270 likes | 399 Views
Thesis Proposal. Pluggable Architecture for Source Code Protection. Noor Yasin MS-CCS4. Supervisor: Dr. Abdul Ghafoor Committee Members: Dr. Sead Muftic Dr. Nazar Abbas Saqib Mr. Mohsan Jameel. Introduction. Introduction.
E N D
Thesis Proposal Pluggable Architecture for Source Code Protection NoorYasin MS-CCS4 Supervisor: Dr. Abdul Ghafoor Committee Members: Dr. SeadMuftic Dr. NazarAbbasSaqib Mr. MohsanJameel
Introduction • Source code security is the biggest concern in the IT industry these days. • Lack of source code security techniques might result into great finical or data loss. • Software development companies are concerned about there source code security, security of the binaries and its property rights. • Furthermore, they are interested to develop self verifiable code againt tempering.
Introduction: Scenario 1 A person opens IDE to develop some software. He has to go somewhere so he save the desire changes and closes the IDE. He lefts he PC unlocked because he things his going to be back in few mints or he trust’s his colleagues. One of his colleague just copies the files/folder from his PC. He can open this project with his IDE without any authentication. • Anyone launching IDE can view all previous projects • Shared Environment (e.g Universities, Offices, Software Houses etc )
Introduction: Scenario 2 An hacker launches a Botnet on your machine that just grabs the source code files and sends it to some remote machine. Because these files are in plain form so they can be opened without any extra effort.
Current Problems 1 • Source code available in plain form • Anyone running the IDE can view the code • Some malicious activity running at backend can steal the source code • Will result a great finical loss
Current Problems 2 • Binary files can be reversed engineered to generate source code. • When the source code is generated it can be used to make a similar product • Understanding of the algorithm(Steal idea) • Bypass license checks (Patching) • Might be used to added some unwanted features in the same product and then make it available to the public
RESEARCH ON A NORMAL FILE ENCRYPTION AND DECRYPTION Theme:- Guy-Armand Yandji, LuiLianHao, Amir-EddineYoussouf, Jules Ehoussou The International Conference on Computer and Management (CAMAN),Wuhan,China, 19-21 May 2011. • This paper tells the strategy used to apply the encryption methods of the AES and MD5. • The outcome of file that will as a result be hashed and strongly encrypted through the software. • The strategy used in encryption process is composed of 4 main elements • i.e. The flag, The keys hash, The status Encrypted, The Encrypted data • The decryption process is also composed of 4 main elements that are Verification of flag, Verification of password, Application of MD5, Application of AES Analysis:- • Using of the hybrid algorithm to apply encryption (i.e. MD5 and AES) • Kerchoff principle is followed • File encryption runtime was evaluated
AOP-BASED J2EE SOURCE CODE PROTECTION Theme:- • The authors discussed about the flexibility of java language in which protection • becomes difficult. • Anyone using a decompiled(Such as JAD) can easy extract source code from • binary files. • Two techniques that are suggested for protection are obfuscation and class file • encryption. • The author discuss about the problem that arises when we encrypt J2EE • applications. As we have encrypted the class files but JSP pages invoke some • of these classes. So it throws an exception. • They gave a solution of making skeleton class. The skeleton class preserves the • package and class name, the method’s signature and necessary fields of • original class, but omits the body of these methods. • Idea is to produce a skeleton class, then embed the encrypted class file data • into it. Finally, output this skeleton class and replace the original class by it. Analysis:- • Idea is only discussed with no particular implementation Xiufeng Zhang, Qiaoyan Wen International Conference on Computational Intelligence and Security Workshops, Harbin, Heilongjiang, China, 15-19 Dec. 2007.
POLYMORPHIC ALGORITHM OF JAVASCRIPT CODE PROTECTION Theme:- • The paper discussed about the difficulty in protecting JavaScript source code then • Java or C/C++ programs. • JavaScripts codes cant be compiled to byte or binary codes. • Javascript source codes have to be executed by the web browsers, such as Internet • Explorer and Firefox. • Javascript source codes have to be downloaded by the browser So, each browser has • the chance to see Javascript source codes. That’s the difficulty of protecting • Javascript codes. • The author’s presented a “Perhelion” encryption algorithm that is used to encrypt • JavaSripts. Analysis:- • The working and implementation of Perhelion” encryption algorithm was discussed in a very hard way. • No results were shown Jiancheng Qin, Zhongying Bai, Yuan Bai International Symposium on Computer Science and Computational Technology, Shanghai, China, 20-22 Dec. 2008.
A KEY HIDING BASED SOFTWARE ENCRYPTION PROTECTION SCHEME Theme:- Jain Jun Hu, QiaoyanWen, Wen Tang, Ai-Fen Sui IEEE 13th International Conference on Communication Technology (ICCT), Jinan Convention Center, Jinan, China, 719-722, 25 -28 Sep 2011. • The paper tells about the method to encrypt the software executables and provide an efficient solution from preventing the executables from decompiling and reverse engineering. • They suggest that before releasing any software the vendors should encrypt it using this encryption algorithm.
CRYPTEX MODEL FOR SOFTWARE SOURCE CODE Theme:- • The paper presentenced a CRYPTEX model to safely protect software source code. The CRYPTEX business model system components can be divided into the subject which is the developer, the object which is the CRYPTEX, and the verification facility. ByungRae Cha International Conference on Information Security and Assurance, Busan, Korea , 24-26 April 2008.
Research Statement To provide a pluggable architecture for the protection of source code and binaries during the development/building phase. The plug-in will be automatically integrated with the environment to provide source code integrity, encryption and key management in a collaborative environment.
Why Secure development environment? • Greatest need of the IT industry • Great financial loss to the software companies • Confidentiality of the source code • Protection of the binary files
Security Requirement ‘s • Authentication • Authorization • Key Management
1.Save a project When the user launches the IDE he has been authenticated. A) Self • Key management B) Team • Authorization • Key Management
2.Open a project A) Self • Key management B) Team • Authorization • Key Management C)New • Key management
3.Execute A) Self • Key Management
Existing Software's to Encrypt Files They are lot’s of software’s that are available on the internet to encrypt files. Some of them are listed below • MEO is file encryption software for Mac or Windows that will encrypt or decrypt files of any type • Encrypt Files is FREE program. With Encrypt Files you can protect your files and folders from unauthorized viewing. Make files hidden after encryption. • SensiGuard 3.1 • KetuFile 1.1.2 • SafeBit Disk Encryption
Existing Software's to Encrypt Binaries • EXE Special Encryption Tool 9.0 Encrypt exe with password protected, number of opening allowed, the time of opening and the expiry date. • Exe Guarder is designed from preventing exe-file from unauthorized launch • Akala EXE Lock can protect any executable file from non-authorized execution
Timeline Activity To be completed by • Literature review September 2012 • TH-1 form submission 24th September 2012 • Proposal defense Jan 2013 • System design and architecture Feb/March 2013 • Implementation March 2013 • Testing and evaluation May 2013 • Thesis writing June 2013 • Final Defense July 2013