2. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015
Prof. Pascal Junod
• Computer security veteran, MSc ETHZ’00, PhD EPFL’05.
• Prof. @ HES-SO / HEIG-VD, co-founder of strong.codes
• Research interests:
  • Industrial cryptography
  • Software security, software protection
  • Ethical hacking
• http://crypto.junod.info, @cryptopathe
Agenda
• Software Security?
• Secure Software Development
• Man at the End
• Software Protection
Software Security?
Published Software Vulnerabilities
Source: https://web.nvd.nist.gov/view/vuln/statistics
Trinity of Troubles
Complexity
Extensibility
Connectivity
Complexity
[Chart: Linux kernel size in millions of SLOC, plotted for 2001, 2003, 2009, 2010, 2012 and 2015]
Connectivity
• Ubiquitous networking
• Service Oriented Architectures, networking of legacy applications
Extensibility
• Plugins, extensions
• Loadable OS drivers
• Scripting, components, applets, controls
• Extensible platforms: J2EE, .NET, etc.
Secure Software Development
Usual Threat Model
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Security Development Lifecycle
• Process advocated by Lipner & Howard: S. Lipner and M. Howard, « The trustworthy computing security development lifecycle », Microsoft Corp., 2005.
• Available on http://msdn.microsoft.com/en-us/library/ms995349(classic).aspx
Security Requirements
• « Security from the ground up » -> integration of security into the development process
• Nomination of a security advisor
• Identification of key security objectives
• Describe security goals, challenges, and plans
Security Objectives
• Financial risks
• Reputation risks
• Privacy and regulatory risks
• SLA
• Legal risks
Security Design
• Security architecture definition
• Definition of software attack surface
• Threat modeling
• Assets
• Risks and their likelihood
• Definition of countermeasures
Threats etc.
• Threat: person or object that is dangerous
• Vulnerability: weakness, security hole
• Attack/exploit: technique used to exploit a vulnerability
Threats
• Non-target-specific: viruses, worms, trojans, etc.
• Employees
• Organized crime, cyber-criminals
• Corporations, nations
• Natural threats
Vulnerabilities
API abuse // Authentication // Authorization // Availability //
Code permissions // Code quality // Concurrency // Configuration //
Cryptography // Encoding // Environmental // Error handling //
General logic error // Input validation // Logging and auditing //
Password management // Path // Protocol errors // Range and type errors //
Sensitive data protection // Session management //
Synchronization and Timing // Unsafe mobile code // Dangerous APIs
Threat Modeling
Source: http://www.owasp.org
Threat Modeling Methods
• Various methods:
  • STRIDE
  • DREAD
  • TRIKE
  • CVSS
• Generic goals: identify components, data flows, trust boundaries
Implementation of Security
• Application of adapted coding and testing standards
• Specialized libraries
• Use of static analysis code scanning tools in IDE
• Code reviews
Software Release
• Final security review
• Internal / external security audit (white-/black-box « pen-test »)
• Answer the question « Is this software ready to go to production from a security standpoint? »
Security Servicing
• Monitoring
• Evaluation of reported vulnerabilities
• Release of security advisories and patches
• Take response actions (review of development process, legal, etc.)
Basic Security Principles
Least Privilege
Give each component only the minimal rights necessary to carry out its task.
Defense in Depth
Use several redundant protection mechanisms.
User Participation
A security procedure is efficient only if all its users adhere to its principles.
Choke Point
A security mechanism is effective only if there is absolutely no means to bypass it.
Deny by Default
Forbid everything but what is authorized.
Weakest Link
The adversary will always attack the weakest link of the security chain.
Fail Securely
Always ensure that an exception does not open a security hole.
No Security by Obscurity
Do not rely on the secrecy of the implementation to keep the system secure.
Simplicity
Everything should be made as simple as possible, but not simpler.
Man at the End
OK, then?
• What happens when you have implemented perfectly secure software?
• It gets hacked!
Usual Threat Model
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Man at the End
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Malicious Reverse Engineering
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Digital Rights Management
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Cloud Computing
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Software Protection
Man at the End
Source: Collberg, Nagra, « Surreptitious Software », Addison-Wesley, 2009
Defenses
• Obfuscate the code, to slow down a reverse engineer
• Tamper-proof the code, to prevent modification
• Mark the code, to identify illegal distribution
Attacks
• strings
• objdump
• gdb
• jailbreak exploit
• IDA Pro
• Hopper
• Radare
• Patch
• PirateBay
• P2P networks
strong.protect
• Jailbreak detection
• Virtualization detection
• Debugger detection
• Control flow flattening
• Routine split / merge
• Bogus control flow insertion
• Junk code insertion
• Code tamper-proofing
• Code watermarking
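Control flow flattening, one of the transformations in the list above, illustrated by hand on a small routine. This is an added example, not output of strong.protect or O-LLVM and not code from the talk; the function names and state constants are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Original routine: Euclid's algorithm with a readable loop structure. */
uint32_t gcd_plain(uint32_t a, uint32_t b)
{
    while (b != 0) {
        uint32_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Hand-flattened equivalent: every basic block becomes a case of one
 * dispatcher switch and a state variable selects the next block, so the
 * loop no longer appears as a loop in the static control-flow graph.
 * State numbers are arbitrary constants chosen for this illustration. */
uint32_t gcd_flattened(uint32_t a, uint32_t b)
{
    uint32_t t = 0;
    uint32_t state = 0x3a;            /* entry block */
    for (;;) {
        switch (state) {
        case 0x3a:                    /* loop condition */
            state = (b != 0) ? 0x91 : 0x17;
            break;
        case 0x91:                    /* loop body, first half */
            t = a % b;
            state = 0x5c;
            break;
        case 0x5c:                    /* loop body, second half */
            a = b;
            b = t;
            state = 0x3a;
            break;
        case 0x17:                    /* exit block */
            return a;
        default:                      /* unreachable state: stop */
            return 0;
        }
    }
}

int main(void)
{
    printf("%u %u\n", (unsigned)gcd_plain(1071, 462),
           (unsigned)gcd_flattened(1071, 462));
    return 0;
}
```

Both functions compute the same values; only the shape of the control-flow graph differs, which is also where the code size increase of such a transformation comes from.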
What is actually strong.protect?
• strong.protect is a compiler generating native code
• It is based on the LLVM compilation framework
• A free evaluation version is available as open-source software (see http://o-llvm.org)
Supported Language and Platforms
How to Use strong.protect
• Easy to integrate within modern IDEs, such as Eclipse, Xcode, Visual Studio, etc.
• Works in your environment, no need to share code with us.
• Usable out-of-the-box, no need for particular modification of software development process, compatible with multiple environments
• Protection is fully customizable to your particular application needs
• No required modification of the source code, applicable to multiple languages
Solution Features Comparison
Feature name | Open Source Version | Commercial Version
Code substitutions (-sub) | 9 | 24
Bogus control flow (-bcf) | 1 | 8
Code flattening (-fla) | static | dynamic
Function merging (-mer) | | X
Tamper proofing (-tp) | | X
Constant encryption (-xse) | | X
Anti-debugging (-ade) | | X
Basic block splitting (-splitbbl) | | X
Integer substitution (-subinit) | | X
Obfuscation profiler | | X
Code Size Increase for ChatSecure App
[Chart: Increase in binary code size; binary code size for each set of compiler options]
Compiler options | % increase
no protection | 0.0%
"-sub -subinit" | 8.9%
"-fla" | 18.4%
"-mer" | 22.9%
"-tp" | 22.5%
"-fla -mer -sub -subinit" | 91.8%
How to Use strong.protect
strong.codes Team
https://strong.codes