Cataldo Basile,Bjorn De Sutter,Daniele Canavese,Leonardo Regano,Bart Coppens

DOI: https://doi.org/10.48550/arXiv.2303.15033

2023-03-27

Abstract:The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed construct, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings.

Software Engineering,Cryptography and Security

Bjorn De Sutter,Sebastian Schrittwieser,Bart Coppens,Patrick Kochberger

2024-05-01

Abstract:Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 571 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks and formulate a number of concrete recommendations for improving the evaluations reported in future research papers.

Cryptography and Security

Diego Bendersky,Ariel Futoransky,Luciano Notarfrancesco,Carlos Sarraute,Ariel Waissbein

DOI: https://doi.org/10.48550/arXiv.1006.2356

2010-06-12

Abstract:Software digital rights management is a pressing need for the software development industry which remains, as no practical solutions have been acclamaimed succesful by the industry. We introduce a novel software-protection method, fully implemented with today's technologies, that provides traitor tracing and license enforcement and requires no additional hardware nor inter-connectivity. Our work benefits from the use of secure triggers, a cryptographic primitive that is secure assuming the existence of an ind-cpa secure block cipher. Using our framework, developers may insert license checks and fingerprints, and obfuscate the code using secure triggers. As a result, this rises the cost that software analysis tools have detect and modify protection mechanisms. Thus rising the complexity of cracking this system.

Cryptography and Security

Nikolaos Alexopoulos,Sheikh Mahbub Habib,Steffen Schulz,Max Mühlhäuser

DOI: https://doi.org/10.48550/arXiv.1801.05764

2018-01-17

Cryptography and Security

Abstract:Despite years of intensive research in the field of software vulnerabilities discovery, exploits are becoming ever more common. Consequently, it is more necessary than ever to choose software configurations that minimize systems' exposure surface to these threats. In order to support users in assessing the security risks induced by their software configurations and in making informed decisions, we introduce M-STAR, a Modular Software Trustworthiness ARchitecture and framework for probabilistically assessing the trustworthiness of software systems, based on evidence, such as their vulnerability history and source code properties. Integral to M-STAR is a software trustworthiness model, consistent with the concept of computational trust. Computational trust models are rooted in Bayesian probability and Dempster-Shafer Belief theory, offering mathematical soundness and expressiveness to our framework. To evaluate our framework, we instantiate M-STAR for Debian Linux packages, and investigate real-world deployment scenarios. In our experiments with real-world data, M-STAR could assess the relative trustworthiness of complete software configurations with an error of less than 10%. Due to its modular design, our proposed framework is agile, as it can incorporate future advances in the field of code analysis and vulnerability prediction. Our results point out that M-STAR can be a valuable tool for system administrators, regular users and developers, helping them assess and manage risks associated with their software configurations.

Annarita Drago,Stefano Marrone,Nicola Mazzocca,Roberto Nardone,Annarita Tedesco,Valeria Vittorini

DOI: https://doi.org/10.1007/s10270-016-0572-7

2016-12-26

Abstract:Modern physical protection systems integrate a number of security systems (including procedures, equipments, and personnel) into a single interface to ensure an adequate level of protection of people and critical assets against malevolent human actions. Due to the critical functions of a protection system, the quantitative evaluation of its effectiveness is an important issue that still raises several challenges. In this paper we propose a model-driven approach to support the design and the evaluation of physical protection systems based on (a) UML models representing threats, protection facilities, assets, and relationships among them, and (b) the automatic construction of a Bayesian Network model to estimate the vulnerability of different system configurations. Hence, the proposed approach is useful both in the context of vulnerability assessment and in designing new security systems as it enables what-if and cost–benefit analyses. A real-world case study is further illustrated in order to validate and demonstrate the potentiality of the approach. Specifically, two attack scenarios are considered against the depot of a mass transit transportation system in Milan, Italy.

computer science, software engineering

Gustavo Gonzalez-Granadillo,Sofia Anna Menesidou,Dimitrios Papamartzivanos,Ramon Romeu,Diana Navarro-Llobet,Caxton Okoh,Sokratis Nifakos,Christos Xenakis,Emmanouil Panaousis

DOI: https://doi.org/10.3390/s21165493

IF: 3.9

2021-08-15

Sensors

Abstract:Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Alojz Gomola,Ingrid Bouwer Utne

