Secure Software, Mobile Code Protection, and Software Tamper Resistance

Most instances of software exploitation are really software failure. Even though we cannot eliminate vulnerability from modern information systems, we can reduce the amount of exploitable code over the long term with sound, robust development practices. We argue that many "secure coding" concepts represent commonly taught coding techniques that ensure robustness, rather than ensuring any commonly understood concept of security. Weaving the practice of rigorous coding techniques into the curriculum is essential — coding for security is useless apart from fault-tolerant foundations. However, security-specific coding techniques need to be integrated pedagogically alongside robustness so that students can differentiate the two. The amount of rigor a professional development organization puts into its software process is tied to the nature of the computer programs it develops. We consider three notional levels of rigor, which can be logically tied to a likely level of capability and process maturity (CMM level) possessed by an organization.

Mobile code protection is an important topic in secure software. One approach to protecting distributed systems implemented with mobile code is program obfuscation. Disguising program intent is a form of information hiding that facilitates tamper resistance. By hiding program intent, we reduce adversaries to non-semantic attacks such as blind disruption or operating-system-level attacks (e.g., buffer overflows).

We provide a framework for establishing and evaluating program intent protection mechanisms to impede software tampering. Our model reflects more modest goals than the Virtual Black Box model. Rather than considering a comprehensive view of obfuscation, we detail broad classes of threats and we propose mechanisms to counter those threats. We then illustrate our model with a proof of the protection we offer and outline extensions to our results.

Electronic voting applications demand secure software practices. There is widespread agreement that computers are and will continue to be an intimate part of the voting process. SAIT Laboratory believes that voting is a mission-critical system and that voters deserve to be confident that any software involved in the voting process is secure. Privacy requirements and other constraints also demand that the election count be right the first time. We focus on establishing technology to ensure accuracy on the first count through redundancy, checks and balances, and other scientific processes. Our foundational premise is that any electronic voting component must be secure.

Malicious software (malware) is a major and increasing threat to reliable and trustworthy Internet communications. Many malware-based attacks rely on the shrink-wrap factor, i.e., a large number of users who run identical applications on their personal and business computers. It is not the function, or application semantics, that provides the target of opportunity. Rather, with a large installed code base, clever intruders leverage the internal program structure and well-known system architecture to create zombies, change security settings, trigger massive email and network flooding attacks, and generally cause havoc. The shrink-wrap factor is very important to malware attacks, because if everyone wrote their own applications, intruders would not be able to target a specific code structure. Even if many different vendors produced similar (yet distinct) application implementations (e.g., operating system, word processor, spreadsheet, etc.), it would complicate non-semantic attacks by increasing target identification complexity and reducing target suitability populations. We seek automated mechanisms that allow shrink-wrap vendors to package their software products in a way that inherently prevents structure-based malware attacks. The foundation of our technology is that we "Differentiate Executables."
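The following toy, added here as an illustration and not SAIT Laboratory's own code, makes both ideas above concrete: the constant-splitting transform is a small intent-hiding obfuscation of the kind discussed under mobile code protection, and applying randomized, behaviour-neutral transforms per installed copy is what "differentiating executables" means in the shrink-wrap discussion. The stack machine, its five-opcode instruction set, the two transforms and the structure fingerprint are all constructed assumptions for the example; every copy still computes the same result, but a signature keyed on code structure matches far fewer of the diversified copies.

```python
import hashlib
import random

# Constructed program for a toy stack machine: computes (3 + 4) * 5 = 35.
PROGRAM = [("PUSH", 3), ("PUSH", 4), ("ADD",), ("PUSH", 5), ("MUL",), ("HALT",)]


def run(program):
    """Interpret a program; return the value left on top of the stack."""
    stack = []
    for instr in program:
        op = instr[0]
        if op == "PUSH":
            stack.append(instr[1])
        elif op in ("ADD", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a * b)
        elif op == "NOP":
            continue
        elif op == "HALT":
            break
        else:
            raise ValueError("unknown opcode: %s" % op)
    return stack[-1] if stack else None


def split_constant(value, rng):
    """Constant-splitting obfuscation: PUSH n -> PUSH a; PUSH (n - a); ADD.
    The literal n no longer appears in the code, so a reader (or a signature
    looking for that literal) cannot see the program's intent directly."""
    a = rng.randint(-1000, 1000)
    return [("PUSH", a), ("PUSH", value - a), ("ADD",)]


def diversify(program, seed):
    """Produce one semantics-preserving variant of program keyed by seed.
    Two randomized, behaviour-neutral transforms are applied: constant
    splitting and NOP padding. Each seed yields a differently structured
    executable, so no two installed copies share the same layout."""
    rng = random.Random(seed)
    variant = []
    for instr in program:
        if instr[0] == "PUSH" and rng.random() < 0.7:
            variant.extend(split_constant(instr[1], rng))
        else:
            variant.append(instr)
        if instr[0] != "HALT" and rng.random() < 0.3:
            variant.append(("NOP",))
    return variant


def structure_fingerprint(program):
    """SHA-256 over the opcode sequence only, ignoring operands. This stands in
    for what a structure-based attack or signature keys on: fixed layout,
    not application semantics."""
    opcodes = " ".join(instr[0] for instr in program)
    return hashlib.sha256(opcodes.encode()).hexdigest()


def signature_hits(program, copies, diversified):
    """Take a structural signature from the vendor's reference build and count
    how many installed copies it matches. Returns (hits, all_copies_behave_same).
    With identical copies every one matches; with diversified copies the
    target population collapses while behaviour is unchanged."""
    signature = structure_fingerprint(program)
    installed = [diversify(program, seed) if diversified else list(program)
                 for seed in range(copies)]
    hits = sum(structure_fingerprint(c) == signature for c in installed)
    same_behaviour = all(run(c) == run(program) for c in installed)
    return hits, same_behaviour


if __name__ == "__main__":
    print("reference result:", run(PROGRAM))
    print("identical copies (hits, same behaviour):",
          signature_hits(PROGRAM, 50, diversified=False))
    print("diversified copies (hits, same behaviour):",
          signature_hits(PROGRAM, 50, diversified=True))
```

The fingerprint deliberately ignores operands so that constant splitting alone (which changes operands and inserts an ADD) and NOP padding both perturb it; in a real toolchain the analogous knobs are function and basic-block reordering, register allocation and padding, applied at build or install time with a per-copy seed.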
