Understanding the behaviour of hackers while performing attack tasks in a professional setting and in a public challenge

Empirical Software Engineering - Vol. 24, No. 1 - pp. 240-286 - 2019
Ceccato, Mariano (1), Tonella, Paolo (1), Basile, Cataldo (2), Falcarin, Paolo (3), Torchiano, Marco (2), Coppens, Bart (4), De Sutter, Bjorn (4)
(1) Fondazione Bruno Kessler, Trento, Italy
(2) Politecnico di Torino, Turin, Italy
(3) University of East London, London, UK
(4) Universiteit Gent, Gent, Belgium

Abstract

When critical assets or functionalities are included in a piece of software accessible to the end users, code protections are used to hinder or delay the extraction or manipulation of such critical assets. The process and strategy followed by hackers to understand and tamper with protected software might differ from program understanding for benign purposes. Knowledge of the actual hacker behaviours while performing real attack tasks can inform better ways to protect the software and can provide more realistic assumptions to the developers, evaluators, and users of software protections. Within Aspire, a software protection research project funded by the EU under framework programme FP7, we have conducted three industrial case studies with the involvement of professional penetration testers and a public challenge consisting of eight attack tasks with open participation. We have applied a systematic qualitative analysis methodology to the hackers' reports on the industrial case studies and the public challenge. The qualitative analysis resulted in 459 and 265 annotations added respectively to the industrial and to the public challenge reports. Based on these annotations we built a taxonomy consisting of 169 concepts. They address the hacker activities related to (i) understanding code; (ii) defining the attack strategy; (iii) selecting and customizing the tools; and (iv) defeating the protections. While there are many commonalities between professional hackers and practitioners, we also identified many fundamental differences. For instance, while industrial professional hackers aim at elaborating automated and reproducible deterministic attacks, practitioners prefer to minimize the effort and try many different manual tasks. This analysis allowed us to distill a number of new research directions and potential improvements for protection techniques. In particular, considering the critical role of analysis tools, protection techniques should explicitly attack them, by exploiting analysis problems and complexity aspects that available automated techniques are bad at addressing.