DOI: https://doi.org/10.1016/j.heliyon.2024.e31483

IF: 3.776

2024-05-21

Heliyon

Abstract:With higher autonomy in maritime systems, tasks and responsibilities are moved from the human operator to software, increasing the complexity and the importance of safe and reliable functionality. Software failures, however, may be introduced from the early life cycle phases intentionally or unintentionally, and these must therefore be mitigated by safe and secure design approaches. A challenge is that existing methods are not particularly well-suited for analyzing software risks. Thus, the objective of this paper is to propose a systematic and efficient software failure identification approach by extending the Systems-Theoretic Process Analysis (STPA) with a software failure taxonomy and the System Modeling Language (SysML). This enables the control structure in STPA to cover both the dynamic and static aspects of the software functions. Combined with an implementation platform independent questionnaire, this gives a more systematic and guided search for potential software failures than existing approaches. To demonstrate the proposed approach, a case study on a ferry's navigation system that operates in manual control or semi-autonomous mode is performed. In the case study, the focus is on creating an avoidance map data structure, including both moving and static obstacles to be avoided by the ferry, and the subsequent process of collision risk warning calculation. Software failures are identified and evaluated in collision scenarios where the ferry operates under foggy conditions. The paper shows that the proposed systematic approach provides an improved process for identifying and analyzing critical software failures. This facilitates enhanced risk mitigation in the design and testing phases contributing to autonomous systems' safety and security.

Jens Van den Broeck,Bart Coppens,Bjorn De Sutter

DOI: https://doi.org/10.48550/arXiv.1907.01445

2019-07-03

Abstract:To counter man-at-the-end attacks such as reverse engineering and tampering, software is often protected with techniques that require support modules to be linked into the application. It is well-known, however, that attackers can exploit the modular nature of applications and their protections to speed up the identification and comprehension process of the relevant code, the assets, and the applied protections. To counter that exploitation of modularity at different levels of granularity, the boundaries between the modules in the program need to be obfuscated. We propose to do so by combining three cross-boundary protection techniques that thwart the disassembly process and in particular the reconstruction of functions: code layout randomization, interprocedurally coupled opaque predicates, and code factoring with intraprocedural control flow idioms. By means of an elaborate experimental evaluation and an extensive sensitivity analysis on realistic use cases and state-of-the-art tools, we demonstrate our technique's potency and resilience to advanced attacks. All relevant code is publicly available online.

Cryptography and Security

Odell Hegna

DOI: https://doi.org/10.48550/arXiv.1501.00820

2019-03-11

Abstract:Computers may control safety-critical operations in machines having embedded software. This memoir proposes a regimen to verify such algorithms at prescribed levels of statistical confidence. The United States Department of Defense standard for system safety engineering (MIL-STD-882E) defines development procedures for safety-critical systems. However, a problem exists: the Standard fails to distinguish quantitative product assurance technique from categorical process assurance method for software development. Resulting is conflict in the technical definition of the term risk. The primary goal here is to show that a quantitative risk-based product assurance method exists and is consistent with hardware practice. Discussion appears in two major parts: theory, which shows the relationship between automata and software; and application, which covers demonstration and indemnification. Demonstration is a technique for generating random tests; indemnification converts pass/fail test results to compound Poisson parameters (severity and intensity). Together, demonstration and indemnification yield statistical confidence that safety-critical code meets design intent. Statistical confidence is the keystone of quantitative product assurance. A secondary goal is resolving the conflict over the term risk. The first meaning is an accident model known in mathematics as the compound Poisson stochastic process, and so is called statistical risk. Various of its versions underlie the theories of safety and reliability. The second is called developmental risk. It considers software autonomy, which considers time until manual recovery of control. Once these meanings are separated, MIL-STD-882 can properly support either formal quantitative safety assurance or empirical process robustness, which differ in impact.

Logic in Computer Science

Athanasios Dimitriadis,Jose Luis Flores,Boonserm Kulvatunyou,Nenad Ivezic,Ioannis Mavridis

DOI: https://doi.org/10.3390/s20164617

2020-08-17

Abstract:Industry 4.0 adoption demands integrability, interoperability, composability, and security. Currently, integrability, interoperability and composability are addressed by next-generation approaches for enterprise systems integration such as model-based standards, ontology, business process model life cycle management and the context of business processes. Security is addressed by conducting risk management as a first step. Nevertheless, security risks are very much influenced by the assets that the business processes are supported. To this end, this paper proposes an approach for automated risk estimation in smart sensor environments, called ARES, which integrates with the business process model life cycle management. To do so, ARES utilizes standards for platform, vulnerability, weakness, and attack pattern enumeration in conjunction with a well-known vulnerability scoring system. The applicability of ARES is demonstrated with an application example that concerns a typical case of a microSCADA controller and a prototype tool called Business Process Cataloging and Classification System. Moreover, a computer-aided procedure for mapping attack patterns-to-platforms is proposed, and evaluation results are discussed revealing few limitations.

