Better protection for mobile software thanks to researchers from Ghent University

Thanks to a state-of-the-art software security framework designed by engineers of the ELIS (Electronics and Information Systems) department of Ghent University, it is possible to establish trustworthy execution of software on mobile client devices. The strength of this framework lies in the combination of several new and improved protection techniques. In addition, ASPIRE also developed new metrics and a new methodology to evaluate software protection levels, with the ambition of making the methodology the future gold standard of software protection.

The project was very successful and received an excellent assessment by the European Commission.

New and improved techniques

The ASPIRE project (Advanced Software Protection: Integration, Research, and Exploitation), led by Professor Bjorn De Sutter, developed and improved protection techniques for mobile software. If these different techniques work together, hackers will have to invest much more time and effort to attack the software, which will result in the costs outweighing the expected benefits of an attack. Perhaps this would not stop the NSA or Russian intelligence, but it will stop a large proportion of economically driven criminals, such as Mafiosi and other cybercriminals.

The investment of a hacker (orange plane) is beneficial as soon as they can exploit their attack (blue plane). If the protection measures increase the time and/or money needed to successfully hack the software (Figures 2 & 3), the investment is no longer beneficial for the hacker.

Exploitation

The research creates significant added value for researchers, developers, and companies, since most of the developed technologies are made available as open source. Other technologies are commercialized by industrial partners. 2ASPIRE (www.2aspire.eu), a spin-off in Italy, also originated from this project. The spin-off invests in developing a prototype of a security solution for Android mobile developers, to help them protect their income from cybercriminals.

These initiatives prove that the significance of the research stretches beyond the technical level. It has a clear impact on the market and the future research of software protection techniques.

How safe is my software protection?

ASPIRE also developed a new methodology to evaluate software protection levels. Software protection is a complex matter, in which developers are forced to make a lot of choices. It is therefore important to know if and when the available options are effective. For example, developers should choose which technologies provide the best protection for each component, taking into account that this might slow the software down. In addition, the developer must try to block all possible attack paths. Should the developer cover only one, attackers would soon find alternative ways to attack.

This new gold standard of software protection metrics evaluates the additional effort that sophisticated attacks on a given application incur due to a combination of protection techniques.

A decision support system for software protections

ASPIRE brings software protection to the next level by letting the framework assist the developer in deciding how best to protect his software assets. The programmer annotates the assets he wants to protect with their security requirements, and a Decision Support System assists the developer in selecting the protections to apply.

This system then instructs the ASPIRE tool chain to implement the selected protections, relieving programmers of selecting them manually. The Decision Support System contains expert knowledge to make such decisions. Protecting software will be a lot cheaper and faster, and programs will also be better protected.

Prototype decision system

With a first prototype of this decision support system, the project has demonstrated its enormous potential. In addition, the new methodology can be used to compare existing protection techniques and protection software packages. The ultimate outcome would be to define this method as the basis of future standards. These new standards are increasingly important given today's vulnerability of many devices such as smart TVs, Wi-Fi light bulbs, connected cars, etc.

More information:

Bjorn De Sutter, ELIS dept: 0497 88 58 22, bjorn.desutter@ugent.be

ASPIRE reports: www.aspire-fp7.eu

Videos: ASPIRE Software Protection Demonstration YouTube video channel