USA flag logo/image

An Official Website of the United States Government

Automatically protecting software against "diff" attacks

Award Information

Agency:
Department of Defense
Branch:
Office of the Secretary of Defense
Award ID:
71881
Program Year/Program:
2004 / SBIR
Agency Tracking Number:
O2-0243
Solicitation Year:
N/A
Solicitation Topic Code:
N/A
Solicitation Number:
N/A
Small Business Information
ARXAN RESEARCH, INC.
3000 Kent Avenue Purdue Technology Center West Lafayette, IN 47906
View profile »
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No
 
Phase 1
Fiscal Year: 2004
Title: Automatically protecting software against "diff" attacks
Agency / Branch: DOD / OSD
Contract: FA8650-04-C-8001
Award Amount: $0.00
 

Abstract:

Given two closely related pieces of software X and Y, where Y differs from X through a number of small but important (from a security point of view) modifications that were done to Y, the "diff" attack consists of comparing X and Y so as to pinpoint the fragments of code in which they differ. The differences between X and Y could include, among other things, the fact that Y contains credentials-checking mechanisms that were lacking in X, such as password protection, biometrically-based access controls, challenge-response protocol with a remote server, etc. Pinpointing those differences makes it easier for an attacker to defeat the security-related features of Y that the attacker dislikes (not only credentials-checking, but also integrity-checking and other kinds of policy-enforcement that the attacker wishes to circumvent). Re-writing Y from scratch (rather than modifying X) as a means of increasing the apparent differences between X and Y, especially if done using a different programming language, can be an effective way of thwarting this attack, but it is obviously uneconomical. It is therefore important to develop automated tools that process Y so that even the most sophisticated comparisons between X and Y reveal a large "diff set" between them, i.e., X and Y appear to be largely different even though in functionality they are essentially the same. The development of such automated tools and techniques was the main thrust of the Phase I proposal. In Phase II the team will design and develop a suite of software applications and tools, as a platform enabling resistance to "diff" attacks. This suite will include: ¿ An advanced version of the transformation engine developed in Phase I of the project. ¿ A GUI-based "score" application recommender system to assist users in building better protections. ¿ Differential analysis attack tools to evaluate the stealthiness and resilience of the transformations. ¿ A smart patch management system resistant to diff attacks. ¿ Watermarking/Fingerprinting techniques to help trace software applications.

Principal Investigator:

John Rice
Scientist
7657751004
jrice@arxan.com

Business Contact:

Eric Davis
VP, Services
7657751004
edavis@arxan.com
Small Business Information at Submission:

ARXAN TECHNOLOGIES, INC.
3000 Kent Avenue, Suite D2-100 Purdue Technology C West Lafayette, IN 47906

EIN/Tax ID: 371491384
DUNS: N/A
Number of Employees:
Woman-Owned: No
Minority-Owned: No
HUBZone-Owned: No