Towards Automatic Risk Analysis and Mitigation of Software Applications

Regano, Leonardo; Canavese, Daniele; Basile, Cataldo; Viticchié, Alessio; Lioy, Antonio

doi:10.1007/978-3-319-45931-8_8

Cited by 2 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With the current state of the art, such human expert involvement is still necessary. Past research aimed to automate the attack discovery with abductive logic and Prolog [65]. That suffers from computational issues, since generating attack paths as sequences of attack steps causes a combinatorial explosion and requires massive pruning.…”

Section: 21mentioning

confidence: 99%

See 1 more Smart Citation

Man-at-the-End Software Protection as a Risk Analysis Process

Canavese¹,

Regano²,

Basile³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, and security-through-obscurity is omnipresent in this field. In this paper, we present a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the risk management activities, to instigate the necessary actions for adoption. We highlight the open issues that the research community has to address. We discuss the benefits that such an approach can bring to all stakeholders, from software developers to protections designers, and for the security of all the citizens. In addition, we present a Proof of Concept (PoC) of a decision support system that automates the risk analysis methodology towards the protection of software applications. Despite being in an embryonic stage, the PoC proved during validation with industry experts that several aspects of the risk management process can already be formalized and that it is an excellent starting point for building an industrial-grade decision support system. CCS Concepts: • Security and privacy → Software security engineering; • Information systems → Decision support systems; • Software and its engineering → Risk management; Software reverse engineering; • General and reference → Computing standards, RFCs and guidelines.

show abstract

Section: 21mentioning

confidence: 99%

“…The attack paths are built via backward chaining, as proposed in earlier work [7,65], and implemented with SWI-Prolog. An attack step can be executed if its premises are satisfied, and produces conclusions, the results of the successful execution of that step.…”

Section: Risk Assessmentmentioning

confidence: 99%

Man-at-the-End Software Protection as a Risk Analysis Process

Canavese¹,

Regano²,

Basile³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…We have developed a tool, written in Java, which infers various types of attack paths on application assets by using Prolog-based reasoning [30,31]. We have used the metamodel to instantiate a KB with various types of attack steps that include dynamic and static tampering attacks as well as network attacks, such as sniffing and spoofing the client-server communications.…”

Section: Deriving Attack Paths Against An Applicationmentioning

confidence: 99%

“…Then, for each AttackTarget instance, the tool tries to generate any possible AttackPath containing at least one AttackStep having a hasTarget relationship with the AttackTarget instance. Attack paths are generated by following a set of Prolog rules, contained in an external KB system, as described in [31]. Identified attacks may also be manually visualized and refined by the software developer with the Petri net tool described in Section 4.2.8.…”

Section: Software Protection Work Flowmentioning

confidence: 99%

A meta-model for software protections and reverse engineering attacks

Basile

Canavese

Regano

et al. 2019

Journal of Systems and Software

Self Cite

View full text Add to dashboard Cite

Software protection techniques are used to protect valuable software assets against man-at-the-end attacks. Those attacks include reverse engineering to steal confidential assets, and tampering to break the software's integrity in unauthorized ways. While their ultimate aims are the original assets, attackers also target the protections along their attack path. To allow both humans and tools to reason about the strength of available protections (and combinations thereof) against potential attacks on concrete applications and their assets, i.e., to assess the true strength of layered protections, all relevant and available knowledge on the relations between the relevant aspects of protections, attacks, applications, and assets need to be collected, structured, and formalized. This paper presents a software protection meta-model that can be instantiated to construct a formal knowledge base that holds precisely that information. The presented meta-model is validated against existing models and taxonomies in the domain of software protection, and by means of prototype tools that we developed to help non-modelling-expert software defenders with populating a knowledge base and with extracting and inferring practically useful information from it. All discussed tools are available as open source, and we evaluate their use as part of a software protection work flow on an open source application and industrial use cases.

show abstract

Towards Automatic Risk Analysis and Mitigation of Software Applications

Cited by 2 publications

References 17 publications

Man-at-the-End Software Protection as a Risk Analysis Process

Man-at-the-End Software Protection as a Risk Analysis Process

A meta-model for software protections and reverse engineering attacks

Contact Info

Product

Resources

About