Automatic Selection of Protections to Mitigate Risks Against Software Applications
Daniele Canavese, Leonardo Regano, Bjorn De Sutter, Cataldo Basile

TL;DR
This paper presents a game-theoretic approach for automatically selecting software protections to mitigate risks, optimizing defense strategies against attacks while maintaining application usability.
Contribution
It introduces a formal model for protection decision-making, including the novel Software Protection Index, and demonstrates its effectiveness through implementation and expert validation.
Findings
The approach effectively balances security and usability.
The Software Protection Index improves protection assessment.
Automated protection selection is practical and efficient.
Abstract
This paper introduces a novel approach for the automated selection of software protections to mitigate MATE risks against critical assets within software applications. We formalize the key elements involved in protection decision-making - including code artifacts, assets, security requirements, attacks, and software protections - and frame the protection process through a game-theoretic model. In this model, a defender strategically applies protections to various code artifacts of a target application, anticipating repeated attack attempts by adversaries against the confidentiality and integrity of the application's assets. The selection of the optimal defense maximizes resistance to attacks while ensuring the application remains usable by constraining the overhead introduced by protections. The game is solved through a heuristic based on a mini-max depth-first exploration strategy,…
