August 05, 2005
More on Investigating Software and Source Code TheftJason Coombs
With modern development tools, it's theoretically possible to create an application without writing a single line of code. Nonetheless, the end product can still express an original idea. Software intellectual property begins where creative effort begins, and it ends where creative effort ends.
(Part 2 of 2) Proving that software is a trade secret is challenging if the software has ever been shipped to a customer who did not sign a confidentiality agreement. It’s also a challenge to prove trade secrets when clarifying additional technical definitions to law enforcement officials. It is rarely disputed that software is both code and data supplied to a microprocessor. However, this definition is usually viewed as overly limiting in practice. A more practical definition of software comes from observation of the work product and process of software engineers, the business practices of software developers and software vendors, as well as the behaviors and commercial expectations of customers who pay for and make use of software products. Software engineers today use several engineering tools including a programming language, a compiler, a linker, an IDE, a UI design tool, a version-control system, third-party source code and object code libraries, CASE tools, and so on that both facilitate the software engineering process and contribute substantially to the intellectual property that is its end result. It is uncommon for new software to be written in its entirety from scratch without the help of such tools. As a result, modern software is frequently defined in terms of the original intellectual property contributed by a particular developer that imparts unto the software its special quality. In practice this means that software begins where creative effort begins, and it ends where creative effort ends. Dissecting software during litigation, a computer forensic expert is able to carve away the creative effort made by the parties that resulted in the software that is at issue, and consider that effort apart from the intellectual property of third parties (used with permission under license) and the impact of modern software engineering tools in the creation of the final software products. Many times it is discovered that the software developer in fact never created, directly or indirectly, a single operation code instruction that is supplied to the microprocessor during program execution. However, the facts of the software developer's skill and competency in their art, the apparent success of their business venture, and the developer's claim that keeping secret some particular code and data enables the business to be successful, make it plain that the developer's efforts resulted in something that is valuable. Copyright and trade secrets, when embodied in computer software, may therefore exist only in that special sequence of information created by a developer that the developer claims nobody else has the right to look at, decompile, or disassemble. Source Code as De Facto Trade SecretsIt is widely believed that source code is always a trade secret, particularly when effort is made to keep the source code secret or control its distribution only to authorized persons. There are any number of examples in the literature and in case law that support this view, including successful criminal prosecutions [1] of individuals who obtain unauthorized copies of source code. Even when disclosed publicly, as were portions of the Windows source code [2] in early 2004, the end of secrecy does not necessarily deprive the owner of the source code of that party's various property rights to trade secrets contained therein. There are many ways, however, for source code to be obtained without permission of the software owner that do not necessitate theft of source code. For example, disassembly of a software program will result in human-readable and easily modified assembly code. Some software programs are written entirely using assembly language. A conventional software debugger tool typically includes a disassembler, and many resources exist to help programmers, information security specialists, forensic analysts, and others perform sophisticated analysis and manipulation of assembly code. Reverse engineering tools are routinely employed by computer professionals to examine malicious software, perform forensic audits, or to demonstrate security vulnerabilities in practice. For example, the Metasploit Project [3] provides a free information security tool known as the Metasploit Framework that is an advanced open-source (no source secrecy) platform for developing, testing, and using exploit code. Security professionals use Metasploit in conjunction with disassemblers to purposefully tamper with software to examine or test for security flaws. Decompilers take reverse engineering a step further, enabling a copy of a software program to be used to recreate an approximation of the source code for that program. As demonstrated by the author of one decompiler program, Cristina Cifuentes [4] from the Queensland University of Technology (QUT) in Australia, a software program that contains a fibonacci algorithm can be compiled from source code into machine code that any Intel-compatible microprocessor is able to execute, as Cifuentes shows here in hex: 55 8B EC 83 EC 04 56 57 1E B8 94 00 50 9A Then, using the decompiler program written by Cifuentes, source code that is functionally equivalent to the original source code of the fibonacci software program can be produced. In order to sell and deliver to customers any operational software product, a software developer has no choice but to release all of the operation code and data necessary for another party to reverse engineer the subject software and extract from it trade secrets or even a full replica of source code. This means a computer forensic analyst is presented, in a criminal investigation or a civil dispute, with a complex set of unknowns and technical possibilities that are each equally viable as hypotheses of wrongdoing with respect to either party. In software litigation, the parties may literally argue over who was the first to conceive and implement a particular sequence of operation codes or data, with both parties claiming, at best, that they developed their sequences and data completely independent of one another. That such independent creation may be true compels open collaboration between computer experts and the court or prosecutor, in order not to curtail access to computer evidence or allow abuse of process. As the recent Cisco and Internet Security Systems complaint against ISS researcher Michael Lynn suggests, a company that is able to claim theft of trade secrets has a very wide range of civil and criminal legal mechanisms available based on the presumption that they were genuinely harmed by somebody else's actions. In many cases, however, the truth is that the software or source code was not improperly obtained, and wasn't a trade secret in the first place. Some companies take advantage of engineers' relative lack of understanding of these issues in order to bully them into doing or not doing something. To stop a bully requires at least one person to refuse to comply with the bully's demands, no matter what the consequences. A bully relies on their ability to inspire terror, and law enforcement know what to do with such people; if you are confronted with such a situation, all you need to do is explain these technical issues to law enforcement and ask them for help defending yourself against a bully and in most cases you will receive it. If you are truly a victim of an intrusion that resulted in theft of trade secrets, then you still must explain these technical issues in order not to be viewed as a bully. Hopefully these articles and references are helpful to you in communicating with law enforcement or your attorney in either case. References
[1] "FORMER ENGINEER OF WHITE PLAINS SOFTWARE COMPANY RECEIVES TWO YEARS IN
PRISON FOR THEFT OF TRADE SECRET. Last accessed on September 25, 2004: http://www.cybercrime.gov/kissaneSent.htm
Jason Coombs <jasonc@science.org> works as a freelance computer forensic analyst and security incident response investigator. He also serves as a technical expert witness in civil and criminal court cases. Jason thinks he knows a thing or two about information security and forensics, but he may be mistaken; he may in fact be your typical corporate programmer geek with a slightly unusual résumé, which is mostly the result of a refusal to work in a cubicle and a desire to earn far more than he is probably worth.
|
 |
|
|||||||||||||||||||||||||||
|
|
|
