SUPERVISOR: DR. ABDUL GHAFOOR COMMITTEE MEMBERS: DR. SEAD MUFTIC DR. NAZAR ABBAS SAQIB MR. MOHSAN JAMEEL Pluggable Architecture for Source Code Protection.

SUPERVISOR: DR. ABDUL GHAFOOR

COMMITTEE MEMBERS: DR. SEAD MUFTIC

DR. NAZAR ABBAS SAQIB MR. MOHSAN JAMEEL

Pluggable Architecture for Source Code Protection

Noor YasinMS-CCS4

Thesis Proposal

Introduction

Introduction

Source code security is the biggest concern in the IT industry these days.

Lack of source code security techniques might result into great finical or data loss.

Software development companies are concerned about there source code security, security of the binaries and its property rights.

Furthermore, they are interested to develop self verifiable code againt tempering.

Introduction: Scenario 1

A person opens IDE to develop some software. He has to go somewhere so he save the desire changes and closes the IDE. He lefts he PC unlocked because he things his going to be back in few mints or he trust’s his colleagues. One of his colleague just copies the files/folder from his PC. He can open this project with his IDE without any authentication.

Anyone launching IDE can view all previous projects

Shared Environment (e.g Universities, Offices, Software Houses etc )

Introduction: Scenario 2

An hacker launches a Botnet on your machine that just grabs the source code files and sends it to some remote machine. Because these files are in plain form so they can be opened without any extra effort.

Current Problems 1

Source code available in plain form Anyone running the IDE can view the code Some malicious activity running at backend

can steal the source code

Will result a great finical loss

Current Problems 2

Binary files can be reversed engineered to generate source code.

When the source code is generated it can be used to make a similar product

Understanding of the algorithm(Steal idea) Bypass license checks (Patching) Might be used to added some unwanted

features in the same product and then make it available to the public

Literature Review

RESEARCH ON A NORMAL FILE ENCRYPTION AND DECRYPTION

Guy-Armand Yandji, Lui Lian Hao, Amir-Eddine Youssouf, Jules Ehoussou

The International Conference on Computer and Management (CAMAN),Wuhan,China,19-21 May 2011.

This paper tells the strategy used to apply the encryption methods of the AES and MD5.

The outcome of file that will as a result be hashed and strongly encrypted through the software.

The strategy used in encryption process is composed of 4 main elementsi.e. The flag, The keys hash, The status Encrypted, The Encrypted data

The decryption process is also composed of 4 main elements that are Verification of flag, Verification of password, Application of MD5, Application of AES

Theme:-

Using of the hybrid algorithm to apply encryption (i.e. MD5 and AES) Kerchoff principle is followed File encryption runtime was evaluated

Analysis:-

AOP-BASED J2EE SOURCE CODE PROTECTION

The authors discussed about the flexibility of java language in which protection becomes difficult. Anyone using a decompiled(Such as JAD) can easy extract source code from binary files. Two techniques that are suggested for protection are obfuscation and class file encryption. The author discuss about the problem that arises when we encrypt J2EE applications. As we have encrypted the class files but JSP pages invoke some of these classes. So it throws an exception. They gave a solution of making skeleton class. The skeleton class preserves the package and class name, the method’s signature and necessary fields of original class, but omits the body of these methods. Idea is to produce a skeleton class, then embed the encrypted class file data into it. Finally, output this skeleton class and replace the original class by it.

Theme:-

Xiufeng Zhang, Qiaoyan Wen

International Conference on Computational Intelligence and Security Workshops,

Harbin, Heilongjiang, China, 15-19 Dec. 2007.

Analysis:- Idea is only discussed with no particular implementation

POLYMORPHIC ALGORITHM OF JAVASCRIPT CODE PROTECTION

The paper discussed about the difficulty in protecting JavaScript source code then Java or C/C++ programs. JavaScripts codes cant be compiled to byte or binary codes. Javascript source codes have to be executed by the web browsers, such as Internet Explorer and Firefox. Javascript source codes have to be downloaded by the browser So, each browser has the chance to see Javascript source codes. That’s the difficulty of protecting Javascript codes. The author’s presented a “Perhelion” encryption algorithm that is used to encrypt JavaSripts.

Theme:-

Jiancheng Qin, Zhongying Bai, Yuan Bai

International Symposium on Computer Science and Computational Technology,

Shanghai, China, 20-22 Dec. 2008.

Analysis:- The working and implementation of Perhelion” encryption algorithm was discussed in a very hard way. No results were shown

A KEY HIDING BASED SOFTWARE ENCRYPTION PROTECTION SCHEME

Jain Jun Hu, Qiaoyan Wen, Wen Tang, Ai-Fen SuiIEEE 13th International Conference on Communication Technology (ICCT), Jinan ConventionCenter, Jinan, China, 719-722, 25 -28 Sep 2011.

The paper tells about the method to encrypt the software executables and provide an efficient solution from preventing the executables from decompiling and reverse engineering.

They suggest that before releasing any software the vendors should encrypt it using this encryption algorithm.

Theme:-

CRYPTEX MODEL FOR SOFTWARE SOURCE CODE

The paper presentenced a CRYPTEX model to safely protect software source code. The CRYPTEX business model system components can be divided into the subject which is the developer, the object which is the CRYPTEX, and the verification facility.

Theme:-

ByungRae Cha

International Conference on Information Security and Assurance, Busan, Korea , 24-26 April 2008.

Thesis Research

Research Statement

To provide a pluggable architecture for the protection of source code and binaries during the development/building phase. The plug-in will be automatically integrated with the environment to provide source code integrity, encryption and key management in a collaborative environment.

Why Secure development environment?

Greatest need of the IT industry Great financial loss to the software companies Confidentiality of the source code Protection of the binary files

Security Requirement ‘s

Authentication AuthorizationKey Management

1.Save a project

When the user launches the IDE he has been authenticated.

A) Self Key management

B) Team Authorization Key Management

2.Open a project

A) Self Key management B) Team Authorization Key Management C)New Key management

3.Execute

A) Self Key Management

Existing Technology

Existing Software's to Encrypt Files

They are lot’s of software’s that are available on the internet to encrypt files. Some of them are listed below

MEO is file encryption software for Mac or Windows that will encrypt or decrypt files of any type

Encrypt Files is FREE program. With Encrypt Files you can protect your files and folders from unauthorized viewing. Make files hidden after encryption.

SensiGuard 3.1KetuFile 1.1.2SafeBit Disk Encryption

Existing Software's to Encrypt Binaries

EXE Special Encryption Tool 9.0 Encrypt exe with password protected, number of opening allowed, the time of opening and the expiry date.

Exe Guarder is designed from preventing exe-file from unauthorized launch

Akala EXE Lock can protect any executable file from non-authorized execution

TimeLine

Timeline

Activity To be completed by

Literature review September 2012 TH-1 form submission 24th September 2012

Proposal defense Jan 2013 System design and

architecture Feb/March 2013Implementation March 2013 Testing and evaluation May 2013 Thesis writing June 2013 Final Defense July 2013

Question’s & Suggestions