Mehran Alidoost Nia

DOI: https://doi.org/10.48550/arXiv.2312.17358

2023-12-29

Abstract:This paper presents the adaptive software security model, an innovative approach integrating the MAPE-K loop and the Software Development Life Cycle (SDLC). It proactively embeds security policies throughout development, reducing vulnerabilities from different levels of software engineering. Three primary contributions-MAPE-K integration, SDLC embedding, and analytical insights-converge to create a comprehensive approach for strengthening software systems against security threats. This research represents a paradigm shift, adapting security measures with agile software development and ensuring continuous improvement in the face of evolving threats. The model emerges as a robust solution, addressing the crucial need for adaptive software security strategies in modern software development. We analytically discuss the advantages of the proposed model.

Software Engineering,Cryptography and Security

Majid Mollaeefar,Silvio Ranise

DOI: https://doi.org/10.1016/j.cose.2023.103206

2022-07-15

Abstract:Cybersecurity risk management consists of several steps including the selection of appropriate controls to minimize risks. This is a difficult task that requires to search through all possible subsets of a set of available controls and identify those that minimize the risks of all stakeholders. Since stakeholders may have different perceptions of the risks (especially when considering the impact of threats), conflicting goals may arise that require to find the best possible trade-offs among the various needs. In this work, we propose a quantitative and (semi)automated approach to solve this problem based on the well-known notion of Pareto optimality. For validation, we show how a prototype tool based on our approach can assist in the Data Protection Impact Assessment mandated by the General Data Protection Regulation on a simplified but realistic use case scenario. We also evaluate the scalability of the approach by conducting an experimental evaluation with the prototype with encouraging results.

Cryptography and Security

Ryan Liu,Ladan Tahvildari

2023-08-09

Abstract:The threats posed by evolving cyberattacks have led to increased research related to software systems that can self-protect. One topic in this domain is Moving Target Defense (MTD), which changes software characteristics in the protected system to make it harder for attackers to exploit vulnerabilities. However, MTD implementation and deployment are often impacted by run-time uncertainties, and existing MTD decision-making solutions have neglected uncertainty in model parameters and lack self-adaptation. This paper aims to address this gap by proposing an approach for an uncertainty-aware and self-adaptive MTD decision engine based on Partially Observable Markov Decision Process and Bayesian Learning techniques. The proposed approach considers uncertainty in both state and model parameters; thus, it has the potential to better capture environmental variability and improve defense strategies. A preliminary study is presented to highlight the potential effectiveness and challenges of the proposed approach.

Software Engineering,Systems and Control

Archana Kumari,Stefan Schiffner,Sandra Schmitz

DOI: https://doi.org/10.48550/arXiv.2201.00546

2022-01-03

Computers and Society

Abstract:An ever shorter technology lifecycle engendered the need for assessing new technologies w.r.t. their market readiness. Knowing the Technology readiness level (TRL) of a given target technology proved to be useful to mitigate risks such as cost overrun, product roll out delays, or early launch failures. Originally developed for space programmes by NASA, TRL became a de facto standard among technology and manufacturing companies and even among research funding agencies. However, while TRL assessments provide a systematic evaluation process resulting in meaningful metric, they are one dimensional: they only answer the question if a technology can go into production. Hence they leave an inherent gap, i.e., if a technology fulfils requirements with a certain quality. This gap becomes intolerable when this metric is applied software such as technological cybersecurity measures. With legislation such as the General Data Protection Regulation4 (GDPR) and the Network and Information Systems Directive5 (NIS-D) making reference to state of the art when requiring appropriate protection measures, software designers are faced with the question how to measure if a technology is suitable to use. We argue that there is a potential mismatch of legal aim and technological reality which not only leads to a risk of non-compliance, but also might lead to weaker protected systems than possible. In that regard, we aim to address the gaps identified with existing Technology Readiness Assessment (TRA)s and aim to overcome these by developing standardised method which is suitable for assessing software w.r.t. its market readiness and quality (in sum maturity).

Nicholas Lasky,Benjamin Hallis,Mounika Vanamala,Rushit Dave,Jim Seliya

DOI: https://doi.org/10.48550/arXiv.2302.05530

2023-02-10

Software Engineering

Abstract:Engineering more secure software has become a critical challenge in the cyber world. It is very important to develop methodologies, techniques, and tools for developing secure software. To develop secure software, software developers need to think like an attacker through mining software repositories. These aim to analyze and understand the data repositories related to software development. The main goal is to use these software repositories to support the decision-making process of software development. There are different vulnerability databases like Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures database (CVE), and CAPEC. We utilized a database called MITRE. MITRE ATT&CK tactics and techniques have been used in various ways and methods, but tools for utilizing these tactics and techniques in the early stages of the software development life cycle (SDLC) are lacking. In this paper, we use machine learning algorithms to map requirements to the MITRE ATT&CK database and determine the accuracy of each mapping depending on the data split.

