Anirban Majumdar,Clark D. Thomborson

2006-01-01

Abstract:Code obfuscation is a relatively new technique of software protection and it works by deterring reverse engineering attempts by malicious users of software. The objective of obfuscation is to make the logic embedded in code incomprehensible to automated program analysis tools used by adversaries. Opaque predicates act as tool for obfuscating control flow logic embedded within code. In this position paper, we address the problem of control-flow code obfuscation of processes executing in distributed computing environments by proposing a novel method of combining the open problems of distributed global state detection with a well-known hard combinatorial problem to manufacture opaque predicates. We name this class of new opaque predicates as distributed opaque predicates. We demonstrate our approach with an illustration and provide an extensive security analysis of code obfuscated with distributed opaque predicates. We show that our class of opaque predicates is capable of withstanding most known forms of automated static analysis attacks and a restricted class of dynamic analysis attack that could be mounted by adversaries.

Bohan Cui,Xiang Yin,Shaoyuan Li,Alessandro Giua

DOI: https://doi.org/10.1016/j.ifacol.2022.10.335

2022-01-01

Abstract:In this paper, we investigate a class of information-flow security properties called opacity in partial-observed discrete-event systems. Roughly speaking, a system is said to be opaque if the intruder, which is modeled by a passive observer, can never determine the “secret” of the system for sure. Most of the existing notions of opacity consider secrets related to the actual behaviors of the system. In this paper, we consider a new type of secret related to the knowledge of the system user. Specifically, we assume that the system user also only has partial observation of the system and has to reason the actual behavior of the system. We say a system is high-order opaque if the intruder can never determine that the system user knows some information of importance based on its own incomparable information. We provide the formal definition of high-order opacity. Two algorithms are provided for the verification of this new notion: one with doubly-exponential complexity for the worst case and the other with single-exponential complexity. Illustrative examples are provided for the new notion of high-order opacity.

Wei Duan,Ruotian Liu,Maria Pia Fanti,Christoforos N. Hadjicostis,Zhiwu Li

2024-10-11

Abstract:As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder will be prevented from inferring the secret behavior of the system. Unlike existing work which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of events generated by the <a class="link-external link-http" href="http://system.To" rel="external noopener nofollow">this http URL</a> characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of \emph{$ic$-enforceability} is introduced. Then, the opacity enforcement problem is transformed to a two-player game, with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.

Formal Languages and Automata Theory,Systems and Control

Christian S. Collberg,Clark D. Thomborson,Douglas Low

DOI: https://doi.org/10.1145/268946.268962

1998-01-01

Abstract:It has become common to distribute software in forms that are isomorphic to the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks.In this paper we describe the design of a Java code obfuscator, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.We describe a number of transformations which obfuscate control-flow. Transformations are evaluated with respect to potency (To what degree is a human reader confused?), resilience (How well are automatic deobfuscation attacks resisted?), cost (How much time/space overhead is added?), and stealth (How well does obfuscated code blend in with the original code?).The resilience of many control-altering transformations rely on the resilience of opaque predicates. These are boolean valued expressions whose values are known to the obfuscator but difficult to determine for an automatic deobfuscator. We show how to construct resilient, cheap, and stealthy opaque predicates based on the intractability of certain static analysis problems such as alias analysis.

Junyao Hou,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1016/j.automatica.2022.110238

IF: 6.4

2022-01-01

Automatica

Abstract:Opacity is an important information-flow security property that characterizes the plausible deniability of a dynamic system for its “secret” against eavesdropping attacks. As an information-flow property, the underlying observation model is the key in the modeling and analysis of opacity. In this paper, we investigate the verification of current-state opacity for discrete-event systems under Orwellian-type observations, i.e., the system is allowed to re-interpret the observation of an event based on its future suffix. First, we propose a new Orwellian-type observation model called the dynamic information release mechanism (DIRM). In the DIRM, when to release previous “hold on” events is state-dependent. Then we propose a new definition of opacity based on the notion of history-equivalence rather than the standard projection-equivalence. This definition is more suitable for observations that are not prefix-closed. Finally, we show that by constructing a new structure called the DIRM-observer, current-state opacity can be effectively verified under the DIRM. Computational complexity analysis as well as illustrative examples for the proposed approach is also provided. Compared with the existing Orwellian-type observation model, the proposed framework is more general in the sense that the information-release-mechanism is state-dependent, information is partially released and the corresponding definition of opacity is more suitable for non-prefix-closed observations.

