Embed Size (px)
Citation preview
An Expert System forAutomatic Software Protection
Doctoral Program in Computer and Control Engineering
XXXI cycle
DAUIN – Department of Control and Computer Engineering
Leonardo Regano
Tutor:
Prof. Antonio Lioy
Cataldo Basile, Ph.D.
Coordinator:
Prof. Matteo Sonza Reorda
Why is software security needed?
• software is used in (almost) every aspect of everyday life• e-banking, entertainment, e-government and many more
• attacks on weakly or non-protected software have a great impact on software companies• loss of intellectual property• loss of revenues: 46 billions $ in 20181
• using unlicensed software is dangerous• malware usually contained in pirated software• disclosure of sensitive data and/or identity theft
12018 BSA Global Security Survey: https://gss.bsa.org/
1/19
Software protection techniques
• objective: safeguard security requirements of software assets• assets: algorithms IP, license schemes, users´ data…
• security requirements: confidentiality, integrity
• Man At The End (MATE) scenario• attacker has white-box access to application
• no perfect software protection exists• but protections can defer attacks
2/19
How to protect the software?
• protections decided and applied manually/empirically: several issues• long and complex vulnerability analysis
• high expertise needed to choose the best protections
• different platform+OS require different analysis
• an automatic approach? desirable• for the expert: can provide a good starting point
• for the beginner: one click and do everything
3/19
Expert system for Software Protection (ESP)
• objective: provide an optimal protection solution for a given application• decide protections best able to safeguard the application assets
• preserving the user experience
• can drive automatic protection tools• for a fully automated protection workflow
• implemented as a set of Eclipse plug-ins
4/19
Automated software protection workflow
Source code analysis
Risk assessment
Asset protection
Application source code
Asset hiding
Solution deployment
Protected binary Knowledge Base
Expert knowledge
Attacks against assets
Protection solutions
Application structure
Functions Variables
Call graph Assets
5/19
Automated software protection workflow
Source code analysis
Risk assessment
Asset protection
Application source code
Asset hiding
Solution deployment
Protected binary Knowledge Base
Expert knowledge
Attacks against assets
Protection solutions
Application structure
Protection techniques
Protection tools
Attack toolsAttacker profiles
Security requirements
Attack step types
5/19
Software security meta-model4
• formalizes all data handled by expert system• software security experts’
general knowledge• application-specific data• results of expert system
• OWL2 ontology
• classes and associations to describe:• application structure• assets and security
requirements• attacks against assets• protections
Datum Type
Code
Call
Call Parameter
File
Application Part
Datum
has type
accesses
refers to4C. Basile, D. Canavese, L. Regano, P. Falcarin, B. De Sutter, A meta-model for software protections andreverse engineering attacks, Journal of Systems and Software, Volume 150, 2019
6/19
Application Part
Security Requirement
Attack Path
Asset
threatens affects
Attacker Expertise
requires
Attack Step Type
Attack Tool
Attack Step
has
has type
implements
Software security meta-model4
• formalizes all data handled by expert system• software security experts’
general knowledge• application-specific data• results of expert system
• OWL2 ontology
• classes and associations to describe:• application structure• assets and security
requirements• attacks against assets• protections
4C. Basile, D. Canavese, L. Regano, P. Falcarin, B. De Sutter, A meta-model for software protections andreverse engineering attacks, Journal of Systems and Software, Volume 150, 2019
6/19
Software security meta-model4
• formalizes all data handled by expert system• software security experts’
general knowledge• application-specific data• results of expert system
• OWL2 ontology
• classes and associations to describe:• application structure• assets and security
requirements• attacks against assets• protections
enforces
Application Part
Security Requirement
Asset
Attack Step Type
ProtectionTool
ProtectionInstance
Protection
has
enforces mitigates
applied on
AppliedProt. Instance
Solution
has type
has type
4C. Basile, D. Canavese, L. Regano, P. Falcarin, B. De Sutter, A meta-model for software protections andreverse engineering attacks, Journal of Systems and Software, Volume 150, 2019
6/19
Risk assessment phase5
• infers possible attacks• on the unprotected application
• able to breach assets’ security requirements
• attack steps = simple attacker actions• expressed as Prolog inference rules
• attack paths = ordered sequences of attack steps• against actual assets
5L. Regano, D. Canavese, C. Basile, A. Viticchié, A. Lioy, Towards Automatic Risk Analysis and Mitigation of Software Applications, 2016 Workshop in Information Security Theory and Practice (WISTP), 2016
7/19
Risk assessment phase:attack paths
integrity of license_check() is breached
license_check() is changed skip license_check()
statically change license_check()
statically locate license_check()
dynamically change license_check()
dynamically locate license_check()
statically changemain()
statically locatemain()
dynamically change main()
dynamically locatemain()
8/19
Asset protection phase
• infers the optimal protection solution best able to defer attack paths
• takes into account:• structure of application• assets+security requirements• attack paths from risk assessment phase• interactions among protection techniques• protected application slow-down
