Results 1-15 of 15.
bertholon

Bookmark and Share    
Full Text
Peer Reviewed
See detailComparison of Multi-objective Optimization Algorithms for the JShadObf JavaScript Obfuscator
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in Proc. of the 17th Intl. Workshop on Nature Inspired Distributed Computing (NIDISC 2014), part of the 28th IEEE/ACM Intl. Parallel and Distributed Processing Symposium (IPDPS 2014) (2014, May)

With the advent of the Cloud Computing (CC) paradigm and the explosion of new Web Services proposed over the Internet (such as Google Office Apps, Dropbox or Doodle), the protection of the programs at the ... [more ▼]

With the advent of the Cloud Computing (CC) paradigm and the explosion of new Web Services proposed over the Internet (such as Google Office Apps, Dropbox or Doodle), the protection of the programs at the heart of these services becomes more and more crucial, especially for the companies making business on top of these services. The majority of these services are now using the JavaScript programming language to interact with the user as all modern web browsers – either on desktops, game consoles, tablets or smart phones – include JavaScript interpreters making it the most ubiquitous programming language in history. This context renew the interest of obfuscation techniques, i.e. to render a program "unintelligible" without altering its functionality. The objective is to prevent the reverse-engineering on the program for a certain period of time – an absolute protection by this way being unrealistic since stand-alone obfuscation for arbitrary programs has been proven impossible in 2001. In [11], we have presented JSHADOBF, an obfuscation framework based on evolutionary heuristics designed to optimize for a given input JavaScript program, the sequence of transformations that should be applied to the source code to improve its obfuscation capacity. Measuring this capacity is based on the combination of several metrics optimized simultaneously with Multi-Objective Evolutionary Algorithms (MOEAs). In this paper, we extend and complete the experiments made around JSHADOBF to ana- lyze the impact of the underlying Multi-Objective Evolutionary Algorithms (MOEAs) algorithm onto the obfuscation process. In particular, we compare the performances of NSGA-II and MOEAD (two reference algorithms in the optimization domain) on top of JSHADOBF to first obfuscate a pedagogical program inherited from linear algebra, then one of the most popular and widely used JavaScript library: JQuery. [less ▲]

Detailed reference viewed: 121 (4 UL)
Full Text
See detailCertiCloud and JShadObf. Towards Integrity and Software Protection in Cloud Computing Platforms
Bertholon, Benoit UL

Doctoral thesis (2013)

A simple concept that has emerged out of the notion of heterogeneous distributed computing is that of Cloud Computing (CC) where customers do not own any part of the infrastructure; they simply use the ... [more ▼]

A simple concept that has emerged out of the notion of heterogeneous distributed computing is that of Cloud Computing (CC) where customers do not own any part of the infrastructure; they simply use the available services and pay for what they use. This approach is often viewed as the next ICT revolution, similar to the birth of the Web or the e-commerce. Indeed, since its advent in the middle of the 2000's, the CC paradigm arouse enthusiasm and interest from the industry and the private sector, probably because it formalizes a concept that reduces computing cost at a time where computing power is key to reach competitiveness. Despite the initiative of several major vendors to propose CC services (Amazon, Google, Microsoft etc.), several security research questions remain open to transform the current euphoria into a wide acceptance. Moreover, these questions are not always tackled from the user's point of view. In this context, the purpose of this thesis is to investigate and design novel mechanisms to cover the following domains: - Integrity and confidentiality of Infrastructure-as-a-Service (IaaS) infrastructures, to provide guarantees on programs and data running in a virtualised environment, either before, during or after a deployment on the CC platform. - Software protection on Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) architectures, using code obfuscation techniques. This dissertation details thus two main contributions. The first one is the development and implementation of CertiCloud, a CC framework which relies on the concepts developed in the Trusted Computing Group (TCG) together with hardware elements, i.e., Trusted Platform Module (TPM) to offer a secured and reassuring environment within IaaS platforms. At the heart of CertiCloud reside two protocols: TCRR and VerifyMyVM. When the first one asserts the integrity of a remote resource and permits to exchange a private symmetric key, the second authorizes the user to detect trustfully and on demand any tampering attempt on its running VM. These protocols being key components in the proposed framework, their analysis against known cryptanalytic attacks has been deeply analysed and testified by their successful validation by AVISPA [1] and Scyther [66], two reference tools for the automatic verification of security protocols. The second major contribution proposed in this manuscript is an obfuscation framework named JShadObf, designed to improve the protection of Javascript-based software running typically on SaaS and PaaS platforms. This framework combines obfuscation transformations, code complexity measurements and Multi-Objective Evolutionary Algorithms (MOEAs) to protect Javascript code, the most ubiquitous programming language at the heart of most modern web services deployed over those CC infrastructures such as Google Office Apps, Dropbox or Doodle. [less ▲]

Detailed reference viewed: 118 (6 UL)
Full Text
Peer Reviewed
See detailShadObf: A C-source Obfuscator based on Multi-objective Optimization Algorithms
Bertholon, Benoit UL; Varrette, Sébastien UL; Martinez, S.