Katja Tuma,Christian Sandberg,Urban Thorsson,Mathias Widman,Riccardo Scandariato

DOI: https://doi.org/10.48550/arXiv.1910.03422

2019-10-08

Abstract:Recent trends in the software engineering (i.e., Agile, DevOps) have shortened the development life-cycle limiting resources spent on security analysis of software designs. In this context, architecture models are (often manually) analyzed for potential security threats. Risk-last threat analysis suggests identifying all security threats before prioritizing them. In contrast, risk-first threat analysis suggests identifying the risks before the threats, by-passing threat prioritization. This seems promising for organizations where developing speed is of great importance. Yet, little empirical evidence exists about the effect of sacrificing systematicity for high-priority threats on the performance and execution of threat analysis. To this aim, we conduct a case study with industrial experts from the automotive domain, where we empirically compare a risk-first technique to a risk-last technique. In this study, we consciously trade the amount of participants for a more realistic simulation of threat analysis sessions in practice. This allows us to closely observe industrial experts and gain deep insights into the industrial practice. This work contributes with: (i) a quantitative comparison of performance, (ii) a quantitative and qualitative comparison of execution, and (iii) a comparative discussion of the two techniques. We find no differences in the productivity and timeliness of discovering high-priority security threats. Yet, we find differences in analysis execution. In particular, participants using the risk-first technique found twice as many high-priority threats, developed detailed attack scenarios, and discussed threat feasibility in detail. On the other hand, participants using the risk-last technique found more medium and low-priority threats and finished early.

Software Engineering

Jianping Li,Minglu Li,Dengsheng Wu,Hao Song

DOI: https://doi.org/10.1016/j.ins.2011.09.040

IF: 8.1

2012-01-01

Information Sciences

Abstract:The growing demand for higher trustworthiness of software poses an unprecedented challenge to the software industry. Risk management is the important part for high quality software development processes. However, under the constraints of project cost and duration, it is very difficult to establish the budget for risk management. To integrate efficient risk management and pure software process is the goal of this paper. We propose a software process model with risk management and cost control modules to help improve software process risk management. Furthermore, based on this process model, a measurement model that includes process risk and software trustworthiness metrics is presented. Through risk management effectiveness calculation methods and risk transfer assumptions, a software process risk optimization model is proposed. This model can be used to derive an optimized risk management scheme for the process of trustworthy software development, with constraints of process cost and duration. Simulation cases are then analyzed by this model framework. The results show that risk management is critical to enhance trustworthiness but risk management is an effective complement, rather than the most fundamental process, to enhance the trustworthiness of software. Software developers should adopt appropriate and optimal strategies about risk management inputs, especially in lower CMMI level companies.

Sailik Sengupta,Satya Gautam Vadlamudi,Subbarao Kambhampati,Marthony Taguinod,Adam Doupé,Ziming Zhao,Gail-Joon Ahn

DOI: https://doi.org/10.48550/arXiv.1602.07024

2016-02-23

Cryptography and Security

Abstract:The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose modeling of a real-world MTD web application as a repeated Bayesian game. We then formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To incorporate this model into a developed MTD system, we develop an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.

Marco Angelini,Silvia Bonomi,Alessandro Palma

DOI: https://doi.org/10.48550/arXiv.2207.03269

2022-07-07

Abstract:Cyber risk assessment is a fundamental activity for enhancing the protection of an organization, identifying and evaluating the exposure to cyber threats. Currently, this activity is carried out mainly manually and the identification and correct quantification of risks deeply depend on the experience and confidence of the human assessor. As a consequence, the process is not completely objective and two parallel assessments of the same situation may lead to different results. This paper takes a step in the direction of reducing the degree of subjectivity by proposing a methodology to support risk assessors with an automatic review of the produced assessment. Our methodology starts from a controls-based assessment performed using well-known cybersecurity frameworks (e.g., ISO 27001, NIST) and maps security controls over infrastructural aspects that can be assessed automatically (e.g., ICT devices, organization policies). Exploiting this mapping, the methodology suggests how to identify controls needing revision. The approach has been validated through a case study from the healthcare domain and a set of statistical analyses.

Cryptography and Security

Simon Miller,Susan Appleby,Jonathan M. Garibaldi,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2823280

2013-01-01

International Journal of Secure Software Engineering

Abstract:The task of designing secure software systems is fraught with uncertainty, as data on uncommon attacks is limited, costs are difficult to estimate, and technology and tools are continually changing. Consequently, experts may interpret the security risks posed to a system in different ways, leading to variation in assessment. This paper presents research into measuring the variability in decision making between security professionals, with the ultimate goal of improving the quality of security advice given to software system designers. A set of thirty nine cyber-security experts took part in an exercise in which they independently assessed a realistic system scenario. This study quantifies agreement in the opinions of experts, examines methods of aggregating opinions, and produces an assessment of attacks from ratings of their components. We show that when aggregated, a coherent consensus view of security emerges which can be used to inform decisions made during systems design.