In this paper, we present a new method to protect software against illegal acts of hacking. The key idea is to add a mechanism of self-modifying codes to the original program, so that the original program becomes hard to be analyzed. In the binary program obtained by the proposed method, the original code fragments we want to protect are camouflaged by dummy instructions. Then, the binary program autonomously restores the original code fragments within a certain period of execution, by replacing the dummy instructions with the original ones. Since the dummy instructions are completely different from the original ones, code hacking fails if the dummy instructions are read as they are. Moreover, the dummy instructions are scattered over the program, therefore, they are hard to be identified. As a result, the proposed method helps to construct highly invulnerable software without special hardware.
This paper presents a method to estimate the cost of mental (hand) simulation of programs. In mental simulation, human short-term memory is extensively used to recall and memorize values of variables. When the simulation reaches a variable reference, the simulation can be performed easily if the value is still remembered. However, if not, we have to backtrack the simulation until the value is obtained, which is time-consuming.Taking the above observation into consideration, we first present a model, called virtual mental simulation model (VMSM), which exploits a queue representing short-term memory. The VMSM takes one of the abstract processes recall or backtrack, depending on whether the variable is currently stored in the queue or not. Then, applying cost functions to the VMSM, we derive four dynamic metrics reflecting the cost of mental simulation.In our empirical study, the proposed VMSM metrics reveal that the backtrack process for non-constant variables gives a significant impact on the cost of mental simulation. Since the proposed method can be fully automated, it can provide a practical means to estimate the cost of mental simulation, which can be also used as a program comprehension measure.
SUMMARYThis paper presents a method in which program analysis by a malicious user (attacker) is made difficult by camouflaging (hiding) a large number of instructions contained in the program. In the proposed method, an arbitrary instruction (target) in the program is camouflaged by a different instruction. Using the self-modification mechanism in the program, the original instruction is restored only in a certain period during execution. Even if the attacker attempts an analysis of the range containing the camouflaged instruction, it is impossible for him to correctly understand the original behavior of the program unless he notices the existence of the routine that rewrites the target (restoring routine). In order to make the analysis a success, the range containing the restoring routine must be analyzed, and the attacker is forced to analyze a wider range of the program. The proposed method can easily be automated, and the number of targets can be specified arbitrarily according to the required degree of protection and the acceptable degradation of execution efficiency.
This paper presents a method to evaluate the risk of information leakage in software processes for security-sensitive applications. A software process is modeled as a series of subprocesses, each of which produces new work products from input products. Since a process is conducted usually by multiple developers, knowledge of work products is shared among the developers. Through the collaboration, a developer may share with others the knowledge of products that are not related to the process. We capture the transfer of such irrelevant product knowledge as information leakage in a software process. In this paper, we first formulate the problem of information leakage by introducing a formal software process model. Then, we propose a method to derive the probability that each developer d knows each work product p at a given process of software development. The probability reflects the possibility that someone leaked the knowledge of p to d. We also conduct three case studies to show the applicability of leakage to practical settings. In the case studies, we evaluate how the risk of information leakage is influenced by the collaboration among developers, the optimal developer assignment and the structure of the software process. As a result, we show that the proposed method provides a simple yet powerful means to perform quantitative analysis on information leakage in a security-sensitive software process.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.