in Proc. of the 16th Intl. Workshop on Nature Inspired Distributed Computing (NIDISC 2013), part of the 27th IEEE/ACM Intl. Parallel and Distributed Processing Symposium (IPDPS 2013) (2013, May)

The Development of the new Cloud Computing paradigm as lead to a reorganisation in the order of the priorities of security issues. When running a private code on a Public Cloud or on any remote machine ... [more ▼]

The Development of the new Cloud Computing paradigm as lead to a reorganisation in the order of the priorities of security issues. When running a private code on a Public Cloud or on any remote machine, its owner have no guarantees that the code cannot be reverse engineered, understood and modified. One of the solution for the code owner in order to protect his intellectual property is to obfuscate his algorithms. The Obfuscation of source code is a mechanism to modify a source code to make unintelligible by humans even with the help of computing resources. More precisely, the objective is to conceal the purpose of a program or its logic without altering its functionality, thus preventing the tampering or the reverse engineering of the program Obfuscation is usually performed by applying transformations to the initial source code, but it reveals many open questions: what transformation should be chosen? In which order should the obfuscator apply them? How can we quantify the obfuscation capacity of a given program? In order to answer these questions, we propose here SHADOBF, an obfuscation framework based on evolutionary heuristics designed to optimize for a given input C program, the sequence of transformations that should be applied to the source code to improve its obfuscation capacity. This last measure involves the combination of well known metrics, coming from the Software Engineering area, which are optimized simultaneously thanks to Multi Objective Evo- lutionary Algorithms (MOEAs). We have validated our approach over a classical matrix multiplication program – experiments on other applications is still in progress. Some experiments, presented here, has been performed on some basic but representative examples to valid the feasibility of the method. [less ▲]

Detailed reference viewed: 69 (2 UL)
Full Text
Peer Reviewed
See detailShadObf: A C-Source Obfuscator Based on Multi-objective Optimisation Algorithms
Bertholon, Benoit UL; Varrette, Sebastien UL; Martinez, Sebastien

in Proceedings of the 2013 IEEE 27th International Symposium on Parallel and Distributed Processing Workshops and PhD Forum (2013)

Detailed reference viewed: 41 (4 UL)
Full Text
Peer Reviewed
See detailJShadObf: A JavaScript Obfuscator Based on Multi-Objective Optimization Algorithms
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in Lopez, Javier; Huang, Xinyi; Sandhu, Ravi (Eds.) Network and System Security (2013)

Detailed reference viewed: 91 (5 UL)
Full Text
Peer Reviewed
See detailCERTICLOUD, une plate-forme Cloud IaaS sécurisée
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in Technique et Science Informatiques (2012), 31(8-9-10), 1121-1152

The security issues raised by the Cloud paradigm are not always tackled from the user point of view. For instance, considering an Infrastructure-as-a-Service (IaaS) Cloud, it is currently impossible for a ... [more ▼]

The security issues raised by the Cloud paradigm are not always tackled from the user point of view. For instance, considering an Infrastructure-as-a-Service (IaaS) Cloud, it is currently impossible for a user to certify in a reliable and secure way that the environment he deployed (typically a Virtual Machine (VM)) has not been corrupted, whether by malicious acts or not. Yet having this functionality would enhance the confidence on the IaaS provider and therefore attract new customers. This paper fills this need by proposing CERTICLOUD, a novel approach for the protection of IaaS platforms that relies on the concepts developed in the Trusted Computing Group (TCG) together with hardware elements, i.e., Trusted Platform Module (TPM) to offer a secured and reassuring environment. Those aspects are guaranteed by two protocols : TCRR and VerifyMyVM. When the first one asserts the integrity of a remote resource and permits to exchange a private symmetric key, the second authorizes the user to detect trustfully and on demand any tampering attempt on his running VM. These protocols being key components in the proposed framework, we take very seriously their analysis against known cryptanalytic attacks. This is testified by their successful validation by AVISPA and Scyther, two reference tools for the automatic verification of security protocols. The CERTICLOUD proposal is then detailed : relying on the above protocols, this platform provides the secure storage of users environments and their safe deployment onto a virtualization framework. While the physical resources are checked by TCRR, the user can execute on demand the VerifyMyVM protocol to verify the integrity of his deployed environment. Experimental results operated on a first prototype of CERTICLOUD over Nimbus demonstrate the feasibility and the low overhead of the approach, together with its easy implementation on recent commodity machines. [less ▲]

Detailed reference viewed: 44 (4 UL)
Full Text
Peer Reviewed
See detailCertiCloud: a Novel TPM-based Approach to Ensure Cloud IaaS Security
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in 4th IEEE Intl. Conf. on Cloud Computing (CLOUD 2011) (2011, July)

The security issues raised by the Cloud paradigm are not always tackled from the user point of view. For instance, considering an Infrastructure-as-a-Service (IaaS) Cloud, it is currently impossible for a ... [more ▼]

