Legally Speaking

Apple’s Challenge to Virtualization Software

Is it okay for security researchers to virtualize software to look for vulnerabilities?

Corellium makes a software product, CORSEC, which enables security researchers to create virtualized versions of Apple's iOS to study that code's functionalities and possible vulnerabilities. In mid-2018, Apple executives were sufficiently impressed with CORSEC that Apple offered to buy the company. Corellium declined that offer. A year later, however, Apple sued Corellium for copyright infringement because its product makes copies of iOS software in the course of interacting with the iOS when Corellium's customers use CORSEC to study the iOS.

In December 2020, Corellium persuaded a federal trial court judge in Florida that it had made fair uses of the Apple software. Apple has appealed the fair-use ruling.

This column explains why I believe the trial court's fair-use ruling was sound (which is why I am a signatory on the intellectual property (IP) professors amicus curiae brief filed in support of Corellium). It also briefly reviews arguments made in two other amicus curiae briefs supporting Corellium.


Corellium's Product

Corellium developed CORSEC to enable security researchers to study how the Apple iOS software works, to detect bugs and vulnerabilities, and to inform their own development projects. CORSEC permits Corellium's licensed users to create tailored virtual models of iPhones using iOS files after they download those files without charge or license restrictions from an Apple website.

Corellium licenses one version of CORSEC for use online in the cloud on its servers. A second version of this software enables licensed users to work with virtualized iOS software on hardware supplied by Corellium, which licensees use on their own premises.

Because Corellium recognizes some prospective users of CORSEC might use it for nefarious purposes, the company has established a vetting process to determine the bona fides of prospective users to whom it sells directly. Corellium retains the right and power to terminate users of the online version of the software if they misuse it. Its appeal brief attests that it has terminated some users for misusing CORSEC.

As CORSEC's users download the Apple iOS, CORSEC dynamically unpacks the files to enable the creation of a virtualized iOS for security research purposes. CORSEC provides tools with which users can, among other things, see and halt iOS running processes, modify the kernel, view system calls, and take live snapshots of iOS operations.

Corellium's customers include security researchers, private companies, federal agencies, and defense contractors.


What Is Fair Use?

Fair use is a defense to charges of copyright infringement in the U.S. To assess whether a challenged use of a copyrighted work is fair or unfair, the statute (codified as 17 U.S.C. § 107) directs courts to consider four non-exclusive factors: the purpose and character of the challenged use; the nature of the copyrighted work; the amount and substantiality of the use; and effects the challenged use will have on the market for or value of the copyrighted work.

Among the statutorily favored fair use purposes are research and scholarship. Courts also tend to favor fair use when the defendant has made what courts call "transformative" uses of the plaintiff's work, which includes making a copy of the plaintiff's work for a different purpose than the original author's purpose. Transformative uses are more likely to be fair than non-transformative uses, and noncommercial uses are more favored than commercial uses. However, the commerciality of a defendant's use may be mitigated if the use is transformative.

The nature-of-work factor generally focuses on the degree of expressiveness of the plaintiff's work. Artistic and fanciful works tend to be highly expressive, so it is generally more difficult to win fair use defenses involving such works. Fact-intensive and highly functional works tend, by contrast, to have a lesser quantum of expressive content. Hence, fair use may be easier to establish in cases involving such works.

Courts view the amount a defendant took from the plaintiff's work both in quantitative and qualitative terms. However, making a copy of the whole of another's work may be a fair use if this is reasonable in light of the defendant's transformative purpose, as when someone reverse-engineers software to discern its interfaces.

When the plaintiff's and defendant's works compete in the same or closely proximate markets, a defendant's copying of the plaintiff's work is likely to have a negative effect on the market for that work. When a defendant uses some or all of the plaintiff's work in a very different market, that tends to weigh in favor of fair use.


Apple's Claims

Apple claims that CORSEC routinely makes non-transformative copies of iOS software for a commercial purpose, merely transplanting the iOS software to a different medium. Moreover, CORSEC copies the whole of what Apple describes as its highly creative iOS software, as well as the colorful icons and wallpaper that the iOS displays when working within CORSEC's system. Apple claims the icons and wallpaper as a separately copyrightable part of the iOS software.

Apple argues this copying harms Apple's markets because Apple has developed a licensing market for iOS software customized for security researchers. It has also developed an iOS Simulator product to enable security researchers to study the iOS software. It further claims that CORSEC unfairly competes with that software. In addition, Apple argues that if Corellium continues to be able to exploit iOS in CORSEC, this will compete with Apple's forthcoming Xcode cloud offering that provides a virtualization alternative to CORSEC. Corellium thereby "dulls otherwise sharp incentives for developers to enroll in and pay for Apple's Developer Program, through which Apple distributes the iOS Simulator and plans to distribute iOS via the Xcode cloud."

Apple observes that CORSEC can be used for nefarious purposes and for purposes other than security research. Although CORSEC may be used by some legitimate security researchers, Apple points out that Corellium promotes CORSEC as a tool through which its customers can develop "exploits" to take advantage of security flaws in the iOS and sell those exploits to the highest bidder. Apple further complains that Corellium does not require its licensees to report security vulnerabilities to Apple.


