ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Remote software protection by orthogonal client replacement
Full text PdfPdf (319 KB)
Source
Symposium on Applied Computing archive
Proceedings of the 2009 ACM symposium on Applied Computing table of contents
Honolulu, Hawaii
SESSION: Software engineering track table of contents
Pages 448-455  
Year of Publication: 2009
ISBN:978-1-60558-166-8
Authors
Mariano Ceccato  Fondazione Bruno, Trento, Italy
Paolo Tonella  Fondazione Bruno, Trento, Italy
Mila Dalla Preda  University of Verona, Verona, Italy
Anirban Majumdar  University of Trento, Trento, Italy
Sponsor
SIGAPP: ACM Special Interest Group on Applied Computing
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 52,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1529282.1529380
What is a DOI?

ABSTRACT

In a typical client-server scenario, a trusted server provides valuable services to a client, which runs remotely on an untrusted platform. Of the many security vulnerabilities that may arise (such as authentication and authorization), guaranteeing the integrity of the client code is one of the most difficult to address. This security vulnerability is an instance of the malicious host problem, where an adversary in control of the client's host environment tries to tamper with the client code.

We propose a novel client replacement strategy to counter the malicious host problem. The client code is periodically replaced by new orthogonal clients, such that their combination with the server is functionally-equivalent to the original client-server application. The reverse engineering efforts of the adversary are deterred by the complexity of analysis of frequently changing, orthogonal program code. We use the underlying concepts of program obfuscation as a basis for formally defining and providing orthogonality. We also give preliminary empirical validation of the proposed approach.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Brenda S. Baker, Finding Clones with Dup: Analysis of an Experiment, IEEE Transactions on Software Engineering, v.33 n.9, p.608-621, September 2007  [doi>10.1109/TSE.2007.70720]
 
2
Boaz Barak , Oded Goldreich , Russell Impagliazzo , Steven Rudich , Amit Sahai , Salil P. Vadhan , Ke Yang, On the (Im)possibility of Obfuscating Programs, Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, p.1-18, August 19-23, 2001
 
3
Ira D. Baxter , Andrew Yahin , Leonardo Moura , Marcelo Sant'Anna , Lorraine Bier, Clone Detection Using Abstract Syntax Trees, Proceedings of the International Conference on Software Maintenance, p.368, March 16-19, 1998
 
4
Mariano Ceccato , Mila Dalla Preda , Jasvir Nagra , Christian Collberg , Paolo Tonella, Barrier Slicing for Remote Software Trusting, Proceedings of the Seventh IEEE International Working Conference on Source Code Analysis and Manipulation, p.27-36, September 30-October 01, 2007  [doi>10.1109/SCAM.2007.6]
 
5
M. Ceccato, M. Dalla Preda, J. Nagra, C. Collberg, and P. Tonella. Trading-off security and performance in barrier slicing for remote software trusting. Technical report, Fondazione Bruno Kessler-IRST, http://se.fbk.eu, 2008.
 
6
C. Collberg, C. Thomborson, and D. Low. A taxonomy of obduscating transformations. Technical Report 148, Dept. of Computer Science, The Univ. of Auckland, 1997.
7
Christian Collberg , Clark Thomborson , Douglas Low, Manufacturing cheap, resilient, and stealthy opaque constructs, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.184-196, January 19-21, 1998, San Diego, California, United States  [doi>10.1145/268946.268962]
 
8
James R. Cordy, The TXL source transformation language, Science of Computer Programming, v.61 n.3, p.190-210, August 2006  [doi>10.1016/j.scico.2006.04.002]
 
9
K. Heffner and C. Collberg. The obfuscation executive. In Proceedings of the 7th International Conference on Information Security, ISC'04, volume 3255 of LNCS, pages 428--440, 2004.
 
10
Yoshiki Higo , Toshihiro Kamiya , Shinji Kusumoto , Katsuro Inoue, Method and implementation for investigating code clones in a software system, Information and Software Technology, v.49 n.9-10, p.985-998, September, 2007  [doi>10.1016/j.infsof.2006.10.005]
 
11
Toshihiro Kamiya , Shinji Kusumoto , Katsuro Inoue, CCFinder: a multilinguistic token-based code clone detection system for large scale source code, IEEE Transactions on Software Engineering, v.28 n.7, p.654-670, July 2002  [doi>10.1109/TSE.2002.1019480]
 
12
Rick Kennell , Leah H. Jamieson, Establishing the genuinity of remote computer systems, Proceedings of the 12th conference on USENIX Security Symposium, p.21-21, August 04-08, 2003, Washington, DC
 
13
Raghavan Komondoor , Susan Horwitz, Using Slicing to Identify Duplication in Source Code, Proceedings of the 8th International Symposium on Static Analysis, p.40-56, July 16-18, 2001
14
Ginger Myles , Christian Collberg, K-gram based software birthmarks, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico  [doi>10.1145/1066677.1066753]
15
Arvind Seshadri , Mark Luk , Elaine Shi , Adrian Perrig , Leendert van Doorn , Pradeep Khosla, Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
 
16
A. Seshadri, A. Perrig, L. van Doorn, and P. K. Khosla. Swatt: Software-based attestation for embedded devices. In IEEE Symposium on Security and Privacy, pages 272--283, 2004.
 
17
M. C. Umesh Shankar and J. D. Tygar. Side effects are not sufficient to authenticate software. Technical Report UCB/CSD-04-1363, EECS Department, University of California, Berkeley, 2004.
 
18
Paul C. van Oorschot , Anil Somayaji , Glenn Wurster, Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.82-92, April 2005  [doi>10.1109/TDSC.2005.24]
 
19
Xiangyu Zhang , Rajiv Gupta, Hiding program slices for software security, Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization, March 23-26, 2003, San Francisco, California

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.0 General
          Subjects: Protection mechanisms


General Terms:
Security


Keywords:
clone detection, obfuscation, program transformation, remote trusting, software security

Collaborative Colleagues:
Mariano Ceccato: colleagues
Paolo Tonella: colleagues
Mila Dalla Preda: colleagues
Anirban Majumdar: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player