• decision based on• experts knowledge• quantitative asset metrics (e.g. cyclomatic complexity)
9/19
Asset protection phase:protections vs. attacks
execution correctness of license_check() is breached
license_check() is changed skip license_check()
statically change license_check()
statically locate license_check()
dynamically change license_check()
dynamically locate license_check()
statically changemain()
statically locatemain()
dynamically change main()
dynamically locate main()
Anti-debugginglicense_check()
Anti-debuggingmain()
10/19
Asset protection phase:protections vs. attacks
execution correctness of license_check() is breached
license_check() is changed skip license_check()
statically change license_check()
statically locate license_check()
dynamically change license_check()
dynamically locate license_check()
statically changemain()
statically locatemain()
dynamically change main()
dynamically locate main()
Code mobilitylicense_check()
Code mobilitymain()
10/19
Asset protection phase:protections vs. attacks
execution correctness of license_check() is breached
license_check() is changed skip license_check()
statically change license_check()
statically locate license_check()
dynamically change license_check()
dynamically locate license_check()
statically changemain()
statically locatemain()
dynamically change main()
dynamically locate main()
SW attestationlicense_check()
SW attestationmain()
10/19
Asset protection phase:valid protection solutions
• must be able to defer all attack paths
• business logic of the application must remain unaltered
• ordering among protections applied on the same asset is important
• protected application slow-down must be below user-defined limits
11/19
Asset protection phase:game-theoretic approach
root1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack
attack
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack attack
attack
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack attack
attackattack
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack attack
attackattack
solution
1
2
Protection Index
Asset
12/19
Asset protection phase:game-theoretic approach
root
solution
attack attack
attackattack
solution
1
2
Protection Index
Asset
attack
12/19
Asset protection phase:game-theoretic approach
root
solution
attack attack
attackattack
solution
1
2
Protection Index
Asset
attack
attack
12/19
Asset protection phase:game-theoretic approach
root
solution solution solution
attackattackattack
attack attack attackattack attack
attackattack 1
attack
attack
12/19
Asset protection phase:game-theoretic approach
root
solutionoptimalsolution
solution
attackattack
attack
attack 1
attack
attack
12/19
Asset hiding phase6
• problem: software protections might expose a ''fingerprint''• fingerprints: code patterns, peculiar behaviors, etc.
• attackers locate assets looking for protection fingerprints
• solution: Asset Hiding (AH) phase• apply protections to hide fingerprints
• trade-off between fingerprint hiding and overhead
• state of the art: manually obfuscate as much code as possible
6L. Regano, D. Canavese, C. Basile, A. Lioy, Towards Optimally Hiding Protected Assets in Software Applications, 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2017
13/19
Fingerprint example:Control Flow Flattening
…
BB 2 BB 3
BB 4
BB 5
…
BB 1
14/19
Fingerprint example:Control Flow Flattening
…
loop head
BB 1 BB 2 BB 3
…
BB 4 BB 5
14/19
fingerprint
Fingerprint example:Control Flow Flattening
14/19
Asset hiding phase:strategies
• Asset Hiding strategies:• fingerprint replication• protected area enlargement• fingerprint shadowing
• deciding AH protections is difficult:• not all strategies are useful to
hide all protections• some strategies may lower AP
protections security• overhead must be taken into
account
asset
binary code
15/19
asset
Asset hiding phase:approach
• objective: maximize the confusion index• confusion index: how much the attacker is expected do be delayed
by the AH in finding the assets
• applying an AH protection increases the confusion index
• custom Mixed Integer-Linear problem• based on the well-known Knapsack Problem
• capacity constraints: overhead limits (e.g. CPU time, memory)
16/19
Validation by experts
• ESP tested on three real-life use-cases• OTP generator, application licensing scheme, DRM video player
• ESP results validated by software security experts• attack paths cover real attacks by tiger teams
• protection solutions effectively block attacks
• protection solutions leave applications business logic unaltered
• protection solutions introduce limited overhead
17/19
Experimental results
0
20
40
60
80
100
120
140
160
4 8 12 16 20
seco
nd
s
Protection Instances
Application A
Risk assessment
Asset protection
Asset hiding
Total
0
50
100
150
200
250
300
350
400
4 8 12 16 20
seco
nd
s
Protection Instances
Application B
0
500
1000
1500
2000
2500
3000
3500
4000
4500
5000
4 8 12 16 20
seco
nd
s
Protection Instances
Application C
Application SLOC Functions Assets
A 443 18 4
B 1029 47 15
C 3749 178 39
18/19
Conclusions and future work
• completely automated workflow for software protection• user must only identify assets and security requirements• infers attacks against assets• decides best protection to defer attacks• deploys protections by driving automatic protection tools
• results validated by software security experts
• future work: empirical assessment of software protections• master students asked to attack protected applications…• …to assess how much attackers are deferred by protections• useful data to drive ESP reasoning processes
19/19
Thank youfor your attention!
Questions?
