research-article

Remote software protection by orthogonal client replacement

Authors:

Mariano Ceccato,

Mila Dalla Preda,

Anirban MajumdarAuthors Info & Claims

SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

Pages 448 - 455

https://doi.org/10.1145/1529282.1529380

Published: 08 March 2009 Publication History

Abstract

In a typical client-server scenario, a trusted server provides valuable services to a client, which runs remotely on an untrusted platform. Of the many security vulnerabilities that may arise (such as authentication and authorization), guaranteeing the integrity of the client code is one of the most difficult to address. This security vulnerability is an instance of the malicious host problem, where an adversary in control of the client's host environment tries to tamper with the client code.

We propose a novel client replacement strategy to counter the malicious host problem. The client code is periodically replaced by new orthogonal clients, such that their combination with the server is functionally-equivalent to the original client-server application. The reverse engineering efforts of the adversary are deterred by the complexity of analysis of frequently changing, orthogonal program code. We use the underlying concepts of program obfuscation as a basis for formally defining and providing orthogonality. We also give preliminary empirical validation of the proposed approach.

References

[1]

B. S. Baker. Finding clones with dup: Analysis of an experiment. IEEE Transactions on Software Engineering, 33(9): 608--621, 2007.

Digital Library

[2]

B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (im) possibility of obfuscating programs. Lecture Notes in Computer Science, 2139: 19--23, 2001.

Digital Library

[3]

I. D. Baxter, A. Yahin, L. Moura, M. Sant'Anna, and L. Bier. Clone detection using abstract syntax trees. In ICSM '98: Proceedings of the International Conference on Software Maintenance, pages 368--377, Washington, DC, USA, 1998. IEEE Computer Society.

Digital Library

[4]

M. Ceccato, M. Dalla Preda, J. Nagra, C. Collberg, and P. Tonella. Barrier slicing for remote software trusting. In Seventh IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2007), pages 1--10, Paris, France, 2007. IEEE Computer Society.

Digital Library

[5]

M. Ceccato, M. Dalla Preda, J. Nagra, C. Collberg, and P. Tonella. Trading-off security and performance in barrier slicing for remote software trusting. Technical report, Fondazione Bruno Kessler-IRST, http://se.fbk.eu, 2008.

[6]

C. Collberg, C. Thomborson, and D. Low. A taxonomy of obduscating transformations. Technical Report 148, Dept. of Computer Science, The Univ. of Auckland, 1997.

[7]

C. Collberg, C. Thomborson, and D. Low. Manufacturing cheap, resilient, and stealthy opaque constructs. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of programming languages (POPL '98), pages 184--196. ACM Press, 1998.

Digital Library

[8]

J. Cordy. The TXL source transformation language. Science of Computer Programming, 61(3): 190--210, August 2006.

Digital Library

[9]

K. Heffner and C. Collberg. The obfuscation executive. In Proceedings of the 7th International Conference on Information Security, ISC'04, volume 3255 of LNCS, pages 428--440, 2004.

[10]

Y. Higo, T. Kamiya, S. Kusumoto, and K. Inoue. Method and implementation for investigating code clones in a software system. Inf. Softw. Technol., 49(9--10): 985--998, 2007.

Digital Library

[11]

T. Kamiya, S. Kusumoto, and K. Inoue. CCFinder: A multilinguistic token-based code clone detection system for large scale source code. IEEE Transactions on Software Engineering, 28(7): 654--670, 2002.

Digital Library

[12]

R. Kennell and L. H. Jamieson. Establishing the genuinity of remote computer systems. In Proceedings of 12th USENIX Security Symposium, 2003.

Digital Library

[13]

R. Komondoor and susan Horwitz. Using slicing to identify duplication in source code. In Proceedings of the Static Analysis Symposiu, SAS'01, volume 2126 of LNCS, pages 40--56, 2001.

Digital Library

[14]

G. Myles and C. Collberg. K-gram based software birthmarks. In Proceedings of the 2005 ACM symposium on Applied computing, SAC'05, pages 314--318, New York, NY, USA, 2005. ACM.

Digital Library

[15]

A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. K. Khosla. Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 23-2-6, pages 1--16, 2005.

Digital Library

[16]

A. Seshadri, A. Perrig, L. van Doorn, and P. K. Khosla. Swatt: Software-based attestation for embedded devices. In IEEE Symposium on Security and Privacy, pages 272--283, 2004.

[17]

M. C. Umesh Shankar and J. D. Tygar. Side effects are not sufficient to authenticate software. Technical Report UCB/CSD-04-1363, EECS Department, University of California, Berkeley, 2004.

[18]

P. van Oorschot, A. Somayaji, and G. Wurster. Hardware-assisted circumvention of self-hashing software tamper resistance. IEEE Transactions on Dependable and Secure Computing, 2(2): 82--92, April-June 2005.

