Four Phase Methodology for Developing Secure Software
Authors: Carlos Gonzalez-Flores, Ernesto Liñan-García
Abstract:
A simple and robust approach for developing secure software. A Four Phase methodology consists in developing the non-secure software in phase one, and for the next three phases, one phase for each of the secure developing types (i.e. self-protected software, secure code transformation, and the secure shield). Our methodology requires first the determination and understanding of the type of security level needed for the software. The methodology proposes the use of several teams to accomplish this task. One Software Engineering Developing Team, a Compiler Team, a Specification and Requirements Testing Team, and for each of the secure software developing types: three teams of Secure Software Developing, three teams of Code Breakers, and three teams of Intrusion Analysis. These teams will interact among each other and make decisions to provide a secure software code protected against a required level of intruder.
Keywords: Secure Software, Four Phase Methodology, Software Engineering, Code Breakers, Intrusion Analysis.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1112280
Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1776References:
[1] Carlos Gonzalez, Ernesto Liñan, “A Software Engineering Methodology for Developing Secure Obfuscated Software”, IET Software, Submitted, Sep-2015.
[2] David Chaboya, (20 Jun 2007) State of the Practice of Software Anti-Tamper. Air Force Research Labs Anti-Tamper and Software Protection Initiative (AT-SPI) Technology Office.
[3] Keller, John. “Anti-tamper technologies seek to keep critical military systems data in the right hands – Military & Aerospace Electronics”. Militaryaerospace.com. April-26-2010.
[4] Carlos Gonzalez, “User Detection in Secure Self-Protected Software”, Unpublished Research, Sep 2015.
[5] Denning, Dorothy E., “An Intrusion Detection Model,” Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131.
[6] Scarfone, Karen; Mell, Peter (February 2007). “Guide to Intrusion Detection and Prevention Systems (IDPS)”. Computer Security Resource Center (National Institute of Standards and Technology) (800–94).
[7] Shields, Tyler (2008-12-02). "Anti-Debugging Series - Part I". Veracode. Retrieved 2009-03-17.
[8] Barak B., O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, K. Yang, “On the (Im)possibility of Obfuscating Programs”, pp. 1–18, Advances in Cryptology– Crypto 2001, Springer LNCS 2139 (2001).
[9] Collberg C., C. Thomborson, D. Low, “A Taxonomy of Obfuscating Transformations”, Technical Report 148, Dept. Computer Science, University of Auckland (July 1997).
[10] Collberg C., C. Thomborson, D. Low, “Manufacturing Cheap, Resilient, and Stealthy Opaque Constructs”, Proc. Symp. Principles of Programming Languages (POPL’98), Jan. 1998
[11] Collberg Christian, “Surreptitious Software Exercise, Attacks, Breaking on System Functions”, Department of Computer Science, University of Arizona, February 26, 2014.
[12] dreamincode.net, “A Simple Introduction to Obfuscated Code”, http://www.dreamincode.net/forums/topic/38102-obfuscated-code-a-simple-introduction/, November 25, 2007.
[13] Cullen Linn, Saumya Debray, “Obfuscation of Executable Code to Improve Resistance to Static Disassembly” http://www.cs.arizona.edu/ ~debray/Publications/disasm-resist.pdf, Retrieved 2015-06-17.
[14] Feiman Joseph, “Runtime Self Protection: A Must Have, Emerging Security Technology”, Gartner Group, 24 April 2012.
[15] Gary McGraw, “Software Security: Building Security In”, Addison-Wesley Professional, 2006.
[16] Kenneth R. Van Wyk, Diana L. Burley, Mark G. Graff, Dan S. Peters, “Enterprise Software Security: Design Activities”, Addison-Wesley Professional, Dec 31, 2014.
[17] William Stallings, Lawrie Brown, “Computer Security: Principles and Practice”, 3rd Edition, Pearson, Jul 8, 2014.
[18] Patterson David, Armando Fox, “Engineering Software as a Service: An Agile Approach Using Cloud Computing”, Strawberry Canyon LLC, 2013.
[19] Pressman Roger S., Bruce R Maxim, “Software Engineering: A Practitioner’s Approach”, 8th edition, McGraw Hill, 2014.
[20] Somerville Ian, “Software Engineering”, 9th edition, Addison-Wesley, 2011.
[21] McConnell Steve, “Code Complete: A Practical Handbook of Software Construction”, 2nd Edition, Microsoft, 2004.
[22] Fowler Martin, Kent Beck, John Brant, William Opdyke, Don Roberts, “Refactoring: Improving the Design of Existing Code”, Boch Jacobson Rumbaugh, 1999.
[23] Aucsmith D., “Tamper Resistant Software: An Implementation”, Proc. 1st International Information Hiding Workshop (IHW), Cambridge, U.K. 1996, Springer LNCS 1174, pp. 317-333 (1997).
[24] Kenter Arjan, “Obfuscation” http://www.kenter.demon.nl/ obfuscate.html, Retrieved February 22, 2014
[25] Mateas Michael; Nick Montfort. “A Box, Darkly: Obfuscation, Weird Languages, and Code Aesthetics”. Proceedings of the 6th Digital Arts and Culture Conference, IT University of Copenhagen, 1–3 December 2005. Pp. 144–153.
[26] Toshio Ogiso, Sakabe Yusuke, Soshi Masakazu, Miyaji Atsuko, “Software Obfuscation on a Theoretical Basis and its Implementation”, IEEE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, January 2003, 176-186.
[27] Amit Sahai, et al., “Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits”, http://eprint.iacr.org/2013/451.pdf, 2013
[28] Amit Sahai and Brent Waters “How to Use Indistinguishability Obfuscation: Deniable Encryption, and More”, http://eprint.iacr.org/2013/454.pdf, 2013