Difference between revisions of "OWASP Reverse Engineering and Code Modification Prevention Project"

From OWASP
Jump to: navigation, search
Line 6: Line 6:
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
==Introduction==
+
==Project Description==
 +
 
 +
This project educates security professionals about the risks of reverse engineering and how to ensure that code cannot be reverse engineered or modified.  If you are placing sensitive code in an environment in which an attacker can get physical access to that environment (read: mobile, desktops, cloud, particular geographies), you should be concerned with the risks of reverse engineering or unauthorized code modification.  This umbrella project will help you understand the risks and how to mitigate them.
 +
 
 +
==A Brief History of This Problem Space==
  
 
Historically, organizations offered their customers web applications that exposed an interface to some necessary business services.  The services expose high-value functionality that allows an organization to deliver value to its clients.  Attackers had a specific set of threats or goals that they realized by exploiting vulnerabilities that the organization exposed through the application’s presentation layer.  Security practitioners address these specific sets of vulnerabilities through the web application or the associated infrastructure security disciplines.
 
Historically, organizations offered their customers web applications that exposed an interface to some necessary business services.  The services expose high-value functionality that allows an organization to deliver value to its clients.  Attackers had a specific set of threats or goals that they realized by exploiting vulnerabilities that the organization exposed through the application’s presentation layer.  Security practitioners address these specific sets of vulnerabilities through the web application or the associated infrastructure security disciplines.
Line 18: Line 22:
 
With the recent move towards mobile applications, an attacker can now see, touch, and directly modify a lot of the application’s presentation and business layer code within the attacker’s mobile computing environment.  This capability allows the attacker to realize the same traditional business threats as before (with web applications) but in genuinely new and unconventional ways.
 
With the recent move towards mobile applications, an attacker can now see, touch, and directly modify a lot of the application’s presentation and business layer code within the attacker’s mobile computing environment.  This capability allows the attacker to realize the same traditional business threats as before (with web applications) but in genuinely new and unconventional ways.
  
==Description==
+
==Licensing==
  
Write a description that is just a few paragraphs long
+
Any documentation or educational material associated with this project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
  
==Licensing==
+
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
  
 +
== What is this project all about? ==
  
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
Prevent an attacker from reverse engineering your code or making unauthorized changes to that code. The following audiences get something from this project:
  
== What is XXX? ==
+
* ''Risk Specialists'' - Understand the business and technical risks that an attacker will deploy in order to reverse engineer or modify your code in unsafe environments;
  
OWASP XXX  provides:
+
* ''Security Architects'' - Understand the architectural features that should be embedded into code to prevent an attacker from reverse engineering or modifying your code;
  
* xxx
+
* ''Penetration Testers'' - Learn how to conduct binary attacks against mobile apps understand threats that can be realized against various different platforms.  You'll have a better understanding of useful attack vectors to verify the strength of reverse engineering prevention or unauthorized code modification;
* xxx
+
  
 +
* ''Software Engineers'' - Learn things that you can do to make reverse engineering as painful as possible for someone that is interested in reverse-engineering your code. 
  
 
== Presentation ==
 
== Presentation ==
  
Link to presentation
+
Currently, there are no presentations associated with this project.  Over time, I will be presenting various technical discussions that relate to reverse engineering prevention or integrity violation at OWASP events.  Those presentations will be highlighted here.
 
+
 
+
  
  
Line 51: Line 53:
 
== Related Projects ==
 
== Related Projects ==
  
* [[OWASP_CISO_Survey]]
+
This project is associated with
 
+
* [[OWASP_Mobile_Security_Project]]
 +
* [[OWASP_AppSensor_Project]]
  
  

Revision as of 19:06, 6 January 2014

[edit]

OWASP Project Header.jpg

Project Description

This project educates security professionals about the risks of reverse engineering and how to ensure that code cannot be reverse engineered or modified. If you are placing sensitive code in an environment in which an attacker can get physical access to that environment (read: mobile, desktops, cloud, particular geographies), you should be concerned with the risks of reverse engineering or unauthorized code modification. This umbrella project will help you understand the risks and how to mitigate them.

