Researchers from the Massachusetts Institute of Technology (MIT) have published a new Framework called Metior, designed to evaluate the effectiveness of different cybersecurity obfuscation schemes.

According to a blog post published on Wednesday, the framework quantitatively assesses the information an attacker could learn from a victim program protected by an obfuscation scheme.

Traditional security approaches that aim to block side-channel attacks, which involve observing a program’s behavior to obtain secret information, can be computationally expensive and impractical for real-world systems.

Instead, engineers often employ obfuscation schemes to limit an attacker’s ability to gain sensitive information without completely eliminating it.

Metior allows engineers and scientists to study various factors such as victim programs, attacker strategies and obfuscation scheme configurations to determine the extent of information leakage. 

According to Peter Deutsch, a graduate student and lead author of an open-access paper on Metior, the framework is instrumental in evaluating multiple security schemes and identifying promising architectures early in the chip design process for microprocessors.

By mapping the flow of information through an obfuscation scheme into mathematical representations, Metior applies information theory techniques to analyze how an attacker can learn information from the victim. 

The researchers applied Metior in three case studies, providing new insights into the effectiveness of different attack strategies and revealing behaviors that were not fully understood.

Read more on attack strategies: Defending Against the Expanding as-a-Service Threat Landscape

According to Roger Grimes, data-driven defense evangelist at KnowBe4, Metior is a great way to take the theoretical and move it toward practical risk assessment.

“The only thing I would temper this framework’s risk analysis with is the fact that these sorts of side-channel attacks are super rare. And until any attack is made in the wild by a real-world attacker against a real-world victim, it’s really zero risk,” Grimes added.

Because of this, the security expert warned that anyone using Metior should remember that what it predicts as a particular risk or likelihood of a specific attack does not yet equate to real-world risk. 

“Ability to do something doesn’t equate to real risk by itself. Still, I applaud what Metior has done in trying to better estimate potential side-channel success rates. It’s good work.”