SoftwareApplication

Security

Martin R Stytz, Ph.D.Jeff HughesAFRL/SNAS

2241 Avionics CircleWPAFB, OH 45433-7320

6/30/200322

SPI - Mission

Software Protection Initiative (SPI)To prevent the unauthorized distribution and exploitation of national security applications by our adversaries

6/30/200333

SPI - Motivation

High performance computing (HPC) hardware availability (i.e., Linux clusters)Decades of investment in high performance software and the research results they embodyCritical to every aspect of military activity, from training to operationsProtected software is the foundation for high confidence computing

6/30/200344

SPI - Vision

Establish the Software Protection Initiative as an integral layer of the defense in depth concept for information assurance

Complement existing information assurance efforts in network security and operating system access controls with an application-centric approach to protecting critical DoD intellectual property

6/30/200355

SPI - Strategy

Develop technologies that provide quantifiable protection of sensitive softwareDetermine resilience of technologies to attack or subversionSub-components

Continual assessment of technologiesDevelopment of techniques and technologiesDevelopment of metrics and benchmarks

6/30/200366

Application Security Definition

Anti-PiracyProtected distributionProtected execution

Code integrityTrusted execution

Vulnerability reductionReduction of security flawsSecure development environment

What is meant by “Application Security”

6/30/200377

SPI - Scope

What SPI is: Securing high value application software running on COTS computers.

Presently consists of 3 thrusts:Identify and protect existing critical applicationsDevise secure development environment for future applicationsEducate the DoD community

What SPI is not:Network securityOperating system access control

7

6/30/200388

SPI - Goals

Institutionalize software protection as part of the application software life-cycle

Educate and train the community

Develop a wide array of user-friendly protection techniques

Ensure that protection technology and policy are appropriately applied to protect and extend our technological advantage

6/30/200399

SPI Activities

TrainingProtection Technology VV&AMetrics DevelopmentOutreach & EducationResearch & Development

6/30/20031010

SPI ActivityTraining

GoalTrain program managers, engineers, scientists, and software developers on how to protect code pedigrees and how to write protectable code

Key ActivitiesDeveloping modular short course

Formal training courses will be held at SPC and other locations approximately six times per year

6/30/20031111

SPI ActivityProtection Technology VV&A

GoalRespond to user/developer feedback and validate usability, scalability, and maintainability of SPI technologies

Key ActivitiesAssembled broad based VV&A support structure

Technology Review PanelInternal Red Team, VV&A External Red TeamInsertion TeamUser Community

6/30/20031212

SPI Activity Metrics

Metric Categories0 Denial of use0 Denial of exploitation0 Validate “ilities”: usability, scalability, maintainability, availability

Values considered for criteriaCost to “us” vs. Cost to “them”$$ to implement $$ to defeat Run-time impacts Time to defeatSkills needed to implement Skills needed to defeatExtra memory usage Size of team neededNumerical accuracySchedule impactReliability

6/30/20031313

SPI Activity Outreach & Education

GoalCultivate awareness of the threat and the need for application code security Promote software protection as integral to defense in depth for Information Assurance.

Key ActivitiesAcademic centers of excellence program

SPI is participating in conferences, providing input for publications, and establishing contacts to increase awareness ofthe need for software protection

6/30/20031414

SPI ActivityResearch & Development

GoalAdvance software protection technologies on desktops through super computers

Focusprotect developed softwareDevelop protectable software

Key ActivitiesProtect developed codeDevelop protectable codePromote usability, scalability, and maintainabilityUniversal Protection Architecture

6/30/20031515

R&D Activity

UPAApplication Code 2

Rack Mount Server

Future Device Internal Card Desktop Hub Network Hub

Future Interface USB Ethernet

. . . .

USB

PCI Bus

Unified Protection Architecture (UPA)•Minimizes performance impacts•Uniform approach for reliability•Provides scalability

Application Code N

Application Code 1

Software Engine

6/30/20031616

R&D Strategy Vision*

ProtectionApplication security without development or performance penaltyProtection techniques tailored to the criticality of the code, the operational and threat environments, and computational powerScalable and customizable protection

DetectionSelf monitoring of protected software for

Malicious activityCode integrity

ReactionArray of autonomous self defense measures for protected codes

Modification of code/dataSelf destructionReporting

*Secrets and Lies: Digital Security in a Networked World, Bruce Schneier, John Wiley and Sons, Inc., 2000

6/30/20031717

Research Areas

Algorithms

Environments

Benchmarks

& Metrics

Surveys &Integration

6/30/20031818

Research and DevelopmentDimension of the Challenge

Framework for Analysis

Technology for achieving SPI goals

Quantification of code complexity

Performance metrics

6/30/20031919

Framework for Analysis

Goals of attacksReverse engineering all or parts of a codeAllowing limited or unrestricted executionTampering with the code

Type of effortHuman effort (from expert to ordinary skills)Generic tool availability (COTS, open source)Specialized tools (what is possible by skilled adversaries?)Number of allowed executionsTime and availability of code required for attack Level of mathematical or logical symbolic analysis

