There is an increasing need for Software Security and Protection due to the growing sensitivity of user data coupled with the ubiquitous nature of computing systems ranging from tiny embedded devices to powerful data centers.
The International Summer School on Information Security and Protection (ISSISP) highlights this need by bringing internationally renowned speakers from diverse fields in Computer Science such as Software Engineering, Formal Methods, Computer Architecture, Operating Systems and Compiler design into Software Security and Protection.
ISSISP is historically centered on MATE (Man-At-The-End) attack scenarios, with a strong focus on obfuscation and reverse engineering. The 2017 edition will additionally cover control-flow hijacking issues as well as software protections against hardware attacks.
Topics to be covered range from code obfuscation, software watermarking, tamper-proofing to software protection, formal methods, malware analysis and hardware-based attacks. ISSISP's courses will include both lectures and hands-on sessions.
Scientific advisory board
Christian Collberg, University of Arizona
Jack Davidson, University of Virginia
Bjorn De Sutter, Ghent University
Roberto Giacobazzi, Università di Verona
Yuan Xiang Gu, Irdeto
Arun Lakhotia, University of Louisiana
Organization
Sébastien Bardin, CEA LIST
Richard Bonichon, CEA LIST
National coordination
Marie-Laure Potet, Verimag
Analysis of malware introduces new challenges that are not present when analyzing programs in the normal context. Besides the fact that the programs are in a binary form, they are explicitly created to defeat analysis by hiding behind undecidability. Nonetheless, I will show that program analysis methods can indeed be used to answer a variety of questions related to malware. For instance, by relaxing the requirements of safety one can use program analysis to provide semantics-based “features” to a machine learner. Similarity analysis is a key tool for understanding and querying big-data of code, in particular in the context of malware analysis and mitigation. We will provide an end-to-end experience in analyzing malware binaries, extracting semantic features, and using those in a machine learner to find similar malware in a repository. We will use these hands-on exercises to also highlight opportunities and challenges for further research, and introduce you to the state-of-the-art technologies to get started.
I am a full-time Professor in the department of Computer Science, University at Louisiana, Lafayette, USA. I earned my Ph.D. degree in Computer Science from the Case Western Reserve University in 1990. My research interests are malware analysis and autonomous vehicles.
Lecture 1: Anti-deobfuscation techniques
In the first part of this lecture, we will study the most powerful deobfuscating attacks, including both methods deployed today by industrial penetration testers and state-of-the-art academic methods such as debugging, pointer chaining, tracing, pattern matching, symbolic execution, and generic de-obfuscation techniques. In the second part of the lecture, we will discuss some advanced defenses against these attacks, such as more advanced obfuscations, but also anti-taint techniques, anti-debugging techniques, anti-tracing techniques, anti-tampering techniques, and code mobility and renewability.
Lecture 2: Protection Evaluation
In the first part of this lecture, we will address important aspects of software protection strength, such as potency, resilience, and stealth. What are they, when do they matter, why do they matter, how can we measure them? We will also discuss techniques to model the relation between attacks and protections. In the second part of the lecture, we will discuss do’s and don’ts of penetration testing experiments, i.e., experiments in which attackers are asked to attack protected code to learn about the level of protection that is achieved. There are quite some pitfalls to avoid in order to end up with meaningful results.
Bjorn De Sutter is associate professor in the Computer Systems Lab at the Faculty of Engineering and Architecture of Ghent University. He got both his MSc and his PhD from Ghent University, in 1997 and 2002 respectively. Amongst others, he teaches courses on Compilers, and on Software Hacking and Protection, which are also his major research interests. The focus of his compiler technology research is on increasing the productivity of programmers by automating necessary tasks for non-functional requirements, incl. the protection of software against all kinds of attacks. His more than 80 peer-reviewed publications cover protections against fault injection attacks, against tampering attacks, against reverse engineering attacks, against memory exploit attacks, against patch-based attacks, and against timing side channel attacks. He coordinated the EU FP7 STREP ASPIRE (Advanced Software Protection: Integration, Research, and Exploitation), which was evaluated by the EC as excellent in Feb. 2017, and participated in numerous other national and international projects. He received the Annual FWO Barco Award in 1998 for his Master thesis, and is the recipient of a 2013 HiPEAC Technology Transfer Award.