The security issues raised by the Cloud paradigm are not always tackled from the user point of view. For instance, considering an Infrastructure-as-a-Service (IaaS) Cloud, it is currently impossible for a user to certify in a reliable and secure way that the environment he deployed (typically a Virtual Machine(VM)) has not been corrupted, whether by malicious acts or not. Yet having this functionality would enhance the confidence on the IaaS provider and therefore attract new customers. This paper fills this need by proposing CERTICLOUD, a novel approach for the protection of IaaS platforms that relies on the concepts developed in the Trusted Computing Group (TCG) together with hardware elements, i.e., Trusted Platform Module (TPM) to offer a secured and reassuring environment. Those aspects are guaranteed by two protocols: TCRR and Verify MyVM. When the first one asserts the integrity of a remote resource and permits to exchange a private symmetric key, the second authorizes the user to detect trustfully and on demand any tampering attempt on its running VM. These protocols being key components in the proposed framework, we take very seriously their analysis against known cryptanalytic attacks. This is testified by their successful validation by AVISPA and Scyther, two reference tools for the automatic verification of security protocols. The CERTICLOUD proposal is then detailed: relying on the above protocols, this platform provides the secure storage of users environments and their safe deployment onto a virtualization framework. While the physical resources are checked by TCRR, the user can execute on demand the Verify MyVM protocol to certify the integrity of its deployed environment. Experimental results operated on a first prototype of CERTICLOUD demonstrate the feasibility and the low overhead of the approach, together with its easy implementation on recent commodity machines. [less ▲]

Detailed reference viewed: 41 (4 UL)
Full Text
Peer Reviewed
See detailA Signature Scheme for Distributed Executions based on Control flow Analysis..
Varrette, Sébastien UL; Bertholon, Benoit UL; Bouvry, Pascal UL

in 19th Intl. conference on Security and Intelligent Information Systems (SIIS 2011) (2011, June)

Detailed reference viewed: 26 (0 UL)
Full Text
Peer Reviewed
See detailA Signature Scheme for Distributed Executions based on Control flow Analysis.
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in Proc. of the 19th Intl. conference on Security and Intelligent Information Systems (SIIS 2011) (2011)

Detailed reference viewed: 50 (2 UL)
Peer Reviewed
See detailchap. "Practical Security in Distributed Systems"
Bertholon, Benoit UL; Cérin, C.; Coti, C. et al

in Distributed Systems (volume 1); Design and Algorithms (2011)

Detailed reference viewed: 31 (2 UL)
Peer Reviewed
See detailPractical Security in Distributed Systems
Bertholon, Benoit UL; Cérin, Christophe; Coti, Camille et al

in Haddad, S.; Kordon, F.; Pautet, L. (Eds.) et al Distributed Systems; Design and Algorithms, 1 (2011)

Detailed reference viewed: 27 (0 UL)
Full Text
Peer Reviewed
See detailCertiCloud: une plate-forme Cloud IaaS sécurisée
Bertholon, Benoit UL; Varrette, Sébastien UL; Bouvry, Pascal UL

in RenPar'20 2011 (2011)

La sécurité des Clouds est un aspect essentiel qui n'est pas forcément abordé selon le point de vue de l'utilisateur. En particulier, sur une plate-forme de type IaaS, il est actuellement impossible pour ... [more ▼]

La sécurité des Clouds est un aspect essentiel qui n'est pas forcément abordé selon le point de vue de l'utilisateur. En particulier, sur une plate-forme de type IaaS, il est actuellement impossible pour un utilisateur de certifier de manière fiable et sécurisée que l'environnement qu'il a déployé (typiquement sous forme d'une machine virtuelle) est toujours dans un état qu'il juge intègre et opérationnel. Cet article s'attelle à cette tâche en proposant CertiCloud, une plate-forme Cloud de type IaaS qui exploite les concepts développés dans le cadre du TCG mais aussi les éléments matériels que sont les TPM pour offrir à l'utilisateur un environnement sécurisé et sécurisant. Ces deux aspects sont garantis par les deux protocoles TCRR et VerifMyVM qui sont à la base de CertiCloud. Quand le premier permet de certifier l'intégrité d'une machine distante et d'échanger une clef de chiffrement symétrique, le second permet à l'utilisateur de s'assurer dynamiquement et à la demande de l'intégrité de sa machine virtuelle exécutée sur les ressources de \CertiC. Ces deux protocoles étant les briques de base de notre plate-forme, une attention toute particulière a été apportée à leurs élaborations. A cet effet, ils ont été validés avec succès par AVISPA et Scyther, deux outils de référence dans le domaine de la vérification automatique des protocoles de sécurité (cette analyse est présentée dans cet article). Ensuite, la plate-forme CertiCloud est détaillée: outre les protocoles TCRR et VerifMyVM, elle propose le stockage sécurisé des environnements utilisateurs et leurs exécutions à travers un framework de virtualisation reprenant l'hyperviseur Xen. Quand les ressources physiques sont certifiées par TCRR, l'utilisateur peut utiliser à la demande le protocole VerifMyVM pour s'assurer de l'intégrité de son environnement déployé. Un prototype de CertiCloud a été réalisé et nous présentons les premiers résultats expérimentaux qui démontrent de la faisabilité et du faible surcoût de notre approche sur des scénarios classiquement rencontrés sur les infrastructures Cloud de type IaaS. [less ▲]

Detailed reference viewed: 33 (4 UL)