Empirical assessment of the effort needed to attack programs protected with client/server code splitting

Empirical assessment of the effort needed to attack programs protected with client/server code splitting

Context Code hardening is meant to fight malicious tampering with sensitive code executed on client hosts. Code splitting is a hardening technique that moves selected chunks of code from client to server. Although widely adopted, the effective benefits of code splitting are not fully understood and...

Full description

Saved in:
Bibliographic Details
Published in:Empirical software engineering : an international journal Vol. 25; no. 1; pp. 1 - 48
Main Authors: Viticchié, Alessio, Regano, Leonardo, Basile, Cataldo, Torchiano, Marco, Ceccato, Mariano, Tonella, Paolo
Format: Journal Article
Language:English
Published: New York Springer US 01-01-2020
Springer Nature B.V
Subjects:
Client server systems
Compilers
Computer Science
Hardening
Interpreters
Level (quantity)
Order parameters
Programming Languages
Software Engineering/Programming and Operating Systems
Source code
Splitting
Students
Success
Code tampering
Empirical study
Code hardening
User study
Controlled experiment
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Context Code hardening is meant to fight malicious tampering with sensitive code executed on client hosts. Code splitting is a hardening technique that moves selected chunks of code from client to server. Although widely adopted, the effective benefits of code splitting are not fully understood and thoroughly assessed. Objective The objective of this work is to compare non protected code vs. code splitting protected code, considering two levels of the chunk size parameter, in order to assess the effectiveness of the protection - in terms of both attack time and success rate - and to understand the attack strategy and process used to overcome the protection. Method We conducted an experiment with master students performing attack tasks on a small application hardened with different levels of protection. Students carried out their task working at the source code level. Results We observed a statistically significant effect of code splitting on the attack success rate that, on the average, was reduced from 89% with unprotected clear code to 52% with the most effective protection. The protection variant that moved some small-sized code chunks turned out to be more effective than the alternative moving fewer but larger chunks. Different strategies were identified yielding different success rates. Moreover we discovered that successful attacks exhibited different process w.r.t. failed ones. Conclusions We found empirical evidence of the effect of code splitting, assessed the relative magnitude, and evaluated the influence of the chunk size parameter. Moreover we extracted the process used to overcome such obfuscation technique.
ISSN:1382-3256
1573-7616
DOI:10.1007/s10664-019-09738-1