Automatically protecting software against "diff" attacks

Award Information
Agency: Department of Defense
Branch: Air Force
Contract: FA8650-04-C-8001
Agency Tracking Number: O2-0243
Amount: $749,494.00
Phase: Phase II
Program: SBIR
Awards Year: 2004
Solicitation Year: 2003
Solicitation Topic Code: OSD03-001
Solicitation Number: 2003.2
Small Business Information
3000 Kent Avenue, Suite D2-100 Purdue Technology C, West Lafayette, IN, 47906
DUNS: 149171303
HUBZone Owned: N
Woman Owned: N
Socially and Economically Disadvantaged: N
Principal Investigator
 John Rice
 Scientist
 (765) 775-1004
 jrice@arxan.com
Business Contact
 Eric Davis
Title: VP, Services
Phone: (765) 775-1004
Email: edavis@arxan.com
Research Institution
N/A
Abstract
Given two closely related pieces of software X and Y, where Y differs from X through a number of small but important (from a security point of view) modifications that were done to Y, the "diff" attack consists of comparing X and Y so as to pinpoint the fragments of code in which they differ. The differences between X and Y could include, among other things, the fact that Y contains credentials-checking mechanisms that were lacking in X, such as password protection, biometrically-based access controls, challenge-response protocol with a remote server, etc. Pinpointing those differences makes it easier for an attacker to defeat the security-related features of Y that the attacker dislikes (not only credentials-checking, but also integrity-checking and other kinds of policy-enforcement that the attacker wishes to circumvent).

Re-writing Y from scratch (rather than modifying X) as a means of increasing the apparent differences between X and Y, especially if done using a different programming language, can be an effective way of thwarting this attack, but it is obviously uneconomical. It is therefore important to develop automated tools that process Y so that even the most sophisticated comparisons between X and Y reveal a large "diff set" between them, i.e., X and Y appear to be largely different even though in functionality they are essentially the same. The development of such automated tools and techniques was the main thrust of the Phase I proposal.

In Phase II the team will design and develop a suite of software applications and tools, as a platform enabling resistance to "diff" attacks. This suite will include:
· An advanced version of the transformation engine developed in Phase I of the project.
· A GUI-based "score" application recommender system to assist users in building better protections.
· Differential analysis attack tools to evaluate the stealthiness and resilience of the transformations.
· A smart patch management system resistant to diff attacks.
· Watermarking/Fingerprinting techniques to help trace software applications.

* Information listed above is at the time of submission. *