We will look at traditional ways of obfuscating code, i.e. ways to make software harder to understand and analyze. There will be a significant hands-on practical component to this part of the course, where we will obfuscate code using automatic tools.
Christian Collberg is a Professor at the Department of Computer Science at the University of Arizona. He got his PhD from Lund University, Sweden and taught at University of Auckland, New Zealand, before joining Arizona. His current research interests lie in the protection of software from reverse engineering and tampering, as well as in the reproducibility of computer science research (see FindResearch.org). He is the author of "Surreptitious Software, Obfuscation, Watermarking, and Tamperproofing for Software Protection".
In this course we will focus on side channel attacks. We will first show how and why these attacks are powerful and effective, especially against embedded devices. We will present the main principles of countermeasures currently used in secured systems, and discuss the metrics for measuring the effectiveness of such countermeasures. As time permits, we will discuss at the end of the course solutions to automate the applications of such countermeasures at the software level.
Damien Couroussé has been a research engineer at CEA (Commissariat à l’Énergie Atomique et aux Énergies Renouvelables) since 2011. He received his PhD in 2008 from INPG (Institut National Polytechnique de Grenoble) in Engineering of Cognition Creation and Learning, working on embedded computing architectures for virtual reality and multisensory systems, and spent two years in the industry at Logica CMG as an expert in Linux and embedded systems. His research focuses on compilation and runtime code generation for performance and cybersecurity. He has contributed to several European collaborative projects, and is coordinator of the COGITO project (ANR INS 2013).
I am Professor of Computer Science at the University of Virginia. I received my Ph.D. from the University of Arizona in 1981 and joined the University of Virginia in 1982. Over the years, I have worked in many areas including compilers, embedded systems, high-performance computing, and computer security. My current research focus is on software protection and computer security. In the area of software security, my group has developed dynamic methods to prevent adversaries from compromising intellectual property. In the area of computer security, we have developed methods for "hardening" binaries to make them impervious to cyber attack. In 2014–2016, I led a team at the University of Virginia that competed in the DARPA Cyber Grand Challenge (CGC), a contest to build an autonomous supercomputer to automatically analyze vulnerable binaries and patch them, all without human intervention. Our entry, produced in collaboration with Grammatech, Inc., finished second, winning a $1M prize. I am also leading a DARPA project, "Double Helix: High Assurance N-variant Systems." Double Helix is a binary analysis and transformation system that processes binary applications and produces variants with diverse binary structures that are intended to be deployed within a multi-variant system. A unique aspect of Double Helix is that it employs structured diversity to guarantee that variants behave differently, yielding high-assurance systems. Both CGC and Double Helix rely on high-precision binary analysis and rewriting to reverse engineer and transform binaries.
Josselin Feist is a Senior Security Engineer at Trail of Bits where he works on the design and implementation of program analysis techniques. He holds a Ph.D. in static analysis and symbolic execution. At Trail of Bits, he brings his experience on adapting theoretical methods to practical problems. Josselin has spoken at both academic and industrial conferences.
In this course I will introduce the basics of code obfuscation, starting from its formal definition towards the impossibility result on universal Virtual Black-Box obfuscation of a generic Turing Machine. We then see how to weaken this result in order to have possibility results for restricted models of attack on SW systems, specified as automatic program analysis tools and algorithms. We will see through some examples how obfuscation can become possible against an attacker specified as an interpreter and how virtualisation provides the best strategy to protect your code against automated program analysis.
Roberto Giacobazzi was born in 1964 in Modena, Italy. He received the Laurea degree in Computer Science in 1988 from the University of Pisa, and in 1993 he received the Ph.D. in Computer Science from the same university. From 1993 to 1995 he had a Post Doctoral Research position at Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot. From 1995 to 1998 he was (tenured) Assistant Professor in Computer Science at the University of Pisa. From 1998 to 2000 he was Associate Professor at the University of Verona. Since May 2000 he has been Full Professor in Computer Science at the University of Verona. The research interests of Roberto Giacobazzi include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory.
