SBIR-STTR Award

Attack Modeling Technology and Methodology
Award last edited on: 4/18/2007

Sponsored Program: SBIR
Awarding Agency: DOD : OSD
Total Award Amount: $835,217
Award Phase: 2
Solicitation Topic Code: OSD04-SP1
Principal Investigator: Helayne Ray

Company Information

Si Government Solutions Inc

4450 W. Eau Gallie Blvd Suite 240
Melbourne, FL 32934
   (321) 952-6990
   info@sigovs.com
   www.sigovs.com
Location: Single
Congr. District: 08
County: Brevard

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year: 2005
Phase I Amount: $99,187

Software protection has matured significantly in recent years. In the commercial world, robust Digital Rights Management (DRM) architectures have evolved. In the government space, concern over binary protection has resulted in powerful techniques to secure executable code. With the momentum towards the next-generation secure computing base increasing, the novel binary protection being considered by the military will be incorporated in key OS code modules. Currently, the growth in these technologies has outpaced our ability to implement them effectively. What is absent is a methodology that gives the developers of binary protection a means of assessing attacks on binary code: a technology that incorporates information gathered during red teaming, extended through analysis, to make predictions of survivability. This document describes research into the key areas required to build an extendable framework able to support binary protection modeling and attack simulation. The primary nodes in this framework will eventually be represented by attack patterns, attack profiles, a dictionary of appropriate terminology and a set of parameters relative to the domain of binary attack. Once in place, this framework will allow the security engineer to selectively build attack trees that effectively model both binary protection and the associated attacks against it.

Keywords:
ATTACK MODELING; ATTACK PATTERNS; ATTACK PROFILES; BINARY CODE; SOFTWARE PROTECTION

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year: 2006
Phase II Amount: $736,030

Software protection continues to evolve rapidly while, in the government space, state-sponsored reverse engineering teams conduct attacks on binary code. As a result, concern over binary protection has become a matter of national security. This has resulted in a new generation of powerful techniques to secure executable code. Currently, the growth in these defensive technologies has weakened the very tools we rely on to evaluate protection. With first-generation reverse engineering tools ineffective, how does one ensure that new vulnerabilities have not been introduced alongside the new protections? What do potential second-generation attack tools look like? With new binary defenses deployed, our adversaries will eventually develop offensive tools to mitigate the protection. By developing these tools first, we extend the survivability of protected binary beyond what is currently thought to be adequate. This document proposes an approach to building one such second-generation technology. It describes the technology required to build a robust and extendable framework able to support binary protection evaluation. The primary nodes in this framework will be represented by specific second-generation attack tools and technologies. The core foundation of this proposed architecture currently exists as the Instruction Interception (I^2) prototype.

Keywords:
Binary Code, Software Protection, Dynamic Analysis, Debugger