30 research outputs found

    Towards a unified software attack model to assess software protections

    Attackers can tamper with programs to break usage conditions. Different software protection techniques have been proposed to limit the possibility of tampering. Some of them just limit the possibility to understand the (binary) code, others react more actively when a change attempt is detected. However, the validation of the software protection techniques has been always conducted without taking into consideration a unified process adopted by attackers to tamper with programs. In this paper we present an extension of the mini-cycle of change, initially proposed to model the process of changing program for maintenance, to describe the process faced by an attacker to defeat software protections. This paper also shows how this new model should support a developer when considering what are the most appropriate protections to deplo

    Reactive attestation : automatic detection and reaction to software tampering attacks

    Anti-tampering is a form of software protection conceived to detect and avoid the execution of tampered programs. Tamper detection assesses programs’ integrity with load- or execution-time checks. Avoidance reacts to tampered programs by stopping or rendering them unusable. General purpose reactions (such as halting the execution) stand out like a lighthouse in the code and are quite easy to defeat by an attacker. More sophisticated reactions, which degrade the user experience or the quality of service, are less easy to locate and remove but are too tangled with the program’s business logic, and are thus difficult to automate by a general purpose protection tool. In the present paper, we propose a novel approach to anti-tampering that (i) fully automatically applies to a target program, (ii) uses Remote Attestation for detection purposes and (iii) adopts a server-side reaction that is difficult to block by an attacker. By means of Client/Server Code Splitting, a crucial part of the program is removed from the client and executed on a remote trusted server in sync with the client. If a client program provides evidence of its integrity, the part moved to the server is executed. Otherwise, a server-side reaction logic may (temporarily or definitely) decide to stop serving it. Therefore, a tampered client application cannot continue its execution. We assessed our automatic protection tool on a case study Android application. Experimental results show that all the original and tampered executions are correctly detected, reactions are promptly applied, and execution overhead is on an acceptable level

    Empirical assessment of the effort needed to attack programs protected with client/server code splitting

    Context. Code hardening is meant to fight malicious tampering with sensitive code executed on client hosts. Code splitting is a hardening technique that moves selected chunks of code from client to server. Although widely adopted, the effective benefits of code splitting are not fully understood and thoroughly assessed. Objective. The objective of this work is to compare non protected code vs. code splitting protected code, considering two levels of the chunk size parameter, in order to assess the effectiveness of the protection - in terms of both attack time and success rate - and to understand the attack strategy and process used to overcome the protection. Method. We conducted an experiment with master students performing attack tasks on a small application hardened with different levels of protection. Students carried out their task working at the source code level. Results. We observed a statistically significant effect of code splitting on the attack success rate that, on the average, was reduced from 89% with unprotected clear code to 52% with the most effective protection. The protection variant that moved some small-sized code chunks turned out to be more effective than the alternative moving fewer but larger chunks. Different strategies were identified yielding different success rates. Moreover, we discovered that successful attacks exhibited different process w.r.t. failed ones. Conclusions. We found empirical evidence of the effect of code splitting, assessed the relative magnitude, and evaluated the influence of the chunk size parameter. Moreover, we extracted the process used to overcome such obfuscation technique

    Software Attestation with Static and Dynamic Techniques

    The abstract is in the attachment

    On the impossibility of effectively using likely-invariants for software attestation purposes

    Invariants monitoring is a software attestation technique that aims at proving the integrity of a running application by checking likely-invariants, which are statistically significant predicates inferred on variables’ values. Being very promising, according to the software protection literature, we developed a technique to remotely monitor invariants. This paper presents the analysis we have performed to assess the effectiveness of our technique and the effectiveness of likely-invariants for software attestation purposes. Moreover, it illustrates the identified limitations and our studies to improve the detection abilities of this technique. Our results suggest that, despite further studies and future results may increase the efficacy and reduce the side effects, software attestation based on likely-invariants is not yet ready for the real world. Software developers should be warned of these limitations, if they could be tempted by adopting this technique, and companies developing software protections should not invest in development without also investing in further research

    Configuring embedded and mobile devices based on solving an optimization problem.

    The paper encompasses design and analysis of combined protection mechanisms applied to complex communication systems containing embedded and mobile devices. A notion of configuration is proposed in order to represent a combination of particular security building blocks deployed to support security of the device as well as software services it provides. Starting from functional and non-functional properties of specific building blocks the optimization problem allows arranging the search of the most effective configuration. Effectiveness evaluation of the configuring approach is conducted by means of its comparing with alternative configuring strategies, including "manual" configuring scenarios realized by an operator of the system without using any automated tools for enumeration and evaluation of configurations. The study addresses the design and analysis of combined protection mechanisms for complex communication systems with embedded and mobile devices. The paper introduces the notion of a device configuration, which is a combination of protection components deployed to support the security of the device and of the software services it provides. The most effective configuration is sought by solving an optimization problem that takes into account the functional and non-functional properties of the individual protection components. The effectiveness of the proposed configuring approach is analysed experimentally by comparing it with alternative configuring strategies. In particular, it is compared with the "arbitrary configuring" strategy, which represents a scenario of "manual" configuring carried out by a system operator without automated tools for enumerating and evaluating possible configurations

    Evaluation Methodologies in Software Protection Research

    Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 572 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks

    Digital Transformation in Transport, Construction, Energy, Government and Public Administration

    This report provides an analysis of digital transformation (DT) in a selection of policy areas covering transport, construction, energy, and digital government and public administration. DT refers in the report to the profound changes that are taking place in all sectors of the economy and society as a result of the uptake and integration of digital technologies in every aspect of human life. Digital technologies are having increasing impacts on the way of living, of working, on communication, and on social interaction of a growing share of the population. DT is expected to be a strategic policy area for a number of years to come and there is an urgent need to be able to identify and address current and future challenges for the economy and society, evaluating impact and identifying areas requiring policy intervention. Because of the very wide range of interrelated domains to be considered when analysing DT, a multidisciplinary approach was adopted to produce this report, involving experts from different domains. For each of the four sectors that are covered, the report presents an overview of DT, DT enablers and barriers, its economic and social impacts, and concludes with the way forward for policy and future research. JRC.B.6-Digital Econom

    Water in the Arab World

    This volume is intended to serve as a water handbook. It represents the collective knowledge about water resources management acquired over recent years, both within the World Bank water team and with counterparts working in the Arab countries of North Africa and the Middle East (MNA). The chapters offer a cornucopia of ideas and themes. Some chapters are based on background papers prepared for the 2007 "MNA Development Report on Water." Others draw on sector work prepared at the request of client countries. Yet others summarize observations based on study tours or other learning events sponsored by the World Bank. Upon reviewing this lodestone of embedded knowledge, we realized that bringing together our observations and analyses could serve a useful purpose for public officials, other practitioners, academics, and students who are interested in learning more about the complexities of managing water resources management in one of the driest parts of the world