We started this PhD research with a thorough study of obfuscation and diversification techniques, which was published as a Systematic Literature Review (SLR) (Publication I) [33]. As a result of this SLR, we identified research gaps that became directions for further research. One finding of the SLR concerned execution environments that could benefit from the studied software security techniques, obfuscation and diversification, but had not been covered in the literature. Therefore, we looked into the possibility of applying these techniques in IoT and cloud computing, as these two execution environments are very commonly used nowadays and a vast number of security attacks target them.
[Diagram labels: Publication I to Publication VI; Internet of Things; Cloud Computing; security; trust.]
Publication I: Using Diversification and Obfuscation Techniques for Software Security: A Systematic Literature Review
Publication II: Obfuscation and Diversification for Securing Cloud Computing
Publication III: Security in Container-based Virtualization through vTPM
Publication IV: Security in the Internet of Things through Obfuscation and Diversification
Publication V: Interface Diversification in IoT Operating Systems
Publication VI: Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow Randomization
Figure 3.2: Relationship of the publications with each other in this dissertation.
Figure 3.2 shows the relation of the publications included in this dissertation. After Publication I, the research continued along two different themes, cloud computing and the Internet of Things. In the first theme, we first studied the enhancement of security in the cloud through the obfuscation and diversification software security techniques (Publication II), and then studied the enhancement of trust in the cloud by utilizing trusted computing technology as a hardware-based approach (Publication III). We then continued the same theme by combining these directions to provide security and trust in cloud computing through the use of obfuscation and diversification together with the TEE provided by Intel SGX.
The results we obtained in each of these publications helped us answer the research questions set in this dissertation (RQ1 - RQ4). Figure 3.3 illustrates the relationship of the publications and the research questions.
[Diagram labels: RQ1 to RQ4; Publication I to Publication VI.]
Publication I: Using Diversification and Obfuscation Techniques for Software Security: A Systematic Literature Review
Publication II: Obfuscation and Diversification for Securing Cloud Computing
Publication III: Security in Container-based Virtualization through vTPM
Publication IV: Security in the Internet of Things through Obfuscation and Diversification
Publication V: Interface Diversification in IoT Operating Systems
Publication VI: Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow Randomization
RQ1: How can software diversification and code obfuscation improve the security of software?
RQ2: How can we enhance the level of security and trust in cloud computing through obfuscation, diversification and trusted computing and TEE technologies?
RQ3: How can we enhance the level of security in IoT through obfuscation and diversification technologies?
RQ4: How can we combine the software security techniques with hardware-backed solutions to introduce a robust security measure?
Figure 3.3: Relationship of the research questions and the publications included in this dissertation.
We answered RQ1 through a comprehensive systematic literature review (Publication I). This review presented classifications of the various available obfuscation and diversification techniques, the target language and environment of obfuscation/diversification, the level of software development life-cycle in which the techniques were applied, and the types of security attacks that could be mitigated through the use of these techniques. The research gaps in this area and the potential uncovered research directions led us to our next publications.
To answer RQ2, we took two different directions: in the first, we studied the application of obfuscation and diversification in cloud computing as software-based security approaches, and in the second, we studied the use of trusted computing and TEE technologies in cloud computing as a hardware-based security approach. In the former direction, we surveyed how obfuscation and diversification techniques have previously been used in cloud computing, and then we proposed and applied these techniques on the client-side web application (Publication II). In the latter direction, we studied the use of TPM as a trusted hardware technology and proposed the use of virtual TPM in a container-based virtualization setting (Publication III). The combination of these two directions is reflected in Publication VI, where we use obfuscation as a software-based security solution, backed by hardware-based security guarantees from Intel SGX. There, we applied control-flow obfuscation to the enclave programs of the Intel SGX architecture to mitigate branch-shadowing side-channel attacks.
We answered RQ3 by studying the vulnerable points of IoT environments and proposing the application of obfuscation and diversification techniques to improve the security of IoT at two different layers: at the application layer, by obfuscating/diversifying the operating systems and APIs of the IoT devices, and at the network layer, by obfuscating/diversifying the communication protocols used among the devices (Publication IV, Publication V).
We answered RQ4 by combining the software-based and hardware-based security techniques that we had studied in the previous publications. We applied compile-time obfuscation and run-time randomization on the control flow of the Intel SGX enclave program (Publication VI).