33 research outputs found

    Evaluation Methodologies in Software Protection Research

    Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 572 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks.

    Hardware-assisted code obfuscation

    (With a summary in German.) Software obfuscation is a longstanding and open research challenge in computer security. While theoretical results indicate that provably secure obfuscation in general is impossible to achieve, many application areas (e.g. malware, commercial software, etc.) show that software obfuscation is indeed employed in practice. Still, it remains largely unexplored to what extent today's software obfuscation state-of-the-art can keep up with the progress in code analysis and where we stand in the arms race between attackers and defenders. The first part of this thesis thus analyzes how effective software obfuscation is in the presence of ever more sophisticated deobfuscation techniques and off-the-shelf code analysis tools. To this end, we develop a novel classification scheme for the resilience of different types of obfuscations in specific attack scenarios. The answer heavily depends on the goals of the attacker and his available resources. Even simple obfuscation techniques can be quite effective against analysis techniques employing pattern matching or static analysis, which explains the unbroken popularity of obfuscation among malware writers. Dynamic analysis methods, in particular if assisted by a human analyst, are much harder to cope with; this makes software obfuscation for the purpose of intellectual property protection highly challenging. The subsequent part of this thesis therefore concentrates on code obfuscation for the protection of intellectual property in software. Software diversification is an effective method for preventing that automated attacks developed against one instance of a program work against other instances (class break). However, distribution of diversified software is challenging as each copy has to be different. 
The second research problem we consider in this thesis is the development of a concept for software diversification which does not require the individual copies of the program to be different on the binary code layer and thus provides a solution to the distribution problem. We introduce a novel code obfuscation scheme that applies the concept of software diversification to the control flow graph of the software. Our approach makes dynamic reverse-engineering considerably harder as the information an attacker can retrieve from the analysis of a single run of the program with a certain input is useless for understanding the program's behavior on other inputs. While the resilience of code obfuscation remains unclear and ultimately depends only on available resources and patience of the attacker, hardware-based solutions (trusted computing) provide a wide range of protection mechanisms such as remote attestation and secure storage for secrets. However, until now almost no systematic research has been done on the interplay between hardware- and software-based protection mechanisms. The third research problem we tackle in this thesis is how code obfuscation can be assisted by lightweight hardware. We propose minimal modifications to Intel's AES-NI instruction set in order to make it suitable for application in software protection scenarios and use these modifications for parametrization of our control flow obfuscation scheme. The combined approach provides strong hardware-software binding and restricts the attack context to pure dynamic analysis, two major limiting factors of reverse-engineering. In the final part of this thesis, we focus on the problem of malware obfuscation. Recently, the concept of semantic-aware malware detection has been proposed in the literature. 
Instead of relying on a syntactic analysis (i.e., comparison of a program to pre-generated signatures of malware samples), semantic-aware malware detection tries to model the effects a malware sample has on the machine and thus does not depend on a specific syntactic implementation. For this purpose a model of the underlying machine is used. The fourth research problem we deal with in this thesis is the implementation of hidden functionality based on properties that are difficult to cover with a model of the hardware. We present COVERT COMPUTATION, a concept for the implementation of functionality in side effects of the microprocessor. We further give a comprehensive analysis of side effects in the x86 architecture and demonstrate the suitability of COVERT COMPUTATION for malware obfuscation.

    Editorial: Special issue on ARES 2022

    In the rapidly evolving landscape of technology, modern society critically relies on a multitude of complex and sophisticated systems. These technological solutions play an indispensable role in various aspects of our daily lives, from communication and transportation to healthcare and entertainment. Given their pervasive nature, it is crucial to explore research areas related to the availability, reliability, and security of these systems. The objective of this special issue is thus to collect innovative research contributions that tackle different open challenges related to the availability, reliability, and security of modern systems. In particular, this special issue was open to the authors of papers accepted at the 17th International Conference on Availability, Reliability, and Security (ARES 2022), which was held at the University of Vienna in Vienna, Austria. Since 2005, ARES has served as an important platform to exchange, discuss, and transfer knowledge related to various aspects of dependability. The 2022 edition has seen contributions tackling several important research topics, including: privacy, cloud security, web security, secure software, and malware detection, network and hardware security, awareness and incident response, threat intelligence and intrusion detection, cryptography, and authentication.

    Code Obfuscation against Static and Dynamic Reverse Engineering
