Upload
truongdieu
View
216
Download
3
Embed Size (px)
Citation preview
SoftwareApplication
Security
Martin R Stytz, Ph.D.Jeff HughesAFRL/SNAS
2241 Avionics CircleWPAFB, OH 45433-7320
6/30/200322
SPI - Mission
Software Protection Initiative (SPI)To prevent the unauthorized distribution and exploitation of national security applications by our adversaries
6/30/200333
SPI - Motivation
High performance computing (HPC) hardware availability (i.e., Linux clusters)Decades of investment in high performance software and the research results they embodyCritical to every aspect of military activity, from training to operationsProtected software is the foundation for high confidence computing
6/30/200344
SPI - Vision
Establish the Software Protection Initiative as an integral layer of the defense in depth concept for information assurance
Complement existing information assurance efforts in network security and operating system access controls with an application-centric approach to protecting critical DoD intellectual property
6/30/200355
SPI - Strategy
Develop technologies that provide quantifiable protection of sensitive softwareDetermine resilience of technologies to attack or subversionSub-components
Continual assessment of technologiesDevelopment of techniques and technologiesDevelopment of metrics and benchmarks
6/30/200366
Application Security Definition
Anti-PiracyProtected distributionProtected execution
Code integrityTrusted execution
Vulnerability reductionReduction of security flawsSecure development environment
What is meant by “Application Security”
6/30/200377
SPI - Scope
What SPI is: Securing high value application software running on COTS computers.
Presently consists of 3 thrusts:Identify and protect existing critical applicationsDevise secure development environment for future applicationsEducate the DoD community
What SPI is not:Network securityOperating system access control
7
6/30/200388
SPI - Goals
Institutionalize software protection as part of the application software life-cycle
Educate and train the community
Develop a wide array of user-friendly protection techniques
Ensure that protection technology and policy are appropriately applied to protect and extend our technological advantage
6/30/200399
SPI Activities
TrainingProtection Technology VV&AMetrics DevelopmentOutreach & EducationResearch & Development
6/30/20031010
SPI ActivityTraining
GoalTrain program managers, engineers, scientists, and software developers on how to protect code pedigrees and how to write protectable code
Key ActivitiesDeveloping modular short course
Formal training courses will be held at SPC and other locations approximately six times per year
6/30/20031111
SPI ActivityProtection Technology VV&A
GoalRespond to user/developer feedback and validate usability, scalability, and maintainability of SPI technologies
Key ActivitiesAssembled broad based VV&A support structure
Technology Review PanelInternal Red Team, VV&A External Red TeamInsertion TeamUser Community
6/30/20031212
SPI Activity Metrics
Metric Categories0 Denial of use0 Denial of exploitation0 Validate “ilities”: usability, scalability, maintainability, availability
Values considered for criteriaCost to “us” vs. Cost to “them”$$ to implement $$ to defeat Run-time impacts Time to defeatSkills needed to implement Skills needed to defeatExtra memory usage Size of team neededNumerical accuracySchedule impactReliability
6/30/20031313
SPI Activity Outreach & Education
GoalCultivate awareness of the threat and the need for application code security Promote software protection as integral to defense in depth for Information Assurance.
Key ActivitiesAcademic centers of excellence program
SPI is participating in conferences, providing input for publications, and establishing contacts to increase awareness ofthe need for software protection
6/30/20031414
SPI ActivityResearch & Development
GoalAdvance software protection technologies on desktops through super computers
Focusprotect developed softwareDevelop protectable software
Key ActivitiesProtect developed codeDevelop protectable codePromote usability, scalability, and maintainabilityUniversal Protection Architecture
6/30/20031515
R&D Activity
UPAApplication Code 2
Rack Mount Server
Future Device Internal Card Desktop Hub Network Hub
Future Interface USB Ethernet
. . . .
USB
PCI Bus
Unified Protection Architecture (UPA)•Minimizes performance impacts•Uniform approach for reliability•Provides scalability
Application Code N
Application Code 1
Software Engine
6/30/20031616
R&D Strategy Vision*
ProtectionApplication security without development or performance penaltyProtection techniques tailored to the criticality of the code, the operational and threat environments, and computational powerScalable and customizable protection
DetectionSelf monitoring of protected software for
Malicious activityCode integrity
ReactionArray of autonomous self defense measures for protected codes
Modification of code/dataSelf destructionReporting
*Secrets and Lies: Digital Security in a Networked World, Bruce Schneier, John Wiley and Sons, Inc., 2000
6/30/20031818
Research and DevelopmentDimension of the Challenge
Framework for Analysis
Technology for achieving SPI goals
Quantification of code complexity
Performance metrics
6/30/20031919
Framework for Analysis
Goals of attacksReverse engineering all or parts of a codeAllowing limited or unrestricted executionTampering with the code
Type of effortHuman effort (from expert to ordinary skills)Generic tool availability (COTS, open source)Specialized tools (what is possible by skilled adversaries?)Number of allowed executionsTime and availability of code required for attack Level of mathematical or logical symbolic analysis
6/30/20032121
R&D TechnologyHardware Approaches
Freestanding, obfuscated code only
Obfuscated code with an “authentication” host on the network
Kind of networkKind of host processing
Obfuscated code with on-board hardware module/hardware
ProprietaryTCPA, Palladium, COTS
Other approaches and combinations of the above
6/30/20032222
R&D Technology Software Approaches
Obfuscation of codeAt source code level
source restructuring
At executable level Obfuscating compiler Post-compilation obfuscation
Three address code representation
Opaqueness of code and/or proceduresObfuscate proceduresComplexity of parameters passed, nestingUse of special hardware for function evaluations
6/30/20032323
Quantification of Code Complexity
At source, intermediate and/or executable levels
Basic block count and size
Structure of program control flow graphAt basic block levelStatic analysisDynamic analysis for a “typical” executionLoop structure and depth
Data structure complexity
Procedure call depth, count, parameter passing (indirection, etc.)
