Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

June 8, 2018 2157 Views Sebastian Holst

In its recent GitHub $7.5B acquisition announcement, Microsoft promised to “bring its developer tools and services to new audiences.” “New audiences” in this context mean, quite literally, GitHub’s 28 million developer users. As the “largest open source community in the world,” GitHub audiences will most surely also mean new requirements, new priorities, and new expectations – but these will also come with old biases. And there is no better example of open source bias than code obfuscation.

For the typical open source developer, obfuscation is “like a pearl onion on a banana split” – it simply does not belong (with thanks and apologies to Philip Marlowe in Raymond Chandler’s The Long Goodbye).

The argument is simple enough – there is no reason to prevent the reverse engineering of open source applications because the source code is already public. It’s like picking an unlocked door.

In addition to the sheer lunacy of the act, the benefits of open source development (access to existing code and limitless engineering resources) far outweigh any advantage that might come from jealously hiding your own handiwork from the rest of the world.

The argument is compelling – if you only concern yourself with intellectual property (IP) issues and ignore user privacy and safety.

Privacy and security obligations trump IP policy and must drive DevOps practices

There is no praise or reward for unsafe software – no matter how efficiently or innovatively developed.

Runtime application self-protection (RASP), as defined by Gartner, is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

Examples of RASP attack “prevention and detection” include Android root detection, application tamper detection, and unauthorized debugger/emulator detection. These scenarios share the following important qualities:

Advanced techniques are required to evaluate and ultimately detect these runtime incidents,
Bad actors are actively upgrading their attack patterns to evade detection,
Evaluation and detection “techniques” must continuously evolve to stay ahead of evolving exploit patterns.

Increasing the time required for bad actors to dissect – and ultimately evade – RASP prevention and detection algorithms reduces the cost and complexity of effective RASP controls.

Reducing the requirement for all developers to keep up with these development patterns further reduces the cost of security and streamlines a development organization’s ability to respond quickly.

Including multiple RASP checks throughout an application with multiple detection and response layers can dramatically improve overall RASP effectiveness and extend the lifespan of RASP controls.

Privacy and safety controls typically also require audit records to demonstrate compliance. Unless carefully designed, privacy and safety compliance steps can also increase cost and reduce overall efficiency.

PreEmptive Solutions pioneered RASP before it had a name – in 2006, Dotfuscator first included Tamper detection and defense. Anti-debug, (Android) root detection, emulator detection, etc. have all followed.

What we have validated over the past 12+ years is that post-compile injection of RASP controls helps to meet each of these requirements.

Ensure advanced detection and evaluation algorithms
Minimizing development training and expertise to implement
Ensure controls can be distributed throughout systems without impeding core development schedules
Generating audit logs and other compliance evidence to meet regulatory and statutory obligations

…and what’s this got to do with obfuscation?

As mentioned above – slowing discovery (and impeding evasion) of RASP controls improves privacy and safety – while simultaneously lowering the cost and complexity of implementing those controls. The PCI Council recommends obfuscation to better secure rooted device detection, Google recommends obfuscation to impede hacks on SafetyNet, and the list goes on-and-on. Obscuring RASP controls via obfuscation is a recommended (and increasingly required) practice.

Post-compile injection lets you develop in open source – while injecting (and optionally obfuscating) your RASP controls post compile.

Is there a role for obfuscation to play in the open source community?

YES IF,

If RASP controls are required AND
Your RASP technology can be wholly injected post-compile (no logic or APIs are included in the app source code itself)

It’s the inverse of the IP scenario above. Putting your RASP control source inside your project for hackers to see would be “sheer lunacy” as the benefits of injection (improved safety and privacy for users and lower cost and complexity of security derived from injection) far outweigh any advantage that might come from dogmatically publishing source that actually has nothing to do with the application you’re building.

Like most everyone – we at PreEmptive are energized by Microsoft’s acquisition of GitHub – and we look forward to helping new audiences effectively and efficiently protect their apps and the data they process.

Latest NIST publication reinforces Developer Obligations (and liability)

On June 11, NIST released Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework. While a solid piece of work in its own right, this document is noteworthy because it stands as one more proof point - in an already long list of proof points, that development processes, the developers themselves, and the organizations they belong to, ALL share some degree of responsibility (liability) for:

Untrusted Environments, Valuable Apps? Put the Protection in the App.

IT environments are evolving. Disappearing are the days of in-house, fixed-endpoint, limited access server stacks — replaced instead by a combination of private and public cloud solutions, mobile applications and IoT devices.

As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure with a growth rate topping 10 percent year-over-year, while Statista reports that users downloaded more than 178 billion apps in 2017 alone — and are on track to break 250 billion over the next few years.

What does this mean for organizations? That application environments are quickly moving beyond the purview of in-house IT, exposing both apps and network services to steadily growing risk. It creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but also can’t ignore the threat of app and data compromise or reverse-engineering and tampering.

In a recent developer survey, Xamarin.Android developers were 50% less likely to have included rooted device detection or anti-tamper prevention as their Java Android peers were. Yet, both sets of apps are being deployed through the same marketplaces onto the same devices and are governed by the same regulations (PCI, GDPR, HIPAA to name just a few that expect these kinds of controls).

Why are more Xamarin.Android apps going unprotected?

I recently had the opportunity to sit down with Sebastian Holst, PreEmptive’s Chief Strategy Officer, to talk about his most recent trip to Capitol Hill where the topic of the day was copyright protection for small businesses – and for development shops in particular.

The life of a security architect is rarely simple. Assessing, defending and improving corporate networks requires thorough knowledge of industry best practices designed to secure critical data, combined with real-world understanding of hacker tricks and tactics meant to undermine this purpose.

As noted by the InfoSec Institute, this is an in-demand job that often comes with high expectations, odd hours and the need for constant professional evolution to stay ahead of cybercriminal threats. Complicating matters is the breakneck pace of technological advancement. The rapid rise of cloud deployments, mobile applications and IoT devices can make even best-laid security strategies seem like flies in amber — hopelessly out-of-date and effectively immobile.

Here’s a look at what’s really bugging security architects — and how they can break the mold of static security to combat emerging threats.

Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

Latest NIST publication reinforces Developer Obligations (and liability)

Put the Protection in the App

Untrusted Environments, Valuable Apps? Put the Protection in the App.

Are Xamarin.Android app users at risk?

Changes are coming for US Copyright – Should Developers Even Care?

Fly in Amber: What’s Bugging Infosec Architects?

Latest Blog Posts

Latest NIST publication reinforces Developer Obligations (and liability)

Put the Protection in the App

Are Xamarin.Android app users at risk?

Changes are coming for US Copyright – Should Developers Even Care?

Fly in Amber: What’s Bugging Infosec Architects?

Twitter