The ASPIRE Framework for Software Protection

Sutter, Bjorn De; Basile, Cataldo; Ceccato, Mariano; Falcarin, Paolo; Zunke, Michael; Wyseur, Brecht; d'Annoville, Jerome

doi:10.1145/2995306.2995316

Cited by 5 publications

(7 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We do confirm, however, that all attacks considered as relevant in the scope of the ASPIRE project by both its academic and its industrial partners, are covered by our meta-model. From this discussion, and from the final validation report [43] of the ASPIRE project, we conclude that requirements R1-R6 are met with respect to the concepts and relations considered relevant in the scope of the ASPIRE project.…”

Section: Validation On Software Protection Tool Chainmentioning

confidence: 81%

“…Security experts from the industrial partners determined the assets in the C code, as well as their security requirements. A pseudonomynous list of them can be found in Section 5 of the ASPIRE Validation Report [43]. The security experts, together with the developers of the ACTC, then also determined which configurations of protections have to be deployed on each asset to achieve sufficient protection against attacks on the assets.…”

Section: Validation Of Work Flow On Industrial Use Casesmentioning

confidence: 99%

See 1 more Smart Citation

A meta-model for software protections and reverse engineering attacks

Basile

Canavese

Regano

et al. 2019

Journal of Systems and Software

Self Cite

View full text Add to dashboard Cite

Software protection techniques are used to protect valuable software assets against man-at-the-end attacks. Those attacks include reverse engineering to steal confidential assets, and tampering to break the software's integrity in unauthorized ways. While their ultimate aims are the original assets, attackers also target the protections along their attack path. To allow both humans and tools to reason about the strength of available protections (and combinations thereof) against potential attacks on concrete applications and their assets, i.e., to assess the true strength of layered protections, all relevant and available knowledge on the relations between the relevant aspects of protections, attacks, applications, and assets need to be collected, structured, and formalized. This paper presents a software protection meta-model that can be instantiated to construct a formal knowledge base that holds precisely that information. The presented meta-model is validated against existing models and taxonomies in the domain of software protection, and by means of prototype tools that we developed to help non-modelling-expert software defenders with populating a knowledge base and with extracting and inferring practically useful information from it. All discussed tools are available as open source, and we evaluate their use as part of a software protection work flow on an open source application and industrial use cases.

show abstract

Section: Validation On Software Protection Tool Chainmentioning

confidence: 81%

Section: Validation Of Work Flow On Industrial Use Casesmentioning

confidence: 99%

A meta-model for software protections and reverse engineering attacks

Basile

Canavese

Regano

et al. 2019

Journal of Systems and Software

Self Cite

View full text Add to dashboard Cite

show abstract

“…Tigress [11] and ASPIRE framework [6] are source code level obfuscation tools published in academic research. These are source-to-source obfuscators that also contain controlflow obfuscation techniques.…”

Section: A Source-level Obfuscation Techniquesmentioning

confidence: 99%

“…This paper considers two locations for obfuscation techniques in software: at the source code level and the binary level-or both [6] 1 . When distributors need to disseminate source code of a piece of software, it is likely that source code, or source-level, obfuscation will be applied.…”

Section: Introductionmentioning

confidence: 99%

SCORE: Source Code Optimization & REconstruction

Suk

Lee

2020

IEEE Access

View full text Add to dashboard Cite

The main goal of obfuscation is to make software difficult to analyze. Although obfuscation is one useful method to protect programs, the ability to analyze malware is greatly reduced if used for malicious purposes. The obfuscation technique is most applicable at the binary level, but it can also be applied at the source code level. Although source-level techniques can be applied regardless of the target platform, these are often optimized and eliminated during compilation. However, when controlflow obfuscation is applied at the source code level, removal is not possible. When applied for malicious purposes, the ability to analyze the source code and compiled binary code is greatly reduced. To date, no research has presented a method that increases the readability of source code or the ability to analyze compiled binaries via optimization at the source level. In this paper, we select a very powerful obfuscation tool that provides options, including control-flow obfuscation, at the source level. The result of our research is a tool that outputs optimized source code and performs control-flow reconstruction as preprocessing, which increases readability even when control-flow obfuscation has been applied. The results also suggest an improvement in the ability to analyze binary code. As a result, more than 70% of the source code can be optimized at the source level, and the control-flow graph can be serialized. The optimized source code compiles more concise binary code even if no compiler optimizations are applied. Finally, the paper concludes by presenting the results of a module that prevents deobfuscation through code tampering (preventive obfuscation) at the source code level.

show abstract

“…anti-debugging, which makes more difficult to perform dynamic analysis by attaching a trusted debugger, preventing attackers from using their own [2]; -algorithm hiding, a set of obfuscation techniques against the reverse engineering, protecting a code's confidentiality and understandability [3]; -call stack checks, which verifies the execution correctness by checking that functions are called in the right order [4]; -barrier slicing, which enforces the integrity of data and code areas by moving them to a trusted server where they will be executed [5]; -code guards, which are checks added in an application to detect and react to integrity breaches [6]; -code mobility, which protects application parts from reverse engineering and analysis by removing them from the application to be installed at run time when they need to be executed [7]; -data hiding, which involves altering the data structures and the functions' data flow for ensuring data confidentiality [8]; -remote attestation, which protects application integrity by forcing the application to periodically send integrity proofs to a verification server [9].…”

Section: Approachmentioning

confidence: 99%

Towards Automatic Risk Analysis and Mitigation of Software Applications

Regano

Canavese

Basile

et al. 2016

Information Security Theory and Practice

Self Cite

View full text Add to dashboard Cite

This paper proposes a novel semi-automatic risk analysis approach that not only identifies the threats against the assets in a software application, but it is also able to quantify their risks and to suggests the software protections to mitigate them. Built on a formal model of the software, attacks, protections and their relationships, our implementation has shown promising performance on real world applications. This work represents a first step towards a user-friendly expert system for the protection of software applications.

show abstract

The ASPIRE Framework for Software Protection

Cited by 5 publications

References 0 publications

A meta-model for software protections and reverse engineering attacks

A meta-model for software protections and reverse engineering attacks

SCORE: Source Code Optimization & REconstruction

Towards Automatic Risk Analysis and Mitigation of Software Applications

Contact Info

Product

Resources

About