Man-at-the-End Software Protection as a Risk Analysis Process
Daniele Canavese, Leonardo Regano, Cataldo Basile, Bart Coppens, Bjorn De Sutter

TL;DR
This paper advocates for adopting a standardized risk management approach, based on NIST guidelines, to improve the security of software against Man-at-the-End attacks, including a prototype decision support system.
Contribution
It introduces a formalized, automatable risk analysis process for MATE software protection, with a prototype decision support tool validated by industry experts.
Findings
The proposed process can be formalized and automated.
The prototype aids decision making in industrial settings.
Open issues for further research are identified.
Abstract
Recent years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, with security-through-obscurity omnipresent in the field. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) of a decision support system that automates many activities in the risk analysis methodology towards the protection of…
Taxonomy
Topics: Information and Cyber Security · Safety Systems Engineering in Autonomy · Software Reliability and Analysis Research