Xiang Yin,Zhaojian Li,Weilin Wang,Shaoyuan Li

DOI: https://doi.org/10.1016/j.automatica.2018.10.049

IF: 6.4

2018-01-01

Automatica

Abstract:Opacity is an important information-flow property that arises in security and privacy analysis of cyber-physical systems. It captures the plausible deniability of the system's “secret” in the presence of a malicious intruder modeled as a passive observer. As a specific type of opacity, infinite-step opacity requires that the intruder can never determine unambiguously that the system was at a secret system for any specific instant in the past. Existing works on the analysis of infinite-step opacity only provide a binary characterization, i.e., a system is either opaque or non-opaque. However, a non-infinite-step-opaque system may only have a small probability of violation; this may be still tolerable in many applications. To analyze infinite-step opacity more quantitatively, in this paper, we investigate the verification of infinite-step opacity in the context of stochastic discrete-event systems. A new notion of opacity, called almost infinite-step opacity, is proposed to capture whether or not the probability of violating infinite-step opacity is smaller than a given threshold. This notion is weaker than its purely logical counter-part as it takes the transition probability of the system into account. We also provide an effective algorithm for the verification of almost infinite-step opacity.

Chongyang Shi,Yuheng Bu,Jie Fu

2024-05-01

Abstract:The paper studies information-theoretic opacity, an information-flow privacy property, in a setting involving two agents: A planning agent who controls a stochastic system and an observer who partially observes the system states. The goal of the observer is to infer some secret, represented by a random variable, from its partial observations, while the goal of the planning agent is to make the secret maximally opaque to the observer while achieving a satisfactory total return. Modeling the stochastic system using a Markov decision process, two classes of opacity properties are considered -- Last-state opacity is to ensure that the observer is uncertain if the last state is in a specific set and initial-state opacity is to ensure that the observer is unsure of the realization of the initial state. As the measure of opacity, we employ the Shannon conditional entropy capturing the information about the secret revealed by the observable. Then, we develop primal-dual policy gradient methods for opacity-enforcement planning subject to constraints on total returns. We propose novel algorithms to compute the policy gradient of entropy for each observation, leveraging message passing within the hidden Markov models. This gradient computation enables us to have stable and fast convergence. We demonstrate our solution of opacity-enforcement control through a grid world example.

Systems and Control

Hui Xu,Yangfan Zhou,Yu Kang,Fengzhi Tu,Michael R. Lyu

DOI: https://doi.org/10.1109/DSN.2018.00073

2018-01-01

Abstract:Control-flow obfuscation increases program complexity by semantic-preserving transformation. Opaque predicates are essential gadgets to achieve such transformation. However, we observe that real-world opaque predicates are generally very simple and engage little security consideration. Recently, such insecure opaque predicates have been severely attacked by symbolic execution-based adversaries and jeopardize the security of control-flow obfuscation. This paper, therefore, proposes symbolic opaque predicates which can be resilient to symbolic execution-based adversaries. We design a general framework to compose such opaque predicates, which requires introducing challenging symbolic analysis problems (e.g., symbolic memory) in each opaque predicate. In this way, we may mislead symbolic execution engines into reaching false conclusions. We observe a novel bi-opaque property about symbolic opaque predicates, which can incur not only false negative issues but also false positive issues to attackers. To evaluate the efficacy of our idea, we have implemented a prototype obfuscation tool based on Obfuscator-LLVM and conduct experiments with real-world programs. Our evaluation results show that symbolic opaque predicates demonstrate excellent resilience to prevalent symbolic execution engines, such as BAP, Triton, and Angr. Moreover, although the costs of symbolic opaque predicates may vary for different problem settings, some predicates can be very efficient. Therefore, our framework is both secure and usable. Users can follow the framework to introduce symbolic opaque predicates into their obfuscation tools and made them more powerful.

