-
Automatic Selection of Protections to Mitigate Risks Against Software Applications
Authors:
Daniele Canavese,
Leonardo Regano,
Bjorn De Sutter,
Cataldo Basile
Abstract:
This paper introduces a novel approach for the automated selection of software protections to mitigate MATE risks against critical assets within software applications. We formalize the key elements involved in protection decision-making - including code artifacts, assets, security requirements, attacks, and software protections - and frame the protection process through a game-theoretic model. In…
▽ More
This paper introduces a novel approach for the automated selection of software protections to mitigate MATE risks against critical assets within software applications. We formalize the key elements involved in protection decision-making - including code artifacts, assets, security requirements, attacks, and software protections - and frame the protection process through a game-theoretic model. In this model, a defender strategically applies protections to various code artifacts of a target application, anticipating repeated attack attempts by adversaries against the confidentiality and integrity of the application's assets. The selection of the optimal defense maximizes resistance to attacks while ensuring the application remains usable by constraining the overhead introduced by protections. The game is solved through a heuristic based on a mini-max depth-first exploration strategy, augmented with dynamic programming optimizations for improved efficiency. Central to our formulation is the introduction of the Software Protection Index, an original contribution that extends existing notions of potency and resilience by evaluating protection effectiveness against attack paths using software metrics and expert assessments. We validate our approach through a proof-of-concept implementation and expert evaluations, demonstrating that automated software protection is a practical and effective solution for risk mitigation in software.
△ Less
Submitted 23 June, 2025;
originally announced June 2025.
-
Exploring the Robustness of AI-Driven Tools in Digital Forensics: A Preliminary Study
Authors:
Silvia Lucia Sanna,
Leonardo Regano,
Davide Maiorca,
Giorgio Giacinto
Abstract:
Nowadays, many tools are used to facilitate forensic tasks about data extraction and data analysis. In particular, some tools leverage Artificial Intelligence (AI) to automatically label examined data into specific categories (\ie, drugs, weapons, nudity). However, this raises a serious concern about the robustness of the employed AI algorithms against adversarial attacks. Indeed, some people may…
▽ More
Nowadays, many tools are used to facilitate forensic tasks about data extraction and data analysis. In particular, some tools leverage Artificial Intelligence (AI) to automatically label examined data into specific categories (\ie, drugs, weapons, nudity). However, this raises a serious concern about the robustness of the employed AI algorithms against adversarial attacks. Indeed, some people may need to hide specific data to AI-based digital forensics tools, thus manipulating the content so that the AI system does not recognize the offensive/prohibited content and marks it at as suspicious to the analyst. This could be seen as an anti-forensics attack scenario. For this reason, we analyzed two of the most important forensics tools employing AI for data classification: Magnet AI, used by Magnet Axiom, and Excire Photo AI, used by X-Ways Forensics. We made preliminary tests using about $200$ images, other $100$ sent in $3$ chats about pornography and teenage nudity, drugs and weapons to understand how the tools label them. Moreover, we loaded some deepfake images (images generated by AI forging real ones) of some actors to understand if they would be classified in the same category as the original images. From our preliminary study, we saw that the AI algorithm is not robust enough, as we expected since these topics are still open research problems. For example, some sexual images were not categorized as nudity, and some deepfakes were categorized as the same real person, while the human eye can see the clear nudity image or catch the difference between the deepfakes. Building on these results and other state-of-the-art works, we provide some suggestions for improving how digital forensics analysis tool leverage AI and their robustness against adversarial attacks or different scenarios than the trained one.
△ Less
Submitted 2 December, 2024;
originally announced December 2024.
-
Design, Implementation, and Automation of a Risk Management Approach for Man-at-the-End Software Protection
Authors:
Cataldo Basile,
Bjorn De Sutter,
Daniele Canavese,
Leonardo Regano,
Bart Coppens
Abstract:
The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NI…
▽ More
The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed construct, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings.
△ Less
Submitted 27 March, 2023;
originally announced March 2023.
-
Man-at-the-End Software Protection as a Risk Analysis Process
Authors:
Daniele Canavese,
Leonardo Regano,
Cataldo Basile,
Bart Coppens,
Bjorn De Sutter
Abstract:
The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according…
▽ More
The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) of a decision support system that automates many activities in the risk analysis methodology towards the protection of software applications. Despite still being a prototype, the PoC validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox, and that it can actually assist decision making in industrially relevant settings
△ Less
Submitted 1 March, 2022; v1 submitted 14 November, 2020;
originally announced November 2020.
-
Assessment of Source Code Obfuscation Techniques
Authors:
Alessio Viticchié,
Leonardo Regano,
Marco Torchiano,
Cataldo Basile,
Mariano Ceccato,
Paolo Tonella,
Roberto Tiella
Abstract:
Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfusc…
▽ More
Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided in code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique - VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete and the successful attack efficiency. An application with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation.
△ Less
Submitted 7 April, 2017;
originally announced April 2017.
-
Ethical issues of ISPs in the modern web
Authors:
Leonardo Regano,
Ali Safari Khatouni,
Martino Trevisan,
Alessio Viticchie
Abstract:
In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements r…
▽ More
In recent years, ethical issues in the networking field are getting moreimportant. In particular, there is a consistent debate about how Internet Service Providers (ISPs) should collect and treat network measurements. This kind of information, such as flow records, carry interesting knowledge from multiple points of view: research, traffic engineering and e-commerce can benefit from measurements retrievable through inspection of network traffic. Nevertheless, in some cases they can carry personal information about the users exposed to monitoring, and so generates several ethical issues. Modern web is very different from the one we could experience few years ago; web services converged to few protocols (i.e., HyperText Transfer Protocol (HTTP) and HTTPS) and always bigger share of encrypted traffic. The aim of this work is to provide an insight about which information is still visible to ISPs in the modern web and to what extent it carries personal information. We show ethical issues deriving by this new situation and provide general guidelines and best-practices to cope with the collection of network traffic measurements.
△ Less
Submitted 22 March, 2017;
originally announced March 2017.
