generating a protected version of it.
By ‘protected,’ we mean going beyond obfuscation with highly targeted protection. Our tool creates a version of your algorithm that is virtually impossible to analyze, whether through static or dynamic techniques. This safeguards your intellectual property from reverse engineering risks.
To learn more about White-Box Works and protecting the value of your algorithms, reach out to PACE.
* We were amused to learn that it was actually the 6th AES Automotive conference.