by Sebastian Schrittwieser (University of Vienna) and Michele Ianni (University of Calabria)
Software is gaining unprecedented importance in many industries. The automotive sector is a prime example of this massive change: once primarily confined to embedded systems such as engine control units, software now serves as the central interface for almost all vehicle components. Features such as advanced driver assistance systems, infotainment and connectivity services all rely heavily on software. In addition, cost considerations are driving the replacement of hardware components with software equivalents - from analogue switches and buttons being replaced by a central touchscreen with software-based controls, to dedicated hardware sensors such as LIDAR being replaced by vision-based artificial intelligence (AI). This shift not only reduces manufacturing costs, but also enables entirely new business models. Concepts such as over-the-air updates, paid activation of modular features and subscription models are only possible through software-centric approaches.
However, this increased reliance on software brings new security challenges. In so-called Man-At-The-End (MATE) attacks, reverse engineers have full control over the systems on which they execute, analyze, and modify the targeted software. Such attacks pose significant threats to new business models, including unauthorized activation of functionality, software piracy, and intellectual property infringement. Software integrity is also critical. Modified software can lead to unintended side effects, potentially compromising human safety in critical situations. Fundamentally, ensuring robust software security to protect against analysis and modification is not only a business imperative, but also a safety requirement.
Similar to many other domains, AI is already having a significant impact on software security. Large Language Models (LLMs), such as GPT-4, are improving code analysis and semantic understanding of software, leading to remarkable improvements in both speed and quality. These models can automatically generate code documentation, identify vulnerabilities, and suggest optimisations. While research is currently focused on code analysis, the field of software protection is poised to benefit significantly from AI advances in the coming years as well. AI can be used to develop more sophisticated protection strategies, including code diversification - syntactic variations of software copies to prevent so-called class breaks, where attacking one instance allows adversaries to compromise all other instances as well.
However, AI-driven advances in software security do not come without challenges. Obfuscation, for example, is a widely used technique that AI could enhance in the future. Obfuscation aims to make code harder to understand by transforming its structure, adding irrelevant code, increasing the complexity of the control flow, and encrypting data. The primary goal is to prevent reverse engineering and protect intellectual property. Despite its usefulness in securing software, obfuscation also presents significant challenges. While it provides protection by hiding the inner workings of code, attackers, including malware developers, can weaponise obfuscation techniques. Bad actors can use the same strategies to hide malware, making it harder for security systems to detect and for analysts to understand the intent of the code. Obfuscated malware can evade signature-based detection mechanisms and slow down reverse engineering efforts, creating a dangerous gap in software security.
Similarly, watermarking is another key technique for protecting software, particularly in the fight against piracy and unauthorized copying of programs. By embedding invisible marks in software, developers can trace the origin of pirated copies or unauthorized modifications. This can be crucial in legal disputes or intellectual property enforcement. However, like obfuscation, watermarking is not immune to abuse. In malicious hands, watermarking can be exploited to make compromised software appear to belong to a legitimate source, complicating the attribution process and potentially implicating innocent parties. This illustrates the double-edged nature of many software protection strategies: while they are essential for securing legitimate software, they also present new challenges when adopted by adversaries.
The risks associated with software exploitation are not limited to intellectual property theft or software piracy. Exploitation can lead to serious vulnerabilities that threaten data security, financial stability of companies, and even human safety. A critical problem is the exploitation of zero-day vulnerabilities - previously unknown flaws in software that can be exploited before developers can patch them. These vulnerabilities can be sold or shared among attackers, making them extremely difficult to defend against in real time. Software exploitation, particularly in critical sectors such as automotive, medical or finance, can have catastrophic consequences if attackers are able to manipulate the software to perform unintended actions.
Mitigating these risks requires a multi-layered approach in software security. Patching software and regularly addressing known vulnerabilities is a basic defense mechanism. In addition, adopting secure coding practices, where software is designed with security in mind from the outset, can help reduce the attack surface. AI-driven solutions also play an important role in identifying vulnerabilities earlier, allowing for faster patching and response. For example, AI models can sift through massive code bases and pinpoint areas that are likely to contain vulnerabilities based on past patterns. This automation allows developers to focus their efforts on the most critical parts of the software.
One area that remains particularly vulnerable is the Internet of Things (IoT). IoT devices, from smart home appliances to industrial sensors, are notoriously difficult to secure. Many IoT devices are low-cost and designed with limited computing power, which means they lack the robust security features of more sophisticated systems. Moreover, these devices are often not regularly updated, leaving them exposed to known vulnerabilities long after these have been discovered. IoT devices are a prime target for attackers because, once compromised, they can be used as an entry point into wider networks or reused in large-scale attacks such as distributed denial of service (DDoS) campaigns. The security challenges associated with IoT are exacerbated by the decentralized nature of these devices and their widespread deployment. Securing the IoT requires cross-industry collaboration, with standards, regulations and lightweight security measures that can be effectively implemented on resource-constrained devices.
Analyzing software for vulnerabilities relies on a variety of techniques. Static analysis, which examines code without executing it, can help identify potential vulnerabilities by analyzing code structure, syntax and control flow. Dynamic analysis, on the other hand, observes software in action and detects runtime vulnerabilities by observing how the software behaves under different conditions. Combining these approaches with techniques such as fuzzing - where random inputs are thrown at the software to discover unexpected behavior - can help uncover vulnerabilities that would otherwise remain hidden. AI and machine learning models are increasingly being used to enhance both static and dynamic analysis, speeding up the process and improving accuracy by detecting subtle signs of potential threats that might elude human analysts.
From a European perspective, the approach to software security and intellectual property protection presents its own unique set of challenges and opportunities. Europe has always placed a strong emphasis on privacy and data protection, as evidenced by regulations such as the General Data Protection Regulation (GDPR). However, while the region leads the way on privacy, it lags behind the US, Japan and China in most areas of software innovation. Europe needs to increase its focus on defending against MATE attacks and protecting intellectual property, especially as software becomes central to new business models. The example of Skype - a European-developed VoIP software that became a market leader primarily through its innovative technology, but also because of its superior software protection which prevented clones for many years - illustrates how robust security practices can provide a competitive advantage. However, to maintain this edge, Europe must continue to evolve its software security strategies, especially as AI-driven threats become more sophisticated.
Three key EU legislative frameworks, the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2), and the Cyber Resilience Act (CRA), have been established to enhance cybersecurity and operational resilience across various sectors. Each of these initiatives emphasizes stringent security requirements for software, including secure development practices, lifecycle management, and risk assessments. Collectively, these frameworks push organizations to adopt more secure software development practices, invest in advanced security technologies, and ensure continuous compliance with evolving regulations. By embedding security into every stage of the development process, organizations not only comply with these regulations but also improve their overall resilience against cyber threats, positioning themselves to navigate the increasingly complex cybersecurity environment effectively. While these regulations represent a crucial step toward enhancing software security, it is more important than ever for organizations to prioritize it. Doing so is essential for safeguarding digital assets and maintaining resilience in an increasingly interconnected world.
The articles in this special theme section offer a comprehensive panorama of the current European research activities in software security and protection. By showcasing a diverse range of studies and innovative approaches, they highlight the ongoing advancements and key developments shaping the future of the field.
Please contact:
Sebastian Schrittwieser
University of Vienna, Austria
Michele Ianni
University of Calabria, Italy