Researchers at the Massachusetts Institute of Technology (MIT) have published a new framework called Metior designed to evaluate the effectiveness of various cybersecurity obfuscation schemes.
According to a blog post published Wednesday, the framework quantifies the information an attacker might learn from a victim program protected by an obfuscation scheme.
Traditional security approaches aimed at blocking side-channel attacks, in which an attacker observes a program's behavior to obtain secret information, can be computationally expensive and impractical for real-world systems.
Instead, engineers often use obfuscation schemes to limit an attacker’s ability to obtain sensitive information without completely eliminating it.
Metior allows engineers and scientists to determine how much information is leaked by examining various factors such as the victim program, the attacker’s strategy, and the composition of the obfuscation scheme.
According to Peter Deutsch, a graduate student and lead author of the open-access paper on Metior, the framework helps evaluate multiple security schemes and identify promising architectures early in the microprocessor chip design process.
By mapping the flow of information through an obfuscation scheme to a mathematical representation, Metior applies information theory techniques to analyze how an attacker learns information from a victim.
The researchers applied Metior to three case studies, providing new insight into the effectiveness of various attack strategies and uncovering behaviors that were not fully understood.
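The following sketch illustrates the kind of information-theoretic measurement described above. It is an added example, not code from Metior or the MIT paper: it treats a constructed obfuscation scheme (random dummy memory accesses) as a noisy channel and computes the mutual information between the victim's secret and what the attacker observes. The victim model, the noise model and all names are assumptions.

```python
from collections import defaultdict
from itertools import product
from math import log2

def channel(signal, max_dummy):
    """P(observation | secret). Constructed model: the victim makes signal[s]
    memory accesses and the obfuscation adds 0..max_dummy dummy accesses,
    chosen uniformly at random. The attacker sees only the total."""
    p = 1.0 / (max_dummy + 1)
    return {s: {base + d: p for d in range(max_dummy + 1)}
            for s, base in signal.items()}

def leakage_bits(prior, cond, runs=1):
    """Mutual information I(S; O_1..O_runs) in bits when the attacker
    measures `runs` independent executions that use the same secret."""
    joint = defaultdict(float)     # (secret, observations) -> probability
    marginal = defaultdict(float)  # observations -> probability
    for s, p_s in prior.items():
        for outcome in product(cond[s].items(), repeat=runs):
            p = p_s
            for _, p_o in outcome:
                p *= p_o
            obs = tuple(o for o, _ in outcome)
            joint[(s, obs)] += p
            marginal[obs] += p
    return sum(p * log2(p / (prior[s] * marginal[obs]))
               for (s, obs), p in joint.items() if p > 0)

# Constructed victim: a secret bit selects 1 or 3 accesses, both equally likely.
PRIOR = {0: 0.5, 1: 0.5}
SIGNAL = {0: 1, 1: 3}

if __name__ == "__main__":
    for max_dummy in (0, 1, 3, 7):
        for runs in (1, 2, 4):
            bits = leakage_bits(PRIOR, channel(SIGNAL, max_dummy), runs)
            print(f"dummy<={max_dummy} runs={runs}: {bits:.3f} bits leaked")
```

In this model a noise range smaller than the gap between the two access counts still leaks the full bit, and every additional measurement by the attacker raises the leakage of a scheme that looked adequate for a single run.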
According to KnowBe4 data-driven defense evangelist Roger Grimes, Metior is a great way to take theory and move it into a practical risk assessment.
“The only thing that would soften the risk analysis of this framework is the fact that side-channel attacks of this kind are extremely rare, and attacks are carried out by real-world attackers against real-world victims. Until you get caught, there’s no risk,” Grimes added.
For this reason, the security expert warned that those who use Metior should remember that what it predicts as a particular risk or probability of a particular attack does not yet equate to real-world risk.
“The ability to do something alone does not equate to real risk. Nevertheless, I commend Metior for what they have done to more accurately estimate potential side-channel success rates. Good job.”
Metior’s publication comes weeks after Google’s security researchers announced a new framework to develop secure generative AI tools.