Software Protection Evaluation
Bjorn De Sutter
ISSISP 2017 – Paris
Software Protection Evaluation
• Four criteria (Collberg et al)
• Potency: confusion, complexity, manual effort
• Resilience: resistance against (automated) tools
• Cost: performance, code size
• Stealth: identification of (components of) protections
Resilience (Collberg et al, 1997)
Software Protection Evaluation (the same four criteria, with open questions)
• Four criteria (Collberg et al): criteria of what? for which task?
• Potency: confusion, complexity, manual effort. Effort by whom? How is it computed? For existing and for non-existing tools?
• Resilience: resistance against (automated) tools. Operated by whom? To achieve what?
• Cost: performance, code size. No other impacts on the software-development life cycle?
• Stealth: identification of (components of) protections. Where and when does this matter? Which identification techniques?
Lecture Overview
1. Protection vis-à-vis attacks
• attacks on what?
• attack and protection models
2. Qualitative Evaluation
3. Quantitative Evaluation
• complexity metrics
• tools
4. Human Experiments
What is being attacked?
Asset category | Security requirements | Examples of threats
Private data (keys, credentials, tokens, private info) | Confidentiality; Privacy; Integrity | Impersonation, illegitimate authorization; Leaking sensitive data; Forging licenses
Public data (keys, service info) | Integrity | Forging licenses; Impersonation
Unique data (tokens, keys, used IDs) | Confidentiality; Integrity | Service disruption, illegitimate access; Build emulators
Global data (crypto & app verification bootstrap keys) | Confidentiality; Integrity | Circumvent authentication
Traceable data/code (watermarks, finger-prints, traceable keys) | Non-repudiation | Make identification impossible
Code (algorithms, protocols, security libs) | Confidentiality | Reverse engineering
Application execution (license checks & limitations, authentication & integrity verification, protocols) | Execution correctness; Integrity | Circumvent security features (DRM); Out-of-context use, violating license terms
What is being attacked?
[Figure: an ASSET surrounded by layered PROTECTION 1 to PROTECTION 8 and ADDITIONAL CODE]
1. Attackers aim for assets; layered protections are only obstacles
2. Attackers need to find assets (by iteratively zooming in)
3. Attackers need tools & techniques to build a program representation, to analyze, and to extract features
4. Attackers iteratively build a strategy based on experience and on confirmed and revised assumptions, incl. on the path of least resistance
5. Attackers can undo, circumvent, or overcome protections with or without tampering with the code
Protection against MATE attacks
[Figure: the MATE attacker's toolbox: software analysis tools, FPGA, sampler, oscilloscope, developer boards, screwdriver, JTAG debugger]
Economics of MATE attacks
[Figure, built up over three slides: €/day plotted against time, with a curve for protection engineering cost and one for exploitation cost (exploitation time, a.k.a. identification time); the second slide adds diversity, the third adds renewability]
Attack Modelling: Attack Graphs (AND-OR Graphs)
• relate attack goal, subgoals, (and protections)
[Figure: AND-OR attack graph. The goal "Breaking checksum" is an AND of "Locate checksums", "Compare trace with binary" and "Forge correct checksum". An OR node offers the alternatives "Trace Data", "Trace App Process <-> O.S. interaction" and "Debug". The protection "Polymorphic selfcheckers" is drawn with a "thwarts" edge to one of the steps.]
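The AND-OR evaluation the slide describes, as an added example that is not from the slides or from Collberg et al.: the node labels are the slide's checksum-breaking graph, while the effort figures, the "Anti-debugging" protection and the choice of which step each protection thwarts are assumptions made for this illustration. AND nodes add up the effort of all their children, OR nodes take the cheapest child, and a thwarted step becomes infeasible, which shows why a protection on an AND branch blocks the whole goal while one on an OR branch only raises the price.

```python
import math
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

# Added example: a minimal AND-OR attack graph evaluator. Node labels come from
# the slide's checksum-breaking graph; effort values and the mapping from
# protections to the steps they thwart are constructed assumptions.

@dataclass(frozen=True)
class Step:
    name: str
    effort: float  # constructed estimate (attacker-days)

Node = Union["Goal", Step]

@dataclass(frozen=True)
class Goal:
    name: str
    kind: str  # "AND": all children needed; "OR": any one child suffices
    children: Tuple[Node, ...]

# Alternatives for locating the checksum code (OR node, slide labels).
LOCATE_CHECKSUMS = Goal("Locate checksums", "OR", (
    Step("Trace data", 3.0),
    Step("Trace app process <-> O.S. interaction", 5.0),
    Step("Debug", 1.0),
))

# Top-level goal (AND node, slide labels).
BREAK_CHECKSUM = Goal("Breaking checksum", "AND", (
    LOCATE_CHECKSUMS,
    Step("Compare trace with binary", 2.0),
    Step("Forge correct checksum", 1.0),
))

# Assumed "thwarts" edges: which steps a protection makes infeasible.
# "Anti-debugging" is not on the slide; it is added to show the OR case.
PROTECTIONS = {
    "Polymorphic selfcheckers": {"Forge correct checksum"},
    "Anti-debugging": {"Debug"},
}

def min_effort(node: Node, thwarted: Set[str]) -> Tuple[float, List[str]]:
    """Minimal effort to reach `node`, plus the leaf steps that achieve it.

    A thwarted step costs infinity. An AND node sums its children (every
    subgoal is required); an OR node takes the cheapest child.
    """
    if isinstance(node, Step):
        if node.name in thwarted:
            return math.inf, []
        return node.effort, [node.name]
    results = [min_effort(child, thwarted) for child in node.children]
    if node.kind == "AND":
        total = sum(cost for cost, _ in results)
        if math.isinf(total):
            return math.inf, []
        return total, [s for _, steps in results for s in steps]
    return min(results, key=lambda r: r[0])

def evaluate(goal: Goal, active_protections: List[str]) -> Tuple[float, List[str]]:
    """Evaluate `goal` against the set of deployed protections."""
    thwarted: Set[str] = set().union(*(PROTECTIONS[p] for p in active_protections))
    return min_effort(goal, thwarted)

if __name__ == "__main__":
    for deployed in ([], ["Anti-debugging"], ["Polymorphic selfcheckers"]):
        cost, path = evaluate(BREAK_CHECKSUM, deployed)
        label = ", ".join(deployed) or "no protection"
        print(f"{label}: effort = {cost}, via {path}")
```

Running it unprotected gives a total of 4.0 through "Debug"; deploying the assumed anti-debugging only diverts the attacker to "Trace data" (6.0), whereas thwarting "Forge correct checksum" on the AND branch makes the goal infeasible in this model.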
Attack Modelling: Petri Nets (Wang et al, 2012)
• Model attack paths
• places are reached subgoals (with properties)
• transitions are attack steps
• can model AND-OR
• can be simulated for protected and unprotected applications
[Figure: Petri net with places p0 to p5 and transitions t0 to t4]
Attack Modelling: Petri Nets
• What is the outcome of a transition?
  • Identification of a feature or asset?
  • Simplified program (representation)
  • Tampered program
  • Reduced search space
  • Analysis result
• What determines effort?
  • What code fragments are relevant?
  • Generic attack steps vs. concrete attack steps?
  • How to aggregate information?
    • Effort
    • Probability of success
• How to build the Petri Net? (backward reasoning & knowledge base)
[Figure: the same Petri net, places p0 to p5 and transitions t0 to t4]
Example attack: One-Time Password Generator (P. Falcarin)
• Step 1: get working provisioning & OTP generation
[Figure (attack tree): bypass PIN code (tampering); identify PIN code (static or dynamic); steal PIN code (injection)]
Example attack: One-Time Password generator (P. Falcarin)
• Step 2: retrieve seed of OTP generation
• during OTP generation
[Figure (attack tree) nodes: isolate XOR chain; isolate OTP; observe seed generation. Techniques shown: structural matching; code debugging; debugging]
Example attack: One-Time Password generator (P. Falcarin)
• Step 2: retrieve seed of OTP generation
• alternatively, during provisioning
[Figure (attack tree) nodes: T7: identify AES code (dynamic analysis) on the untampered, reinstalled app; observe seed (debugging); dummy; identify AES code (dynamic analysis). Preparation: fake server (T4); tampering for multiple runs (T5)]
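A runnable version of the Petri-net attack model described on the "Attack Modelling: Petri Nets" slides, applied to the OTP-generator example above. This is an added example, not the net of Wang et al. or the analysis by P. Falcarin: the step names follow the slides' labels, but which subgoals each step requires, the effort and success-probability values, the capability each protection removes, and the sum/product aggregation are all assumptions of this example. Places are reached subgoals, a transition with several input places expresses an AND, several transitions into the same place express an OR, and "simulating for protected and unprotected applications" is done by removing the transitions a protection blocks and enumerating the remaining firing sequences.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Added example: a small Petri-net attack model (places = reached subgoals,
# transitions = attack steps). Step names echo the OTP-generator example; the
# subgoal structure, effort and probability figures, and the capability each
# protection removes are constructed assumptions for this illustration.

@dataclass(frozen=True)
class Transition:
    name: str
    inputs: FrozenSet[str]     # places that must hold a token (AND of subgoals)
    outputs: FrozenSet[str]    # places marked after firing
    effort: float              # constructed, attacker-days
    p_success: float           # constructed
    needs: FrozenSet[str]      # attacker capability the step relies on

def step(name: str, ins: Iterable[str], outs: Iterable[str],
         effort: float, p: float, needs: Iterable[str] = ()) -> Transition:
    return Transition(name, frozenset(ins), frozenset(outs), effort, p, frozenset(needs))

# Places: "app" (attacker has the app), "pin" (PIN known or bypassed),
# "fake_server" (provisioning can be replayed), "seed" (the asset).
# Steps that only read a resource list it in both inputs and outputs (self-loop).
NET: List[Transition] = [
    step("bypass PIN code (tampering)",           ["app"], ["app", "pin"], 2.0, 0.9, ["tampering"]),
    step("identify PIN code (static/dynamic)",    ["app"], ["app", "pin"], 3.0, 0.7, ["analysis"]),
    step("steal PIN code (injection)",            ["app"], ["app", "pin"], 1.0, 0.5, ["injection"]),
    step("preparation: fake server (T4)",         ["app"], ["app", "fake_server"], 2.0, 0.95),
    step("observe seed generation (debugging)",   ["app", "pin"], ["app", "pin", "seed"], 4.0, 0.8, ["debugging"]),
    step("identify AES code during provisioning", ["app", "fake_server"], ["app", "fake_server", "seed"], 5.0, 0.6, ["analysis"]),
]
INITIAL: FrozenSet[str] = frozenset({"app"})
GOAL = "seed"

# Assumed effect of protections: each removes one attacker capability.
PROTECTIONS: Dict[str, Set[str]] = {
    "anti-debugging": {"debugging"},
    "anti-tampering": {"tampering"},
}

def attack_paths(net, marking, blocked, seen=None, path=()):
    """Enumerate firing sequences from `marking` to a marking containing GOAL.
    The net is treated as safe (a place holds at most one token), so a marking
    is a set of places; a firing that repeats a marking on the path is pruned."""
    seen = seen or frozenset({marking})
    if GOAL in marking:
        yield path
        return
    for t in net:
        if t.needs & blocked or not t.inputs <= marking:
            continue
        new = (marking - t.inputs) | t.outputs
        if new in seen:
            continue
        yield from attack_paths(net, new, blocked, seen | {new}, path + (t,))

def aggregate(path):
    """Aggregation choice of this example: total effort is the sum of step
    efforts; success probability is the product of step probabilities."""
    effort = sum(t.effort for t in path)
    prob = 1.0
    for t in path:
        prob *= t.p_success
    return effort, prob, [t.name for t in path]

def cheapest_attack(active_protections):
    """Cheapest (effort, probability, steps) path to the asset, or None."""
    blocked = set().union(*(PROTECTIONS[p] for p in active_protections))
    paths = [aggregate(p) for p in attack_paths(NET, INITIAL, blocked)]
    return min(paths, key=lambda r: r[0]) if paths else None

if __name__ == "__main__":
    for deployed in ([], ["anti-debugging"], ["anti-debugging", "anti-tampering"]):
        print(", ".join(deployed) or "unprotected", "->", cheapest_attack(deployed))
```

Under these assumed numbers the unprotected app falls to "steal PIN code" followed by "observe seed generation" at effort 5.0; the assumed anti-debugging removes that step and the cheapest remaining path is the provisioning route via the fake server at 7.0, which is the kind of comparison the slides ask the simulation to deliver.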
Lecture Overview
1. Protection vis-à-vis attacks
• attacks on what?
• attack and protection models
2. Qualitative Evaluation
3. Quantitative Evaluation
• complexity metrics
• tools
4. Human Experiments
25 Years of Software Obfuscation – Can It Keep Pace with Progress in Code Analysis? (Schrittwieser et al, 2013)