On the need for more human studies to assess software protection

Ceccato, Mariano
2014-01-01

Abstract

Programs often run under strict usage conditions (e.g., license restrictions) that could be broken in case of code tampering. Possible attacks include malicious reverse engineering and tampering using static, dynamic and hybrid techniques. Many code protection techniques (e.g., code obfuscation) have been proposed to mitigate the problem of attacks on software integrity, by making code resilient to attacks or just more difficult to understand and, consequently, to attack. The effectiveness of software protection in limiting or retarding attacks is often assessed by using various code metrics. However, metrics alone give a limited (and potentially biased) quantification of the level of protection. Human studies are required to validate metrics and to objectively quantify how effective code protection is in blocking malicious tampering. Human studies would show whether metrics approximate the actual effort required by an attacker to break protections. However, these studies are very expensive and time-consuming. The contribution of the whole research community is required to achieve this demanding objective.

Use this identifier to cite or link to this document: https://hdl.handle.net/11582/255219