Software Exploitation and Software Protection Measures Enhancing Software Protection via Inter-Process Control Flow Integrity
Authors
Oyinloye, Toyosi A.
Advisors
Speakman, Lee
Eze, Thaddeus
John, Nigel
Publication Date
2023-08
Abstract
Computer technologies hinge on the effective functionality of the software component. Unfortunately, software code may have flaws that cause it to be vulnerable and exploitable by attackers. Software exploitation could involve a hijack of the application and deviation of the flow of its execution. Whenever this occurs, the integrity of the software and the underlying system could be compromised. For this reason, there is a need to continually develop resilient software protection tools and techniques. This report details an in-depth study of software exploitation and software protection measures. Efforts in the research were geared towards finding new protection tools for vulnerable software. The main focus of the study is on the problem of Control Flow Hijacks (CFH) against vulnerable software, particularly for software that was built and executed on the RISC-V architecture. Threat models that were addressed are buffer overflow, stack overflow, return-to-libc, and Return Oriented Programming (ROP). Whilst the primary focus for developing the new protection was on RISC-V-based binaries, programs that were built on the more widespread x86 architecture were also explored comparatively in the course of this study. The concept of Control Flow Integrity (CFI) was explored in the study and a proof-of-concept for mitigating ROP attacks that result in Denial of Service is presented. The concept of CFI involves the enforcement of the intended flow of execution of a vulnerable program. The novel protection is based on the CFI concept combined with Inter-process signalling (named Inter-Process Control Flow Integrity (IP-CFI)). This technique is orthogonal to well-practised software maintenance such as patching/updates and is complementary to it, providing integrity regardless of exploitation path/vector.
In evaluating the tool, it was applied to vulnerable programs and found to promptly identify deviations in vulnerable programs when ROP attacks lead to DoS with an average runtime overhead of 0.95%. The system on which the software is embedded is also protected as a result of the watchdog in the IP-CFI where this kind of attack would have progressed unnoticed. Unlike previous CFI models, IP-CFI extends protection outside the vulnerable program by setting up a mutual collaboration between the protected program and a newly written monitoring program. Products derived in this study are software tools in the form of various Linux scripts that can be used to automate several functionalities, two RISC-V ROP gadget finders (RETGadgets & JALRGadget), and the software protection tool IP-CFI. In this report, software is also referred to as binary, executable, application, program or process.
Citation
Oyinloye, Toyosi A. (2023). Software Exploitation and Software Protection Measures Enhancing Software Protection via Inter-Process Control Flow Integrity [Unpublished doctoral thesis]. University of Chester.
Publisher
University of Chester
Type
Thesis or dissertation
Language
en
The following license files are associated with this item:
- Creative Commons
Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivatives 4.0 International