111 research outputs found

    Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?

    Software obfuscation has always been a controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.

    A Decision Framework Model for Migration into Cloud: Business, Application, Security and Privacy Perspectives

    Cloud computing offers a different, affordable approach for supporting the IT needs of organisations. However, despite the unprecedented benefits cloud migration may bring, there are numerous difficulties involved in moving business critical applications, legacy systems or corporate data into the cloud. It is necessary to consider a broad view over all business areas, and taking into account the technical and business minutiae of a full scale cloud migration, as well as the wider concerns of security, privacy and other business and technical risks. A detailed understanding of all these areas is required in order to make the correct decisions concerning cloud migration. This paper aims to take a broad view of the issues relating to migration. We propose a process model to identify risks and requirements, as well as to provide control assurance during the migration decision. We also define an outline migration strategy by focusing on the context of the organisation

    A Framework for Security Transparency in Cloud Computing

    Individuals and corporate users are persistently considering cloud adoption due to its significant benefits compared to traditional computing environments. The data and applications in the cloud are stored in an environment that is separated, managed and maintained externally to the organisation. Therefore, it is essential for cloud providers to demonstrate and implement adequate security practices to protect the data and processes put under their stewardship. Security transparency in the cloud is likely to become the core theme that underpins the systematic disclosure of security designs and practices that enhance customer confidence in using cloud service and deployment models. In this paper, we present a framework that enables a detailed analysis of security transparency for cloud based systems. In particular, we consider security transparency from three different levels of abstraction, i.e., conceptual, organisation and technical levels, and identify the relevant concepts within these levels. This allows us to provide an elaboration of the essential concepts at the core of transparency and analyse the means for implementing them from a technical perspective. Finally, an example from a real world migration context is given to provide a solid discussion on the applicability of the proposed framework

    Migration goals and risk management in cloud computing: A review of state of the art and survey results on practitioners

    Organizations are now seriously considering adopting cloud into the existing business context, but migrating data, application and services into cloud doesn’t come without substantial risks. These risks are the significant barriers for the wider cloud adoption. Cloud computing has obtained a lot of attention by both research and industry communities in recent years. There are works that consolidate the existing work on cloud migration and technology. However, there is no secondary study that consolidates the state of the art research and existing practice on risk management in cloud computing. It makes difficult to understand the risks management trend, maturity, and research gaps. This paper investigates the state of the art research and practices relating to risk management in cloud computing and discusses survey results on migration goals and risks. The survey participants are practitioners from both public and private organizations of two different locations, i.e., UK and Malaysia. We identify and classify the relevant literature and systematically compare the existing works and survey results. The results show that most of the existing works do not consider the existing organization and business context for the risk assessment only emphasize on security and privacy risks. Our study results also reveal that risk management in cloud computing research and practice is still not in a mature stage but gradually advancing. Our observation emphasizes the necessity of a comprehensive risk management framework to support the migration decision and to monitor the risks after migration. Finally, we propose a risk assessment approach based on the six prioritized cloud migration goals using analytic hierarchy process and determine the relative importance of these migration goals from two real migration use cases

    Governance, Risk & Compliance (GRC) Status Quo and Software Use: Results from A Survey Among Large Enterprises

    The focus on governance, risk and compliance (GRC) is steadily increasing as companies are facing increased risk and a growing number of legal, regulatory and other compliance requirements. Enterprises start to emphasise the integration and automation of GRC activities in order to efficiently manage them. This research evaluates how integrated GRC and GRC software are perceived and applied in large enterprises. Through a survey among large enterprises several key findings are derived. Even though integrated GRC is deemed useful and integration efforts are ongoing, many companies are unsure about the importance of an integrated approach. Half of organisations have deployed integrated GRC software that helps leverage the benefits of GRC. Solutions developed in-house are more often used than standard solutions. Participants are unsatisfied with their current reporting solutions. The authors recommend actions for research to follow up on each of the findings

    A Risk Management Framework for Cloud Migration Decision Support

    Managing risks is of paramount importance for enabling a widespread adoption of cloud computing. Users need to understand the risks associated with the process of migrating applications and data, so that appropriate mechanisms can be taken into consideration. However, risk management in cloud computing differs from risk management in a traditional computing environment due to the unique characteristics of the cloud and the users’ dependency on the cloud service provider for risk control. This paper presents a risk management framework to support users with cloud migration decisions. In particular, the framework enables users to identify risks, based on the relative importance of the migration goals and analyzed the risks with a semi-quantitative approach. This allows users to make accurate cloud migration decisions, based on specific migration scenarios. Our framework follows basic risk management principles and proposes a novel and structured process and a well-defined method for managing risks and making migration decisions. A practical migration use case about collaborative application such as e-mail and document migration is considered to demonstrate the applicability of our work. The results from the studied context show that risks in cloud computing mainly depend on the specific migration scenario and organization context. A cloud service provider is not alone responsible for mitigating all the risks; hence, depending on the type of risk, the cloud user is also responsible for risk mitigation

    Analyzing UTXO-Based Blockchain Privacy Threats

    While blockchain technologies leverage compelling characteristics in terms of decentralization, immutability, and transparency, user privacy in public blockchains remains a fundamental challenge that requires particular attention. This is mainly due to the history of all transactions being accessible and available to anyone, thus making it possible for an attacker to infer data about users that is supposed to remain private. In this paper, we provide a threat model of possible privacy attacks on users utilizing the Bitcoin blockchain. To this end, we followed the LINDDUN GO methodology to identify threats and suggest possible mitigation