Code Renewability for Native Software Protection

Abrath, Bert; Coppens, Bart; Broeck, Jens Van den; Wyseur, Brecht; Cabutto, Alessandro; Falcarin, Paolo; Sutter, Bjorn De

doi:10.1145/3404891

Cited by 4 publications

(2 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is particularly the case when irregular communication patterns can be linked to unauthorized activities such as running multiple copies in parallel or executing program fragments in a debugger in orders or frequencies not consistent with authorized uses. Such patterns can occur from communications present in the original applications, or from online SPs such as code renewability [2] and client-server code splitting [19]. Importantly, the use of non-monitoring communication does not require the implementation of reaction mechanisms in the protected application to be effective.…”

Section: Risk Monitoring Of the Released Applicationmentioning

confidence: 99%

“…It is based on a survey among the developers of all protections integrated in the ASPIRE project [6], whom we asked to score the impact of their protections on a range of attack activities in terms of concrete, clearly differentiated forms of impacts. These include impact on human comprehension difficulty by increasing code complexity, impact by moving relevant code fragments from the client-side software to a secure server not under control of an attacker [2,16,73], impact on difficulty of tampering through anti-tampering techniques with different reaction mechanisms and present monitoring capabilities [73], and impact of preventive protections such as anti-debugging [1,3]. The survey results were complemented with security expert feedback, and validated in pen test experiments with professional and amateur pen testers [20,21].…”

Section: Risk Mitigationmentioning

confidence: 99%

See 1 more Smart Citation

Man-at-the-End Software Protection as a Risk Analysis Process

Canavese¹,

Regano²,

Basile³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, and security-through-obscurity is omnipresent in this field. In this paper, we present a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the risk management activities, to instigate the necessary actions for adoption. We highlight the open issues that the research community has to address. We discuss the benefits that such an approach can bring to all stakeholders, from software developers to protections designers, and for the security of all the citizens. In addition, we present a Proof of Concept (PoC) of a decision support system that automates the risk analysis methodology towards the protection of software applications. Despite being in an embryonic stage, the PoC proved during validation with industry experts that several aspects of the risk management process can already be formalized and that it is an excellent starting point for building an industrial-grade decision support system. CCS Concepts: • Security and privacy → Software security engineering; • Information systems → Decision support systems; • Software and its engineering → Risk management; Software reverse engineering; • General and reference → Computing standards, RFCs and guidelines.

show abstract

Section: Risk Monitoring Of the Released Applicationmentioning

confidence: 99%

Section: Risk Mitigationmentioning

confidence: 99%

Man-at-the-End Software Protection as a Risk Analysis Process

Canavese¹,

Regano²,

Basile³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Design, implementation, and automation of a risk management approach for man-at-the-End software protection

Basile

Sutter

Canavese

et al. 2023

Computers & Security

View full text Add to dashboard Cite

Evaluation Methodologies in Software Protection Research

De Sutter,

Schrittwieser,

Coppens

et al. 2024

ACM Comput. Surv.

View full text Add to dashboard Cite

Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 571 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks and formulate a number of concrete recommendations for improving the evaluations reported in future research papers.

show abstract

Code Renewability for Native Software Protection

Cited by 4 publications

References 47 publications

Man-at-the-End Software Protection as a Risk Analysis Process

Man-at-the-End Software Protection as a Risk Analysis Process

Design, implementation, and automation of a risk management approach for man-at-the-End software protection

Evaluation Methodologies in Software Protection Research

Contact Info

Product

Resources

About