This research considers a scenario in which a piece of software needs to be protected against an attacker (the man-at-the-end, MATE) who has physical access to the software and so is able to inspect, modify, and execute it. The goal is to prevent the attacker from extracting sensitive information from the software, to prevent him from making changes to the behavior of the software, or, at least, to detect and report when such attacks are underway.
Man-at-the-end attacks can have serious consequences. For example, on an individual scale they can violate the privacy and integrity of medical records and other sensitive personal data; on a larger scale, such attacks can cripple national infrastructure (such as the power grid and the Internet itself).
This project explores innovative approaches to protect distributed systems from MATE attacks. To accomplish comprehensive defenses, the project develops MATE attack models and security metrics that formally characterize the process of device compromise, provides attack tools to allow easy testing of defense algorithms, and devises community standards for defense evaluation. Rigorously defined security metrics are necessary for research outcomes to be compared to existing and future approaches. A primary goal of this research is therefore to develop evaluation procedures for MATE defense mechanisms. This includes both universal obfuscation metrics and detailed red-team exercise protocols.
Computer systems are ubiquitous in today's world and play fundamental roles in many aspects of our lives. Ensuring their security is, therefore, of paramount importance. This project investigates a particular kind of attack on computer systems where the attacker has complete access to, and control over, the computer and its software and can manipulate them at will to extract any secrets, such as passwords, encryption keys, or other sensitive information that may be stored on the computer (think: stolen laptop or smartphone). Because the attacker has full control over the system, conventional defenses are not effective because they can be sidestepped by the attacker. This objective of this project was to understand how various kinds of defenses fare in this kind of attack scenario, and come up with innovative new defenses that are effective. In order to come up with good defenses for a computer system, it is necessary to also understand all of the ways in which a smart attacker might attack that system; this helps us understand fully the strengths and weaknesses of the system, which is the first step in developing effective defenses. We therefore studied both attacks and defenses against computer systems. On the attack side, we worked on two topics: (1) we developed general techniques to automatically strip out various kinds of obfuscations from sofware code, in order to extract the internal logic of the software in an easy-to-understand form; and (2) we investigated techniques for bypassing defenses that might be mounted by software to prevent others from analyzing it or tampering with the logic of its code. The results of these studies were then used to improve our understanding of how to improve the resiliency of software against analysis and tampering. We built software prototypes of our algorithms, which we used to experimentally evaluate our ideas and algorithms. These software tools have been made available to the research community to support further research. On the defense side, we investigated techniques to make programs difficult to analyze. Additionally, we built an open-source tool, called Tigress, that can be used to construct software protected using a wide variety of such defensive techniques. This tool can be used by researchers to experiment with different defense techniques and combinations of techniques, in order to better understand what techniques and combinations of techniques work well and under what circumstances, and how expensive these techniques may be in terms of code size and/or execution speed. The source code for this tool has been made freely available to the community.