Xiang Yin,Majid Zamani,Siyuan Liu

DOI: https://doi.org/10.1109/tac.2020.2998733

IF: 6.549

2021-04-01

IEEE Transactions on Automatic Control

Abstract:Opacity is an important information-flow security property in the analysis of cyber-physical systems. It captures the plausible deniability of the system's secret behavior in the presence of an intruder that may access the information flow. Existing works on opacity only consider nonmetric systems by assuming that the intruder can always distinguish between two different outputs precisely. In this article, we extend the concept of opacity to systems whose output sets are equipped with metrics. Such systems are widely used in the modeling of many real-world systems whose measurements are physical signals. A new concept called approximate opacity is proposed in order to quantitatively evaluate the security guarantee level with respect to the measurement precision of the intruder. Then, we propose a new simulation-type relation, called approximate opacity-preserving simulation relation, which characterizes how close two systems are in terms of the satisfaction of approximate opacity. This allows us to verify approximate opacity for large-scale, or even infinite, systems using their abstractions. We also discuss how to construct approximate opacity-preserving symbolic models for a class of discrete-time control systems. Our results extend the definitions and analysis techniques for opacity from nonmetric systems to metric systems.

automation & control systems,engineering, electrical & electronic

Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1109/cdc.2018.8619851

2019-01-01

Abstract:We investigate security and privacy issues in networked discrete-event systems, where supervisory controllers are connected with actuators and sensors via communication networks. In this paper, we consider the case where the control channel between the supervisor and the actuators may not be secure in the sense that the control decisions sent by the supervisor can be “listened” by an intruder. We adopt the concept of an information-flow property called opacity to capture whether or not the networked supervisory control system is secure. Specifically, we say that the supervisory control system is opaque with insecure control channel if the intruder can never determine for sure that the system is in a secret state based on the control decisions sent by the supervisor. Based on different control decision transmission mechanisms, two notions of opacity are defined. Effective algorithms are also provided to verify different notions of opacity for networked supervisory control systems.

Chunyan Mu,David Clark

DOI: https://doi.org/10.48550/arXiv.2206.14317

2022-06-29

Abstract:We delineate a methodology for the specification and verification of flow security properties expressible in the opacity framework. We propose a logic, OpacTL , for straightforwardly expressing such properties in systems that can be modelled as partially observable labelled transition <a class="link-external link-http" href="http://systems.We" rel="external noopener nofollow">this http URL</a> develop verification techniques for analysing property opacity with respect to observation notions. Adding a probabilistic operator to the specification language enables quantitative analysis and verification. This analysis is implemented as an extension to the PRISM model checker and illustrated via a number of examples. Finally, an alternative approach to quantifying the opacity property based on entropy is sketched.

Cryptography and Security

Stephen Drape,Clark Thomborson,Anirban Majumdar

DOI: https://doi.org/10.1007/978-3-540-75496-1_20

2007-01-01

Abstract:An obfuscation aims to transform a program, without affecting the functionality, so that some secret information within the program can be hidden for as long as possible from an adversary. Proving that an obfuscating transform is correct (i.e. it preserves functionality) is considered to be a challenging task.In this paper we show how data refinement can be used to specify imperative data obfuscations. An advantage of this approach is that we can establish a framework in which we can prove the correctness of our obfuscations. We demonstrate our framework by considering some examples from obfuscation literature. We show how to specify these obfuscations, prove that they are correct and produce generalisations.

