How Professional Hackers Understand Protected Code while Performing Attack Tasks

Ceccato, Mariano; Tonella, Paolo; Basile, Cataldo; Coppens, Bart; Sutter, Bjorn De; Falcarin, Paolo; Torchiano, Marco

doi:10.1109/icpc.2017.2

Cited by 29 publications

(27 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To measure intercoder reliability, we used Krippendorff's Alpha (α), as it accounts for chance agreements [67]. 2 After each round, the coders resolved any differences, updated the codebook as necessary, and re-coded previously coded interviews. The coders repeated this process four times until they achieved an α of 0.8, which is above the recommended level for exploratory studies [67,69].…”

Section: Discussionmentioning

confidence: 99%

An Observational Investigation of Reverse Engineers' Process and Mental Models

Votipka

Rabin

Micinski

et al. 2019

Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Reverse engineering is a complex process essential to software-security tasks such as vulnerability discovery and malware analysis. Significant research and engineering effort has gone into developing tools to support reverse engineers. However, little work has been done to understand the way reverse engineers think when analyzing programs, leaving tool developers to make interface design decisions based only on intuition.This paper takes a first step toward a better understanding of reverse engineers' processes, with the goal of producing insights for improving interaction design for reverse engineering tools. We present the results of a semi-structured, observational interview study of reverse engineers (N=16). Each observation investigated the questions reverse engineers ask as they probe a program, how they answer these questions, and the decisions they make throughout the reverse engineering process. From the interview responses, we distill a model of the reverse engineering process, divided into three phases: overview, sub-component scanning, and focused experimentation. Each analysis phase's results feed the next as reverse engineers' mental representations become more concrete. We find that reverse engineers typically use static methods in the first two phases, but dynamic methods in the final phase, with experience playing large, but varying, roles in each phase. Based on these results, we provide five interaction design guidelines for reverse engineering tools.

show abstract

Section: Discussionmentioning

confidence: 99%

An Observational Investigation of Reverse Engineers' Process and Mental Models

Votipka

Rabin

Micinski

et al. 2019

Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…Different metrics are used to measure various security requirements [22], and similarly code metrics have also been a common approach to measure obfuscation strength [23] or by calculating their potency [3]. Other approaches have been proposed to measure the attacker effort increased by obfuscation by means of controlled experiments with students [23], penetration testers [24] or public challenges [25], while other works tried to represent the attacker effort with modelling approaches based on Petri nets [26] [27], or an ontology of attacks and protections [28].…”

Section: Related Workmentioning

confidence: 99%

Analysis of Obfuscated Code with Program Slicing

Talukder

Islam

Falcarin

2019

2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

View full text Add to dashboard Cite

In Man-At-The-End (MATE) attacks, software apps run on a device under full control of the attackers: they can violate the intellectual property of the app by means of malicious reverse engineering, software piracy, and software tampering. Obfuscation is a technique that is widely adopted by developers to mitigate this problem. Obfuscation increases complexity of software code, by obscuring the structure of code and data in order to thwart the reverse engineering process. However, it is possible to reverse engineer obfuscated code with time, determination and the right tools. In general, there is no accepted methodology to determine the strength of obfuscated code; however resilience is often considered a good metric as it indicates the percentage of obfuscated code that cannot be removed by automated de-obfuscation tools. We introduce a novel approach to measure the resilience of obfuscated C code using program slicing. Given a variable of interest, that might be part of a code region used to manipulate a crypto key or a license number, program slicing can mimic the attacker behaviour by trying to remove the code unrelated to that variable, acting as a new type of de-obfuscator.

show abstract

“…Other properties of translated/obfuscated code, such us how harder it is to understand and to attack, are out of the scope of the present paper. To investigate these properties, human studies and controlled experiment are required, and we are planning and conducting them as part of our research activity [5], [24], [6] A. Case Studies…”

Section: Empirical Validationmentioning

confidence: 99%

[Research Paper] Obfuscating Java Programs by Translating Selected Portions of Bytecode to Native Libraries

Pizzolotto

Ceccato

2018

2018 IEEE 18th International Working Conference on Source Code Analysis and Manipulation (SCAM)

View full text Add to dashboard Cite

Code obfuscation is a popular approach to turn program comprehension and analysis harder, with the aim of mitigating threats related to malicious reverse engineering and code tampering. However, programming languages that compile to high level bytecode (e.g., Java) can be obfuscated only to a limited extent. In fact, high level bytecode still contains high level relevant information that an attacker might exploit.In order to enable more resilient obfuscations, part of these programs might be implemented with programming languages (e.g., C) that compile to low level machine-dependent code. In fact, machine code contains and leaks less high level information and it enables more resilient obfuscations.In this paper, we present an approach to automatically translate critical sections of high level Java bytecode to C code, so that more effective obfuscations can be resorted to. Moreover, a developer can still work with a single programming language, i.e., Java.

show abstract

How Professional Hackers Understand Protected Code while Performing Attack Tasks

Cited by 29 publications

References 22 publications

An Observational Investigation of Reverse Engineers' Process and Mental Models

An Observational Investigation of Reverse Engineers' Process and Mental Models

Analysis of Obfuscated Code with Program Slicing

[Research Paper] Obfuscating Java Programs by Translating Selected Portions of Bytecode to Native Libraries

Contact Info

Product

Resources

About