Anti-debug and Anti-tamper: more than just a powerful new feature
Published on September 27, 2016 by Alexander Goodwin
Today we released Dotfuscator v4.25 that includes, for the first time, anti-debug defense and alert capabilities. Dotfuscator Professional users can now configure Dotfuscator to inject logic to defend against the unauthorized use of a debugger in production. We’ve already previewed this capability in our Java/Android product, DashO, and this latest anti-debug feature sits alongside our other “detective controls” including anti-tamper and shelf-life.
On one hand, a new release of Dotfuscator Professional is not big news – we’re constantly improving our products and this is our fourth Dotfuscator Professional release in the past 12 months – but I think we’ll look back at the inclusion of the anti-debug control as a kind of watershed moment – not in a narrow sense of Dotfuscator’s evolution – but in the evolution of application risk management more broadly.
Why? Here’s (some of) what’s “special” – not “just new.”
A single control mitigates traditionally distinct categories of risk.
Historically, the controls to manage intellectual property theft and software piracy were wholly separate from data integrity and data protection controls. Not true with an effective anti-debug control.Whether a hacker is trying to pirate your app, steal your data, or alter the behavior of a critical piece of infrastructure software as part of a larger crime – a production debugger is always a hacker’s weapon of choice.
As implemented inside Dotfuscator and DashO, the anti-debug control effectively mitigates both risk categories.
Consider how the following exploits that stem directly from debugger hacks cross data, operational, and IP risk boundaries:
|Debugger Hack||Resulting vulnerability and risk|
|Bypassing encryption and other techniques used during data transmission and/or storage exposes otherwise secured data.||Unauthorized data access leads to data loss, loss of revenue, privacy breaches, regulatory non-compliance, and trade secret theft.|
|Insert and modify data within your application||Interrupt application flow circumventing controls and governance and voiding authorization and access controls.|
|Trace logic and the flow of your application||Expose intellectual property for reuse and exploitation|
|View encryption functions, the values of dynamic keys and when and how sensitive information is saved to your file systems and databases||Security and operational breach exposes data and systems beyond any one application.|
Event detection and alerts span 3rd party application analytics and monitoring platforms.
Mitigating multiple risk categories brings with it the requirement that event detection and reporting be surfaced inside the dashboard(s) of choice for each stakeholder. Application stakeholders span development, operations, business and audit functions and each brings their own analytics and monitoring requirements and preferences.
The examples highlighted in this latest Dotfuscator release include multi-tenant cloud services and, if/when required, on-premises options are supported as well. Specifically, the following screenshots show the same telemetry being published inside Microsoft’s HockeyApp and Application Insights, Google Analytics, and even Twitter. For on-premises requirements, we’ve validated event capture inside Microsoft’s TFS and our own PreEmptive Analytics.
Cloud-based application analytics supporting Dotfuscator’s anti-debug telemetry
On-premises application analytics supporting Dotfuscator’s anti-debug telemetry
Application risk management controls are automated through deep integration with DevOps processes and toolchain
In order to be effective, application risk management controls must not
- Slow development velocity,
- Compromise application quality,
- Increase operational complexity,
- Negatively impact user experience, or – last but not least,
- Create more risk than they mitigate.
These exacting requirements can only be reliably and consistently met when control implementation, testing, and monitoring is integrated throughout the application lifecycle from design through deployment and into production. For modern development organizations, this translates into integration throughout a “DevOps toolchain.”
Here are concrete examples of what this means for PreEmptive Solutions’ implementation:
- Cross-platform support: Anti-debug is effective across desktop .NET, ASP.NET (including Azure web services), UWP, Android, and Java.
- Fully automatable within TFS and VSTS environments
Injection post-compile ensures that real-time incident responses are
- Consistent and comply with corporate governance obligations
- Fully auditable as configuration files that drive injection are stored as build artifacts after the fact
- Dynamically configurable at build time (and integrate with Windows PowerShell Desired State Configuration for further automation) to ensure resulting telemetry can be directed to appropriate
- Dev, test, and prod analytics endpoints as an application moves through its lifecycle
- Regional endpoints to satisfy regulatory and jurisdictional obligations
- Fully compatible with other application security controls such as obfuscation, watermarking, digital signing, etc.
To learn more (and download a more detailed white paper) and/or evaluate the software described here, visit: Top 5 reasons why Dotfuscator’s new anti-debugging and anti-tamper technology is changing the way developers manage risk.