6/30/20032424
R&D Metrics
Performance metricsPossible levels of protection as a function of code complexity and attack effortPerformance loss as a function of protectionPreprocessing effort required for protectionCost of protection – hardware, management, etcCost of versioning, updating, etc.
6/30/20032626
Protecting Developed Code
Continually assess the state-of-the-artDevelop capabilities to maintain security edge in face of technological advances
Areas of concern/research interestDecompilersWatermarkingCompilersMultiprocessors
DisassemblersObfuscationDebuggersHigh Performance Computing
6/30/20032727
Developing Protectable Code
Continually assess state-of-the-art
Areas of concern/research interestSecure development environmentsAutomatic pedigree generation and validationAutomatic developer logging and profilingSoftware development methodology modificationVirtual machine wrappersMultiprocessors
6/30/20032828
R&DCurrent Efforts
Development of topicsObfuscation and WatermarkingTampering & Reverse EngineeringArchitectural DegradationTamper Detection & ResponseBinary Code TransformationAT Protection Thru Obfuscation
6/30/20032929
R&DProtection Research Avenues
Benchmarks, metrics, and test suitesAutonomous red teamOntology and lexicon
Secure development environment Architecture through maintenance phases
Black box application of protection technologiesCross authentication of componentsImproved watermarking and obfuscation
6/30/20033030
R&D Strategy Protection Research Avenues (cont)
Autonomous, secure assembly and verification of security capabilities
Composable protection techniquesData
Container-based protection of dataInherently secure programming languagesMultiprocessor software protectionOperation on untrusted hardware
6/30/20033131
R&D Strategy Detection Research Avenues
Autonomous attack detection and defenseOntology and lexiconComprehensive threat description and threat modelsVoting schemes to “detect” subverted software or nodesContinuous or pushbutton verification that the software is not changedSecurity gauges
6/30/20033232
R&D Strategy Reaction Research Avenues
Adaptive defenseVariable precision and accuracyBenchmarks and test suitesAutonomous recovery and repairIsolation of subverted nodesSecure migration of subverted processesPedigree to track back to developer
6/30/20033333
Strategic Issues
EducationTechnical ThrustsGovernment-wide CoordinationRisk Management
6/30/20033434
Strategic Issues Education
IssueEducation is critical to cultivate awareness of the threat and the requirement for application code security across the DoD
DiscussionEducation is required at all levelsSLAG and IPT must have reps from key DoD and government agencies and assist in education process SPI will encourage commercial entities to issue statements supporting the initiative Web will be a key education tool
Way AheadInvolvement is essential…..
6/30/20033535
Strategic Issues Technical Thrusts
IssueSPI must identify and protect existing critical codes and develop secure software development tools/environments for future applications
DiscussionCurrently rely on the inherent obfuscation provided by current higher order language compilers
ObservationEnsure R&D investments address these core issues and backstop the technology riskDeveloping comprehensive and integrated R&D strategy to meet short and long term objectives
6/30/20033636
Strategic Issues Government-Wide Coordination
IssueCritical applications are shared among government organizationsSoftware protection policy, techniques, and procedures must be consistent
DiscussionAll actions must be coordinated at senior levels
National Cyberspace PolicyDoE, NASA, and others
» Sharing of applications and procedures» Common requirements definition
Way AheadInclude key government organizations in activities
6/30/20033737
Strategic Issues Risk Management
IssueSPI program success requires balancing multiple, competing factors
DiscussionEstablished DoD acquisition vs. Typical academic-basedprocess software development processCompartmentalization of facts vs. EducationStrong protection measures vs. Ease of useDirected compliance vs. Voluntary implementation
DoD only vs. Government-wide implementation
ObservationR&D to enable usability, scalability, and maintainabilityDefinitive policy to institutionalize SPIEducation and coordination to encourage compliance
6/30/20033838
Conclusion
Application software represents a significant portion of the DoD’s intellectual property
Significant investment in both time and moneyEnables development of next generation weapon systems
Protecting critical application software allows U.S. Forces to:
Maintain a technological advantage over our adversaries Extend the operational life of critical systems