6/30/20032020

Research Issues

Performance

Scalability

Assessment Re-use

6/30/20032121

R&D TechnologyHardware Approaches

Freestanding, obfuscated code only

Obfuscated code with an “authentication” host on the network

Kind of networkKind of host processing

Obfuscated code with on-board hardware module/hardware

ProprietaryTCPA, Palladium, COTS

Other approaches and combinations of the above

6/30/20032222

R&D Technology Software Approaches

Obfuscation of codeAt source code level

source restructuring

At executable level Obfuscating compiler Post-compilation obfuscation

Three address code representation

Opaqueness of code and/or proceduresObfuscate proceduresComplexity of parameters passed, nestingUse of special hardware for function evaluations

6/30/20032323

Quantification of Code Complexity

At source, intermediate and/or executable levels

Basic block count and size

Structure of program control flow graphAt basic block levelStatic analysisDynamic analysis for a “typical” executionLoop structure and depth

Data structure complexity

Procedure call depth, count, parameter passing (indirection, etc.)

6/30/20032424

R&D Metrics

Performance metricsPossible levels of protection as a function of code complexity and attack effortPerformance loss as a function of protectionPreprocessing effort required for protectionCost of protection – hardware, management, etcCost of versioning, updating, etc.

6/30/20032525

Research Objectives

Protect developed code

Develop protectable code

6/30/20032626

Protecting Developed Code

Continually assess the state-of-the-artDevelop capabilities to maintain security edge in face of technological advances

Areas of concern/research interestDecompilersWatermarkingCompilersMultiprocessors

DisassemblersObfuscationDebuggersHigh Performance Computing

6/30/20032727

Developing Protectable Code

Continually assess state-of-the-art

Areas of concern/research interestSecure development environmentsAutomatic pedigree generation and validationAutomatic developer logging and profilingSoftware development methodology modificationVirtual machine wrappersMultiprocessors

6/30/20032828

R&DCurrent Efforts

Development of topicsObfuscation and WatermarkingTampering & Reverse EngineeringArchitectural DegradationTamper Detection & ResponseBinary Code TransformationAT Protection Thru Obfuscation

6/30/20032929

R&DProtection Research Avenues

Benchmarks, metrics, and test suitesAutonomous red teamOntology and lexicon

Secure development environment Architecture through maintenance phases

Black box application of protection technologiesCross authentication of componentsImproved watermarking and obfuscation

6/30/20033030

R&D Strategy Protection Research Avenues (cont)

Autonomous, secure assembly and verification of security capabilities

Composable protection techniquesData

Container-based protection of dataInherently secure programming languagesMultiprocessor software protectionOperation on untrusted hardware

6/30/20033131

R&D Strategy Detection Research Avenues

Autonomous attack detection and defenseOntology and lexiconComprehensive threat description and threat modelsVoting schemes to “detect” subverted software or nodesContinuous or pushbutton verification that the software is not changedSecurity gauges

6/30/20033232

R&D Strategy Reaction Research Avenues

Adaptive defenseVariable precision and accuracyBenchmarks and test suitesAutonomous recovery and repairIsolation of subverted nodesSecure migration of subverted processesPedigree to track back to developer

6/30/20033333

Strategic Issues

EducationTechnical ThrustsGovernment-wide CoordinationRisk Management

6/30/20033434

Strategic Issues Education

IssueEducation is critical to cultivate awareness of the threat and the requirement for application code security across the DoD

DiscussionEducation is required at all levelsSLAG and IPT must have reps from key DoD and government agencies and assist in education process SPI will encourage commercial entities to issue statements supporting the initiative Web will be a key education tool

Way AheadInvolvement is essential…..

6/30/20033535

Strategic Issues Technical Thrusts

IssueSPI must identify and protect existing critical codes and develop secure software development tools/environments for future applications

DiscussionCurrently rely on the inherent obfuscation provided by current higher order language compilers

ObservationEnsure R&D investments address these core issues and backstop the technology riskDeveloping comprehensive and integrated R&D strategy to meet short and long term objectives

6/30/20033636

Strategic Issues Government-Wide Coordination

IssueCritical applications are shared among government organizationsSoftware protection policy, techniques, and procedures must be consistent

DiscussionAll actions must be coordinated at senior levels

National Cyberspace PolicyDoE, NASA, and others

» Sharing of applications and procedures» Common requirements definition

Way AheadInclude key government organizations in activities

6/30/20033737

Strategic Issues Risk Management

IssueSPI program success requires balancing multiple, competing factors

DiscussionEstablished DoD acquisition vs. Typical academic-basedprocess software development processCompartmentalization of facts vs. EducationStrong protection measures vs. Ease of useDirected compliance vs. Voluntary implementation

DoD only vs. Government-wide implementation

ObservationR&D to enable usability, scalability, and maintainabilityDefinitive policy to institutionalize SPIEducation and coordination to encourage compliance

6/30/20033838

Conclusion

Application software represents a significant portion of the DoD’s intellectual property

Significant investment in both time and moneyEnables development of next generation weapon systems

Protecting critical application software allows U.S. Forces to:

Maintain a technological advantage over our adversaries Extend the operational life of critical systems

6/30/20033939

Conclusion, cont.

Software protection is an integral layer of the defense in depth concept for information assurance

Compliments network security and access controlsProvides application centric technology to reinforce applicationsecurity policy