Showing 1–4 of 4 results for author: Regano, L

Design, Implementation, and Automation of a Risk Management Approach for Man-at-the-End Software Protection

Authors: Cataldo Basile, Bjorn De Sutter, Daniele Canavese, Leonardo Regano, Bart Coppens

Abstract: The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NI… ▽ More The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed construct, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings. △ Less

Submitted 27 March, 2023; originally announced March 2023.

Comments: Preprint submitted to Computers & Security. arXiv admin note: substantial text overlap with arXiv:2011.07269

Man-at-the-End Software Protection as a Risk Analysis Process

Authors: Daniele Canavese, Leonardo Regano, Cataldo Basile, Bart Coppens, Bjorn De Sutter

Abstract: The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according… ▽ More The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) of a decision support system that automates many activities in the risk analysis methodology towards the protection of software applications. Despite still being a prototype, the PoC validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox, and that it can actually assist decision making in industrially relevant settings △ Less

Submitted 1 March, 2022; v1 submitted 14 November, 2020; originally announced November 2020.

Assessment of Source Code Obfuscation Techniques

Authors: Alessio Viticchié, Leonardo Regano, Marco Torchiano, Cataldo Basile, Mariano Ceccato, Paolo Tonella, Roberto Tiella

Abstract: Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfusc… ▽ More Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation. △ Less

Submitted 7 April, 2017; originally announced April 2017.

Comments: Post-print, SCAM 2016

Ethical issues of ISPs in the modern web

Authors: Leonardo Regano, Ali Safari Khatouni, Martino Trevisan, Alessio Viticchie

Abstract: In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements r… ▽ More In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements retrievable through inspection of network traffic. Nevertheless, in some cases they can carry personal information about the users exposed to monitoring, and so generates several ethical issues. Modern web is very different from the one we could experience few years ago; web services converged to few protocols (i.e., HyperText Transfer Protocol (HTTP) and HTTPS) and always bigger share of encrypted traffic. The aim of this work is to provide an insight about which information is still visible to ISPs in the modern web and to what extent it carries personal information. We show ethical issues deriving by this new situation and provide general guidelines and best-practices to cope with the collection of network traffic measurements. △ Less

Submitted 22 March, 2017; originally announced March 2017.

Comments: 9 pages, 3 figures