StIns4CS: A State Inspection Tool for C#
Amjad Ibrahim
Sebastian Banescu
Affiliation
Prof. Dr. Alexander Pretschner
Technische Universität München
Fakultät für Informatik
Lehrstuhl XXII für Software Engineering
INTRODUCTION
Software Tampering
Context: Running an application on a platform controlled by an adversary
Attacks: Unauthorized modification of software
Consequence: Retail value of pirated software is $63 billion in 2013 [13]
How to protect software
Software Protection (Falcarin et al. [6])
• Obfuscation
• Tamper-Proofing
• Watermarking
• Birthmarking
Contributions
• The design and implementation of the StateInspection4CSharp tool.
• Symbolic execution to generate the set of input-output pairs for a certain set of functions.
• Evaluation of the performance and stealth of StIns4CS with various response mechanisms.
• A method to increase the stealth of the response mechanism by degrading results.
StIns4CS
The Concept
• State Inspection [4]
• Integrity of pure functions
• Random networks of guards
• A configurable response mechanism
[Diagram: Source Code (C#) → StIns4CS → Tamper-proofed Source Code (C#)]
Guard
Code Guard Network
Original Methods: [F1, F2, F3, F4, F5, F6, F7, F8]
Shuffled Methods: [F3, F2, F7, F1, F6, F8, F4, F5]
[Diagram: guard network with nodes F3, F2, F7, F1, F6, F8, F4, F5]
Stack Inspection
Stack overflow
Transformation Workflow
• Static Code Analysis
• Checkers Networks Generation
• Method assertions Generation
• Checkers Creation and insertion
• Responders Insertion
• Responses when tampering is detected
  • Immediate crash
  • Delayed crash
  • Do nothing
  • Remote logging
Primitive combination
• Sabotaging the return values
• Incorporating results of the check with return value
Benefits
1. Hides the comparison
2. Hides the response
3. Adds diversity to the protection code
Primitive combination: Example
return result.Substring(expected-output);
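The primitive combination from the slide above, written out as an added example (not code from StIns4CS or its authors) next to an explicit guard for contrast. It assumes `expected-output` is the integer difference between the recorded and the observed output of a guarded pure function; `Scale`, `ScalePatched`, the greeting methods and the input-output pair are hypothetical, and passing the guarded function as a delegate is only a way to simulate a patched method.

```csharp
using System;

// Added illustration; every name and value here is hypothetical.
static class PrimitiveCombinationDemo
{
    // Pure function whose integrity the guard checks.
    static int Scale(int x) => 3 * x + 1;

    // Stand-in for a patched copy of Scale (simulated tampering).
    static int ScalePatched(int x) => 3 * x - 1;

    // Constructed input-output pair, recorded at protection time.
    const int KnownInput = 4;
    const int Expected = 13; // Scale(4)

    // Explicit guard: the comparison and the response are separate,
    // visible statements.
    static string GreetExplicit(string name, Func<int, int> guarded)
    {
        string result = "Hello, " + name;
        if (guarded(KnownInput) != Expected)
            throw new InvalidOperationException("tampering detected");
        return result;
    }

    // Primitive combination: the check result is folded into the return
    // value. Offset 0 returns the string unchanged; a positive offset
    // drops leading characters; a negative or too-large offset makes
    // Substring throw ArgumentOutOfRangeException.
    static string GreetCombined(string name, Func<int, int> guarded)
    {
        string result = "Hello, " + name;
        int output = guarded(KnownInput);
        return result.Substring(Expected - output);
    }

    static void Main()
    {
        Console.WriteLine(GreetCombined("Alice", Scale));        // intact function
        Console.WriteLine(GreetCombined("Alice", ScalePatched)); // degraded result
        try { GreetExplicit("Alice", ScalePatched); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

`GreetCombined` contains no if-statement and no response call, which is what the benefits list means by hiding the comparison and hiding the response.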
EVALUATION
• Effectiveness against static and dynamic patching
• Stealth of checking code
• Cost of checking
Effectiveness against code patching
• Verify how the applications respond to patching
  • Static code patching
  • Dynamic memory patching
• Test variable:
  • Component size
Discussion
n = 2
Discussion
n = 4
Patching detected in at least n-1 places
Disabling a check
n = 4
Stealth of checking code
• Pattern matching attacks
• Test variables
  • Primitive combination
  • Virtualization obfuscation
• Three regular expressions:
  • Regex1: any if-statement
  • Regex2: if-statement with stack inspection
  • Regex3: response call statement
Discussion
[Figure panels: Regex1, Regex2, Regex3]
Results
[Bar chart: accuracy in matching checks (y-axis, 0 to 100) for Test Case1, Test Case2, Test Case3 and Test Case4; data labels as extracted: 15, 15, 0, 0, 100, 100, 0, 0, 100, 50, 100, 50]
Cost of checking
• Function invocations are added, so performance will be affected
  • Execution time
  • Memory allocation
  • Code size
Execution time and memory allocation
[Chart: Execution Time Impact; execution time in msec (y-axis) against component size 0, 2, 4, 8, 16 (x-axis); series Function 1, Function 2, Function 3]
[Chart: Memory Allocation Impact; memory allocation in megabyte (y-axis) against component size 0, 2, 4, 8, 16 (x-axis); series Function 1, Function 2, Function 3]
• Directly proportional to component size
• No guarantee on degradation.
  • Depends on the nature of the program
• Configuration
CONCLUSION & FUTURE WORK
Conclusion
• Effectiveness of the approach
  • StIns4CS
• Solving problems affects stealth
  • Stack inspection
• Enhancing the stealth is possible
  • Primitive combination
Future work
• Stack inspection: other options to break cycles
  • Information from the code call graph
• Primitive combination is conditioned
  • Generalizing this concept
• Software-diversity techniques within the checks
  • Versions of the same test
References
[1] Chang, Hoi, and Mikhail J. Atallah. “Protecting Software Code by Guards.” In Security and Privacy in Digital Rights Management, 160–175. Springer, 2002.
[2] Horne, Bill, Lesley Matheson, Casey Sheehan, and Robert E. Tarjan. “Dynamic Self-checking Techniques for Improved Tamper Resistance.” In Security and Privacy, 141–159. Springer, 2002.
[3] Giffin, Jonathon T., Mihai Christodorescu, and Louis Kruger. “Strengthening Software Self-checksumming via Self-modifying Code.” In Computer Security Applications Conference, 21st Annual, 10– pp, 2005.
[4] Mavrogiannopoulos, Nikos, Nessim Kisserli, and Bart Preneel. “A Taxonomy of Self-modifying Code for obfuscation.” Computers & Security 30, 2011.
[5] David Aucsmith, “Tamper resistant software: an implementation”, in Information Hiding, 199
[6] P. Falcarin, C. Collberg, M. Atallah, and M. Jakubowski. Guest editors’ introduction: Software protection. Software, IEEE, 28(2):24–27, 2011.
[7] L. Martignoni, R. Paleari, and D. Bruschi. Conqueror: tamper-proof code execution on legacy systems. In Proceedings of the 7th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Lecture Notes in Computer Science. Springer, July 2010.
[8] J. Qiu, B. Yadegari, B. Johannesmeyer, S. Debray, X. Su, “Identifying and Understanding Self-Checksumming Defenses in Software”, 2015.
[9] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, P. Khosla, “Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems”, Proceedings of the twentieth ACM symposium on Operating systems principles, 2005.
[10] G. Tan, Y. Chen, M.H. Jakubowski, “Delayed and controlled failures in tamper-resistant systems”, 8th Information Hiding, Lecture Notes in Computer Science, LNCS, vol. 4437 (2006).
[11] G. Wurster, P. C. van Oorschot, A. Somayaji, “A Generic Attack on Checksumming-Based Software Tamper Resistance”, 2005 IEEE Symposium on Security and Privacy.
[12] Collberg, Christian, “Surreptitious software obfuscation, watermarking, and tamperproofing for software protection”, 2010.
[13] S. Smith and S. Weingart. Building a high performance programmable secure coprocessor. Computer Networks, 1999.
[14] Steve R. White and Liam Comerford. ABYSS: An architecture for software protection. IEEE Transactions on Software Engineering, 1990.
[15] Bennett Yee and J. D. Tygar. Secure coprocessors in electronic commerce applications. 1995.
[16] http://globalstudy.bsa.org/2011/downloads/study_pdf/2011_BSA_Piracy_Study-InBrief.pdf
[17] http://research.microsoft.com/en-us/projects/pex/
[18] http://roslyn.codeplex.com
[19] https://dzone.com/articles/smart-continuous-delivery