Anirban Majumdar,Clark Thomborson

DOI: https://doi.org/10.1007/11427995_90

2005-01-01

Abstract:Mobile agent technology is an evolving paradigm that combines the inherent characteristics of intelligent agents, namely, adaptability, reactivity and autonomy with mobility. These characteristics of mobile agents provide an excellent means of meeting the distributed and heterogeneous requirements of many military applications that involve low bandwidth and intermittently connected networks. In typical military applications, mobile agents can be used to perform information push, information pull, and sentinel monitoring [1].

Akito Monden,Antoine Monsifrot,Clark D. Thomborson

2004-01-01

Abstract:Software protection via obscurity is now considered fundamental for securing software systems. This paper proposes a framework for obfuscating the program interpretation instead of obfuscating the program itself. The obfuscated interpretation enables us to hide functionality of a given program P unless the interpretation being taken is revealed. The proposed framework employs a finite state machine (FSM) based interpreter to give the context-dependent semantics to each instruction in P; thus, attempts to statically analyze the relation between instructions and their semantics will not succeed. Considering that the instruction stream (execution sequence) of P varies according to the input to P , we give a systematic method to construct P whose instruction stream is always interpreted correctly regardless of its input. Our framework is easily applied to conventional computer systems by adding a FSM unit to virtual machines such as Java Virtual Machine (JVM) and Common Language Runtime (CLR).

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2021.3121249

IF: 6.549

2021-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property that holds if certain secret behavior of a system, typically represented by a predicate, cannot be revealed under any system evolution. Among other proposed methodologies, when opacity is violated, it can be enforced using insertion mechanisms, i.e., by inserting symbols before an actual system output (in real time as the system evolves) in order to replace observation sequences that lead to opacity violations with observation sequences that can be generated by system behavior that does not violate opacity. This article focuses on opacity enforcement in discrete-event systems modeled with finite-state automata and proposes an extended insertion mechanism that can enforce opacity in a practical manner to a wide class of systems by inserting symbols before and after an actual system output. This article also introduces event insertion constraints that require only certain specific symbols to be inserted before and after an actual system output. For each case, we obtain a necessary and sufficient condition (based on the construction of an appropriate verifier) for opacity enforceability using the proposed extended insertion mechanism and devise a pertinent extended insertion strategy.

automation & control systems,engineering, electrical & electronic

Sara Mann,Barnaby Crook,Lena Kästner,Astrid Schomäcker,Timo Speith

2023-07-26

Abstract:Modern computer systems are ubiquitous in contemporary life yet many of them remain opaque. This poses significant challenges in domains where desiderata such as fairness or accountability are crucial. We suggest that the best strategy for achieving system transparency varies depending on the specific source of opacity prevalent in a given context. Synthesizing and extending existing discussions, we propose a taxonomy consisting of eight sources of opacity that fall into three main categories: architectural, analytical, and socio-technical. For each source, we provide initial suggestions as to how to address the resulting opacity in practice. The taxonomy provides a starting point for requirements engineers and other practitioners to understand contextually prevalent sources of opacity, and to select or develop appropriate strategies for overcoming them.

Software Engineering,Artificial Intelligence

Mahshad Shariatnasab,Farhad Shirani,S. Sitharma Iyengar

2023-05-12

Abstract:Dataset obfuscation refers to techniques in which random noise is added to the entries of a given dataset, prior to its public release, to protect against leakage of private information. In this work, dataset obfuscation under two objectives is considered: i) rank-preservation: to preserve the row ordering in the obfuscated dataset induced by a given rank function, and ii) anonymity: to protect user anonymity under fingerprinting attacks. The first objective, rank-preservation, is of interest in applications such as the design of search engines and recommendation systems, feature matching, and social network analysis. Fingerprinting attacks, considered in evaluating the anonymity objective, are privacy attacks where an attacker constructs a fingerprint of a victim based on its observed activities, such as online web activities, and compares this fingerprint with information extracted from a publicly released obfuscated dataset to identify the victim. By evaluating the performance limits of a class of obfuscation mechanisms over asymptotically large datasets, a fundamental trade-off is quantified between rank-preservation and user anonymity. Single-letter obfuscation mechanisms are considered, where each entry in the dataset is perturbed by independent noise, and their fundamental performance limits are characterized by leveraging large deviation techniques. The optimal obfuscating test-channel, optimizing the privacy-utility tradeoff, is characterized in the form of a convex optimization problem which can be solved efficiently. Numerical simulations of various scenarios are provided to verify the theoretical derivations.

Information Theory,Cryptography and Security,Databases

Xiao Han,Yuncong Yang,Junjie Wu,Hui Xiong

DOI: https://doi.org/10.1109/tkde.2023.3331568

IF: 9.235

2023-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Minimizing privacy leakage while ensuring data utility is a critical problem in a privacy-preserving data publishing task, from which data holders can boost platform engagements or enlarge data values. Most prior research concerned only with either privacy-insensitive or exact private data and resorts to a single obscuring method to achieve a privacy-utility tradeoff, which is inadequate for real-life hybrid data especially when facing machine learning-based inference attacks. This work takes a pilot study on privacy-preserving data publishing when both widely adopted generalization and obfuscation operations are employed for privacy-heterogeneous data protection. Specifically, we first propose novel measures for privacy and utility values quantification and formulate the hybrid privacy-preserving data obscuring problem to account for the joint effect of generalization and obfuscation. We then design a novel protection mechanism called HyObscure, which decomposes the original problem into three sub-problems to cross-iteratively optimize the hybrid operations for maximum privacy protection under a certain data utility guarantee. The convergence of the iterative process and the privacy leakage bound of HyObscure are also provided in theory. Extensive experiments demonstrate that HyObscure significantly outperforms a variety of state-of-the-art baseline methods when facing various inference attacks in different scenarios.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Behrooz Razeghi,Flavio. P. Calmon,Deniz Gunduz,Slava Voloshynovskiy

DOI: https://doi.org/10.48550/arXiv.2009.04157

2020-09-09

Abstract:We consider the problem of privacy-preserving data release for a specific utility task under perfect obfuscation constraint. We establish the necessary and sufficient condition to extract features of the original data that carry as much information about a utility attribute as possible, while not revealing any information about the sensitive attribute. This problem formulation generalizes both the information bottleneck and privacy funnel problems. We adopt a local information geometry analysis that provides useful insight into information coupling and trajectory construction of spherical perturbation of probability mass functions. This analysis allows us to construct the modal decomposition of the joint distributions, divergence transfer matrices, and mutual information. By decomposing the mutual information into orthogonal modes, we obtain the locally sufficient statistics for inferences about the utility attribute, while satisfying perfect obfuscation constraint. Furthermore, we develop the notion of perfect obfuscation based on $\chi^2$-divergence and Kullback-Leibler divergence in the Euclidean information geometry.

Information Theory,Cryptography and Security,Probability

Anirban Majumdar,Clark Thomborson

DOI: https://doi.org/10.1007/11553939_149

2005-01-01

Abstract:Mobile agent technology is an evolving paradigm that combines the inherent characteristics of intelligent agents, namely, adaptability, reactivity and autonomy with mobility. These characteristics of mobile agents provide an excellent means of meeting the distributed and heterogeneous requirements for many electronic commerce applications involving low bandwidth and intermittently connected networks. However, the lack of security in the form of code confidentiality renders this paradigm unsuitable for commercial software. In this paper, we address the problem of mobile agent security by proposing a novel method of mobile agent obfuscation using the concept of opaque predicates to prevent adversaries from observing the control flow of agent code. We discuss about the efficiency of our proposed methodology by demonstrating that to an adversary, the problem of determining the outcome of such opaque predicates is often intractable.