Digital Library

[19]

X. Zhang and R. Gupta. Hiding program slices for software security. In CGO '03: Proceedings of the international symposium on Code generation and optimization, pages 325--336, Washington, DC, USA, 2003. IEEE Computer Society.

Digital Library

Cited By

Pizzolotto DBerlato SCeccato M(2024)Mitigating Debugger-based Attacks to Java Applications with Self-debuggingACM Transactions on Software Engineering and Methodology10.1145/363197133:4(1-38)Online publication date: 18-Apr-2024
https://dl.acm.org/doi/10.1145/3631971
Vasileiadis LCeccato MCorradini DMcDonald JBardin SStakhanova N(2019)Revealing malicious remote engineering attempts on Android apps with magic numbersProceedings of the 9th Workshop on Software Security, Protection, and Reverse Engineering10.1145/3371307.3371312(1-12)Online publication date: 9-Dec-2019
https://dl.acm.org/doi/10.1145/3371307.3371312
Kim SLee DPark J(2018)Efficient scheme of verifying integrity of application binaries in embedded operating systemsThe Journal of Supercomputing10.1007/s11227-010-0465-459:2(676-692)Online publication date: 31-Dec-2018
https://dl.acm.org/doi/10.1007/s11227-010-0465-4
Show More Cited By

Index Terms

Remote software protection by orthogonal client replacement
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software organization and properties
    1. Software functional properties
      1. Correctness
        Access protection

Recommendations

A Novel Software Protection Approach for Code Obfuscation to Enhance Software Security

Over the past few decades ago, software developers analyzed robustly several forms of software protection against illegal copying or piracy. With the expansion in digital technology, the risk of illegal copying of software also amplifies. The increasing ...
N-version Obfuscation
CPSS '16: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security

Although existing for decades, software tampering attack is still a main threat to systems, such as Android, and cyber physical systems. Many approaches have been proposed to thwart specific procedures of tampering, e.g., obfuscation and self-...
Distributed application tamper detection via continuous software updates
ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference

We present a new general technique for protecting clients in distributed systems against Remote Man-at-the-end (R-MATE) attacks. Such attacks occur in settings where an adversary has physical access to an untrusted client device and can obtain an ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

March 2009

2347 pages

ISBN:9781605581668

DOI:10.1145/1529282

Conference Chairs:
Sung Y. Shin
South Dakota State University, United States
,
Sascha Ossowski
University Rey Juan Carlos, Spain

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 March 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Sixth Framework Programme

Conference

SAC09

Sponsor:

SIGAPP

SAC09: The 2009 ACM Symposium on Applied Computing

March 8, 2009 - March 12, 2008

Hawaii, Honolulu

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
169
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Pizzolotto DBerlato SCeccato M(2024)Mitigating Debugger-based Attacks to Java Applications with Self-debuggingACM Transactions on Software Engineering and Methodology10.1145/363197133:4(1-38)Online publication date: 18-Apr-2024
https://dl.acm.org/doi/10.1145/3631971
Vasileiadis LCeccato MCorradini DMcDonald JBardin SStakhanova N(2019)Revealing malicious remote engineering attempts on Android apps with magic numbersProceedings of the 9th Workshop on Software Security, Protection, and Reverse Engineering10.1145/3371307.3371312(1-12)Online publication date: 9-Dec-2019
https://dl.acm.org/doi/10.1145/3371307.3371312
Kim SLee DPark J(2018)Efficient scheme of verifying integrity of application binaries in embedded operating systemsThe Journal of Supercomputing10.1007/s11227-010-0465-459:2(676-692)Online publication date: 31-Dec-2018
https://dl.acm.org/doi/10.1007/s11227-010-0465-4
Leszczyna R(2013)Agents in Simulation of Cyberattacks to Evaluate Security of Critical InfrastructuresMultiagent Systems and Applications10.1007/978-3-642-33323-1_6(129-146)Online publication date: 2013
https://doi.org/10.1007/978-3-642-33323-1_6
Ceccato MTonella P(2011)CodeBenderIEEE Software10.1109/MS.2010.15828:2(28-34)Online publication date: 1-Mar-2011
https://dl.acm.org/doi/10.1109/MS.2010.158
Desnitsky VKotenko I(2010)Security and scalability of remote entrusting protectionProceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security10.5555/1885194.1885223(298-306)Online publication date: 8-Sep-2010
https://dl.acm.org/doi/10.5555/1885194.1885223
Wyseur B(2010)RE-TRUST: Trustworthy Execution of SW on Remote Untrusted PlatformsISSE 2009 Securing Electronic Business Processes10.1007/978-3-8348-9363-5_33(328-338)Online publication date: 2010
https://doi.org/10.1007/978-3-8348-9363-5_33
Desnitsky VKotenko I(2010)Security and Scalability of Remote Entrusting ProtectionComputer Network Security10.1007/978-3-642-14706-7_23(298-306)Online publication date: 2010
https://doi.org/10.1007/978-3-642-14706-7_23

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten