Defend. Detect. Deter.
1y ago
31 Views
1 Downloads
4.71 MB
26 Pages
Report/dmca
Download PDF

Transcription

Defend. Detect. Deter.ARXAN AT SMAMAHANDOUT VERSIONAPPLICATION SECURITY - BUILD IT SECURE, KEEP IT SECUREMIRKO BRANDNERARXAN Confidential8/22/171

Agenda for 30 mins Intention– Very, very short company overview– Introduce all the buzzwords– Becoming more technical as the presentation continues From Techies for Techies As as short as possible but always enough to understand Solutions– Vulnerabilities, current Platforms & Tools– Focus Application Hardening Apps for Mobile Devices (iOS, Android) Native and JavaScript– Hardening using Guards and Guard NetworksARXAN Confidential8/22/172

About ARXAN HQ SAN Francisco (CA), USAFounded in 2001Global Offices USA, EMEA & APAC140 employees (50% development)R&D in America and EuropeApplication SecurityApplication Hardening, WhiteBox Cryptography, Mobile Application ManagementARXAN Confidential8/22/17

Arxan Products, Benefits and ThreatsObjectiveBinary Protection & JS codeKey ProtectionMobile App ManagementThreatsTampering, Reversing-Engineering,Unauthorized AccessKey DiscoveryTampering, UnauthorizedAccess, public access to storeProductsBinary Code Integrity:- GuardIT and EnsureIT (Mobile)Source Code Integrity:- SecureJS (JavaScript)Key Protection:TransformIT WhiteboxCryptographyApperian EASEBroadCoverageDesktop, ServerSupport for MajorCryptographicAlgorithms: RSA, AES,ECC,DESSiOS and AndroidEmbedded & Mobile AppsMulti-Platform CoverageDiverse policiesMulti-PlatformCoverageBenefits IP Protection, Piracy –Prevention Preserve Integrity of Code andBusiness ModelsARXAN Confidential Secure PremiumContent or Data Onboarding, inspect, protect,sign, deploy, measure Preserve Integrity ofIntellectual Propertyand Business Models Your independent own store Applies parallel to MDM8/22/17

Customers and VerticalsSorry, we are not allowed to present ourcustomers in written form to the publicor provide Gartner content aboutApplication Shielding in these follow-upslides.ARXAN Confidential8/22/175

Keep SecureBinary Protection – no source code touched!?SecureAppsCodeSigningValidates origin of codePen TestingExposes vulnerabilitiesApp Protection/AppHardeningProvide self-defense and tamper-proofing;prevents tampering, unauthorizedaccess/analysis, code insertionBuild SecureStatic/Dynamic Scanning Identifies vulnerabilitiesMobile DeviceRemote debugging and tracking for BYODManagement/MobileInitiativesApplication ManagementSets authentication policies, encrypts files saved byappAuthenticationPWs, biometrics, root detection – authenticatesuser and/or environmentSecure DevelopmentARXAN ConfidentialBest practices for coding8/22/17

Multi-Platform Support for Binary Protection & JSNative CodeX86ARXAN ConfidentialARMManaged CodeJava.NETJS sourceJavaScript8/22/177

ARXAN Confidential8/22/178

Why Application Security and Arxan at all?Infos from IBM / Ponemon InstituteARXAN Confidential8/22/17

Sicher entwickeln / Sicher bleibenhttps://www.owasp.org/index.php/Mobile Top 10 2016-Top 10ARXAN Confidential8/22/17

Some Public ToolsARXAN Confidential8/22/1711

How We Protect Binary Applicationssome Guards for various platformsDetectattacks at run time Checksum Anti-Debug Resource Verification Jailbreak/Root Detection Swizzle / Hook DetectionDefendAgainstcompromise Advanced Obfuscation Encryption Pre-Damage Metadata RemovalDeterto ward off attacks Repair Custom Reactions Shut Down (Exit, Fail) Alert / Phone HomeProtected App Self-defending Tamper-resistant Hardened against hacking attacks & malware exploitsARXAN Confidential8/22/17

more Guards and Parametersfor multiple platforms, not always the same on all platforms Encryption Wrapper Authentication Value Verification Renaming Resource Encryption Data Obfuscation Custom Guards Garbage Code . more to comeARXAN Confidential. more possibilitiesParameters Different algorithms Performance vs Security Range / Invocations Execution Probabilities Seeding Logs (e.g. for renaming) Debugging Actions .8/22/1713

What makes Arxan successful?Protecting the kDetec3onChecksumGuardMobilePaymentUserLoginEach Guard provides security itselfFine grained control, fully customizableMulti-Layered Guard Networkwith Defense in Depth (first Guard layerprotects code, additional Guard layersprotect lower-level Guards) Risk-Based, Custom Created for EachApplication Randomized Binary Implementation forAutomated Variability (every buildlooks different) Think Templates for Guards! 3onLaunchControl Flow Obfusca1on GuardsString Encryp3on GuardRenaming GuardARXAN Confidential8/22/1714