Corellium's Defense

Corellium argues CORSEC has a very different purpose than Apple had when it created the iOS software to run on iPhones, and hence, it has a "transformative" purpose. One cannot, for instance, make telephone calls, send texts, or take photographs with the iOS software in its virtualized state. CORSEC "allows researchers to observe the otherwise inaccessible details of iOS functionality so they can understand how it works and what its vulnerabilities might be."

Because the iOS software is highly functional and CORSEC only uses it so that its customers can understand its functionality, Corellium contends that the nature-of-work factor supports its fair use defense.

Corellium points out it does not actually make copies of the iOS software. Rather, its customers do when they download iOS software from Apple and then when they use CORSEC to virtualize that software to study the iOS functionality. Yet even assuming that Corellium does make copies of Apple's software, doing so is necessary to "properly test and understand how an actual iPhone would perform in the hands of end users." This includes studying the graphical interface icons and wallpaper because "vulnerabilities can and do arise in unexpected places."

As for market harm, Corellium emphasizes all versions of the iOS software are available for download without charge and without license restrictions. CORSEC does not compete with iOS at all. Making CORSEC available to security researchers cannot have any effect on the market for or value of the iOS software. Besides, insofar as CORSEC has a transformatively different purpose than the iOS, courts consider only whether the defendant's work supplants demand for the original work. CORSEC does not do this.

The fact that Apple has developed or is developing other products that enable virtualization of iOS software is irrelevant. Only the market for the work being copied is relevant to Corellium's fair use defense. "If Apple makes other products that serve the same transformative purpose as CORSEC, that simply means Apple has elected to compete with Corellium in a different market, one in which Apple holds no lawful monopoly."

Although Apple insinuated Corellium encouraged unlawful uses of CORSEC, it presented no evidence of such misuse caused by CORSEC users. CORSEC users can, of course, develop exploits that they offer for sale to third parties, but exploits "can profitably be sold to Apple itself."

Corellium also argues that CORSEC has public benefits. Apple on its own, Corellium observes, cannot find all of the vulnerabilities in the iOS software. To the extent that CORSEC is used to identify vulnerabilities that Apple can then fix, it has beneficial uses. Moreover, "[t]hird-party security research also fosters public and developer confidence in the [Apple] platform, thereby encouraging developer investment in the ecosystem."

The trial court found Corellium's fair use defense to be persuasive on all points.


Amicus Briefs

In addition to the IP professor amicus curiae (friend of the court) brief mentioned earlier, a group of computer security researchers also filed a brief in support of Corellium, reinforcing the arguments made in Corellium's brief.

In addition, a computer scientist (CS) amicus curiae brief focused on the many benefits that flow from the ability to virtualize existing software. This brief speaks of virtualization as an "essential tool" that has been widely accepted as beneficial technology since the 1960s. Virtualization is "not just used to create virtual phones, but also to enable cloud computing, enhance hardware efficiency, allow cross-platform software usage, and test the security of the system."

Virtualization is a mature industry, says the CS brief, usually involving three players: the makers of the software being virtualized, developers of virtualization tools, and end users who employ the tools to study the virtualized software. Very often the developer of the software being virtualized has not granted permission for the virtualization to occur.

The purpose of virtualizing software is "to build new functionality on top of existing functionality." It is necessary, the CS brief says, to use the entire work to virtualize software. The virtualized version of software is not a substitute for or competitive with the unvirtualized version of the software.

For the appellate court to rule in Apple's favor in the Corellium case, the CS amici assert, "would create legal uncertainty over the entire field of virtualization and threaten multiple areas of research and industry."

The American Antitrust Institute, along with more than a dozen IP and antitrust scholars, filed an amicus curiae brief in support of Corellium. That brief urges the appellate court to reject Apple's overly broad interpretation of copyright law because doing so would cut off legitimate and valuable competition between Corellium and Apple in the market for software to enable virtualization of iPhones for security research purposes.

The antitrust brief points out that the public interest is served by the existence of software that enables independent security researchers to perform their work. Also in the public interest is the existence of a tool such as CORSEC that enables members of the public to "jailbreak" iPhones so their owners can obtain apps from sources other than Apple's app store. This promotes beneficial competition and ongoing innovation in the market for apps.

The antitrust brief recognizes "fair use allows creators to build upon existing works when developing new ones that are transformative and that serve different markets." It also prevents rightsholders "from expanding their limited exclusive rights beyond the legitimate scope of copyright and, in the process, unduly restraining competition, limiting innovation, and harming consumers."


Conclusion

I am optimistic that the appellate court will affirm the ruling in Corellium's favor, especially given that the Supreme Court's 2021 Google v. Oracle decision recognizes the important role of fair use in promoting competition and innovation in the software industry. The Google decision emphasized the role of fair use as a "context-based check that can help keep a copyright monopoly within bounds." It directed courts to consider the public benefits of a challenged use, not just the benefits to the copyright owner who wants to control the development of products that have a different purpose than their works.