What happens if your program is not executed as it should, if some instructions are not executed? Here comes the world of fault injection attacks, where all your assumptions on the adversary's capabilities tumble down. Fault attacks have mainly been used to break cryptographic algorithms in the past, but we will see how they can also be used in relation with software attacks against embedded systems (Phones, IoT, set-top boxes...). Of course, what we can do to protect ourselves will be discussed as well as the impact of modern technologies (complex SoC, TrustZone, ...). Finally, we will try to analyze some pieces of software to spot vulnerabilities wrt fault attacks and discuss what can be automated by tools and what would be hard to achieve automatically.
Ronan Lashermes is a postdoctoral researcher at INRIA Rennes, in the LHS lab. An engineer from Grenoble-INP Phelma, he finished a Ph.D. with the CEA and the UVSQ in 2014, then worked in a startup to develop physical attack benches for device evaluation. He later joined INRIA and the LHS lab for a postdoc on fault attacks. He is interested in the security of embedded systems and hardware components and how the abstraction barriers (mathematics/software, hardware/software) can be exploited to compromise a device.
Dr. Sébastien Bardin is a Researcher in the Department of Computer Science at CEA Paris-Saclay, where he leads the binary-level security group at CEA LIST, with a focus on program analysis, formal methods and automated reasoning. For a few years now, Sébastien has been interested in automating software-level security analysis by lifting formal methods developed for the safety-critical industry. In particular, he focuses on binary-level formal methods, vulnerability detection & assessment, and malware deobfuscation -- he is the main designer of the open-source BINSEC platform for binary-level code analysis. Sébastien regularly publishes articles in top-tier international conferences in Formal Methods, Software Engineering, and Security. He has served as a PI for several research projects on binary-level security analysis and he is regularly invited to international events and to security-related summer schools. Sébastien received his Ph.D. in Computer Science from École Normale Supérieure de Cachan in 2005.
Whether for business or personal use, untrusted environments have become more dominant in the digital world, from consumer devices to home networks, to the public Internet, to the cloud and web services, and to the Internet of Things, where traditional security models are inadequate to address emerging threat models and attacks. Wireless connectivity has quickly gained popularity in recent years and provides anything/anytime/anywhere connection to content playback, e-mail, instant messaging, online gaming and shopping, mobile banking, mobile payment, weather and travel information, connected and autonomous vehicles and many other digital services. All of this makes white-box security and digital asset protection much more challenging. This course describes and discusses white-box software attack scenarios and security patterns (that are abstracted from many application domains in terms of use cases, vulnerability and threat analysis, and security solutions), and the security lifecycle of digital asset applications mandating protection from creation, through distribution, and ultimately to consumption once deployed in the field. Also, we introduce homomorphic obfuscation technology and detail certain software protection technologies currently on the market as a guide to the state of the art including. This course is structured in two sessions: 1) a course lecture; 2) a panel hosting a group of industrial experts to present, discuss and explore some of the most interesting software and information protection issues in emerging markets.
Mr. Gu was the co-founder of Cloakware Corporation that. In 2007, Cloakware was acquired by Irdeto. Since then, as a chief architect and a senior research director of Irdeto, Mr. Gu has also been leading the development of next generation Cloakware technology, and research collaboration with research communities worldwide. Mr. Gu has been invited to and visited over 40 universities and research institutes in North America, Europe and Asia, has organized international security forums (workshops, summer schools, and association), and has become an active speaker at many international conferences and workshops to promote software security and protection. Mr. Gu was invited to be a guest professor of Northwest University in China. As a native Chinese, Mr. Gu often represents Irdeto in many business development and research collaboration activities in China. Prior to joining Cloakware, Mr. Gu worked as a senior scientist and architect at Nortel Networks. Previously, Mr. Gu was a visiting professor at the Computer Science School of McGill University in Montreal, Canada, between 1988 and 1990. Before relocating to Canada, Mr. Gu was a professor in the Computer Science Department at Northwest University in China. Mr. Gu received the First Outstanding Young Scientists Foundation Award from the Chinese Academy of Sciences in 1985, has about four decades of software research and development knowledge and expertise, and has published more than two dozen patents and patent applications.
The venue is accessible from Paris by public transport using the RER B line. From the Gif-sur-Yvette station, it is a 15-minute walk.
From Roissy-Charles de Gaulle airport: Take RER B direction Saint-Rémy-lès-Chevreuse, stop at Gif-sur-Yvette.
From Orly airport: Take Orlyval to Antony, then RER B direction Saint-Rémy-lès-Chevreuse, stop at Gif-sur-Yvette.