Adding ProtectionGuardSpec Configuration file is written to specify whichArxan Guards to place in the applicationbinary and where.You know what is protected in which way atwhat time!Arxan GuardInsertionEngine EngineGuard InsertionUnprotectedexecutable, DLL,Shared Library orLib or JarARXAN ConfidentialBuild Script is modifiedGuardto run Arxan product.LibraryArxan inserts Guardsspecified in the GuardSpecinto the unprotectedbinary. Guard Librarycontains many differentGuard Types andthousands of Guardinstances.ProtectedApplication or LibBinaryGuards fullydissolve intobinary andcannot beisolated oridentified. Noaccompanying libraries orneed toconnect toArxan at runtime.8/22/1715

Integration with focus on iOS / Android Xcode/xcodebuild integration per Xcode plug-in / xcodebuild Integration into LLVM toolchain Java Integration with gradle (therefore also Android Studio) APK protection Native Integration with ndk-build Integration into LLVM toolchain Protection (Guard Insertion) Engines usable per IDE or build management /command line, therefore usable from Jenkins etc.ARXAN Confidential8/22/1716

Guards and managable Impact Guards are protectionprimitives that are insertedinto your application. Guards are inserted for eachbinary based on theconfiguration of each Guarddefined in the GuardSpec. Guards add security but alsoincrease code size andexecution time which canbe adjusted by usingparameters. How much is amatter of goodconfiguration.ARXAN ConfidentialProtectionStrengthPerformance8/22/1717

Application Protection of JavaScript JavaScript Protection (SecureJS) source transformation protection supports ECMAScript 5,6 not binary protection in the cloud solution or on premise supporting multiple architecturedevelopment platforms, hybrid apps Very fast obfuscation Static and dynamic protection (Guards) Apache Cordova Solution Example package Several enhanced topics in development Other frameworks in workARXAN Confidential8/22/1718

SecureJS FeaturesUseful performance? Product has been performance andexternally pen tested against competitionwith very good results Generally available for 4 months now–––––In evaluation with plenty of early bird companies for6 monthsApplied even in Web GamingCordova solutions / examplesMore enhancements, size and performanceoptimization upcomingMore Guards and features for server environmentsGuards include Operator Removal and Minification anddynamic Guards are interwovenARXAN Confidential8/22/1719

JS - Which One Would You Rather Hack? “Ugly” one linerActually regular, executableCodeContains:–––––ARXAN ConfidentialInterwoven GuardsTransformations like renaming inoverall projectDebugger detectionChecksumsAnd more 8/22/17

Processing from Cmd line / Jenkins / CloudInputs Single files Whole folders, ZIP files Various options Configuration fileARXAN Confidential8/22/1721

Java Protection Example and DecompilationARXAN Confidential8/22/1722

Passive Guard Example: Control Flow ObfuscationBefore: UnprotectedAfter: ProtectedMakes code very difficult toread and breaks staticanalysis. Techniques usedinclude inserting dummycode, instruction substitution,path merging, block andsymbol shuffling, inlining,opaque predicates, jumpinstructions, and moreARXAN Confidential8/22/17

Checksum Guard detects TamperingChecksum ofProtected Range ofbinary created andhidden in theprotected binary.ARXAN ConfidentialOriginalChecksum:Checksum at RunTime if GuardProtectedRangeTamperedCodeAt runtime aChecksum of theProtected Range iscreated andcompared againstOriginal Checksum.Guard triggers if nomatch8/22/1724

React: Self-Repairing a Tampered AppOriginalProtected AppProtectedRange isencryptedand storedinto theapplicationARXAN (Original)If app is found tobe tampered withthen the ProtectedRange can selfheal using themaster version tooverwrite thetampered versionso programexecution cancontinue.8/22/1725

Thank you!Mirko Brandner – mbrandner@arxan.comAdditional Information Available at Arxan.comARXAN Confidential8/22/1726

Defend. Detect. Deter. 1 ARXAN AT SMAMA HANDOUT VERSION APPLICATION SECURITY -BUILD IT SECURE, KEEP IT SECURE MIRKO BRANDNER. ARXAN Confidential 8/22/17 2 . Detect attacks at run time Checksum Anti-Debug Resource Verification Jailbreak/Root Detection Swizzle / Hook Detection Deter to ward off attacks

Related Books

Mirc Magazine Issue 1 Vol. 4 Fall 2010

Mirc Magazine Issue 1 Vol. 4 Fall 2010

DETER DETECT DEFEND APR 22 NFORCED - Patriot One

DETER DETECT DEFEND APR 22 NFORCED - Patriot One

Deter Detect Defend Ul 22 Nforced

Deter Detect Defend Ul 22 Nforced

MiCorp Emerging strategies

MiCorp Emerging strategies

Duty to Defend: What the Courts Say STATE LIST State Duty to Defend - IIABA

Duty to Defend: What the Courts Say STATE LIST State Duty to Defend - IIABA

Department of Homeland Security Strategic Plan - dhs.gov

Department of Homeland Security Strategic Plan - dhs.gov

Implementing Effective Physical Security Countermeasures Job Aid - CDSE

Implementing Effective Physical Security Countermeasures Job Aid - CDSE

Election Infrastructure Insider Threat Mitigation Guide

Election Infrastructure Insider Threat Mitigation Guide

Seapower - Raytheon

Seapower - Raytheon

National Strategy to Combat Weapons of Mass Destruction

National Strategy to Combat Weapons of Mass Destruction

Magellan Healthcare, Inc.* 2021 2022 Magellan Care Guidelines

Magellan Healthcare, Inc.* 2021 2022 Magellan Care Guidelines

PopularTags

Recent Views