-
Design, Implementation, and Automation of a Risk Management Approach for Man-at-the-End Software Protection
Authors:
Cataldo Basile,
Bjorn De Sutter,
Daniele Canavese,
Leonardo Regano,
Bart Coppens
Abstract:
The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NI…
▽ More
The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed construct, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings.
△ Less
Submitted 27 March, 2023;
originally announced March 2023.
-
Man-at-the-End Software Protection as a Risk Analysis Process
Authors:
Daniele Canavese,
Leonardo Regano,
Cataldo Basile,
Bart Coppens,
Bjorn De Sutter
Abstract:
The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according…
▽ More
The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) of a decision support system that automates many activities in the risk analysis methodology towards the protection of software applications. Despite still being a prototype, the PoC validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox, and that it can actually assist decision making in industrially relevant settings
△ Less
Submitted 1 March, 2022; v1 submitted 14 November, 2020;
originally announced November 2020.
-
Assessment of Source Code Obfuscation Techniques
Authors:
Alessio Viticchié,
Leonardo Regano,
Marco Torchiano,
Cataldo Basile,
Mariano Ceccato,
Paolo Tonella,
Roberto Tiella
Abstract:
Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfusc…
▽ More
Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation.
△ Less
Submitted 7 April, 2017;
originally announced April 2017.
-
Ethical issues of ISPs in the modern web
Authors:
Leonardo Regano,
Ali Safari Khatouni,
Martino Trevisan,
Alessio Viticchie
Abstract:
In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements r…
▽ More
In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements retrievable through inspection of network traffic. Nevertheless, in some cases they can carry personal information about the users exposed to monitoring, and so generates several ethical issues. Modern web is very different from the one we could experience few years ago; web services converged to few protocols (i.e., HyperText Transfer Protocol (HTTP) and HTTPS) and always bigger share of encrypted traffic. The aim of this work is to provide an insight about which information is still visible to ISPs in the modern web and to what extent it carries personal information. We show ethical issues deriving by this new situation and provide general guidelines and best-practices to cope with the collection of network traffic measurements.
△ Less
Submitted 22 March, 2017;
originally announced March 2017.