A Brief History of This Problem Space

Historically, organizations offered their customers web applications that exposed an interface to some necessary business services. The services expose high-value functionality that allows an organization to deliver value to its clients. Attackers had a specific set of threats or goals that they realized by exploiting vulnerabilities that the organization exposed through the application’s presentation layer. Security practitioners address these specific sets of vulnerabilities through the web application or the associated infrastructure security disciplines.

Most often, attackers successfully realized their threats by providing malicious input that they fed into the web application’s presentation layer. Classic attack vectors used by attackers that use this technique include: SQL Injection, Cross-Site (XSS) Scripting, and URL parameter tampering vulnerabilities. Often, security professionals detect the presence of these vulnerabilities through source code analysis or penetration testing. In response to the detection, security professionals recommend to the organization that its Software Engineers should mitigate these vulnerabilities by applying secure coding techniques and adding appropriate data validation security controls to the affected application. Generally, this is sage advice and it works well for traditional web-based applications. In this common scenario, this advice is enforceable because the organization is hosting the web application in a highly controlled (more trustworthy) environment where only the organization’s Software Engineers can modify the application’s underlying code.

In present day, consumers have demanded richer user experiences than what organizations could traditionally offer through web applications they exposed online. In response to these demands, organizations began augmenting the user experience with mobile applications. These applications offer genuinely quicker and richer user experiences than what users would otherwise get through traditional browser-based web applications.

In making the switch to mobile applications, organizations are now deploying more of the presentation layer and business layer of the application on a phone instead of on their own servers. As a result, they lose a lot more control over who gets to see or modify their application’s code. Before the switch, most of the application’s presentation and business layer functionality was hidden within the organization’s trusted server environments. Outside users or attackers did not get much of an opportunity to see executing code in action.

With the recent move towards mobile applications, an attacker can now see, touch, and directly modify a lot of the application’s presentation and business layer code within the attacker’s mobile computing environment. This capability allows the attacker to realize the same traditional business threats as before (with web applications) but in genuinely new and unconventional ways.

Licensing

Any documentation or educational material associated with this project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


What is this project all about?

Prevent an attacker from reverse engineering your code or making unauthorized changes to that code. The following audiences get something from this project:

  • Risk Specialists - Understand the business and technical risks that an attacker will deploy in order to reverse engineer or modify your code in unsafe environments;
  • Security Architects - Understand the architectural features that should be embedded into code to prevent an attacker from reverse engineering or modifying your code;
  • Penetration Testers - Learn how to conduct binary attacks against mobile apps understand threats that can be realized against various different platforms. You'll have a better understanding of useful attack vectors to verify the strength of reverse engineering prevention or unauthorized code modification;
  • Software Engineers - Learn things that you can do to make reverse engineering as painful as possible for someone that is interested in reverse-engineering your code.

Presentation

Currently, there are no presentations associated with this project. Over time, I will be presenting various technical discussions that relate to reverse engineering prevention or integrity violation at OWASP events. Those presentations will be highlighted here.


Project Leader

Jonathan Carter


Related Projects

This project is associated with


Quick Download

  • Link to page/download


News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1


In Print

This project can be purchased as a print on demand book from Lulu.com


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Q1
A1
Q2
A2

Volunteers

XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • xxx
  • xxx

Others

  • xxx
  • xxx

As of XXX, the priorities are:

  • xxx
  • xxx
  • xxx

Involvement in the development and promotion of XXX is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • xxx
  • xxx


PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Reverse Engineering and Code Modification Prevention Project
Purpose: The purpose of the project is to educate application security experts about the risks and appropriate mitigation techniques that organizations should implement to prevent an adversary from reverse engineering or modifying the developer's code within untrustworthy environments. The primary audiences for this project include: security analysts, security architects, security designers, security champions within the software engineering communities, and security auditors. In each of these roles, this project will educate them about the relevant risks and how to combat those risks as it relates to their particular role.
License: Apache 2.0
who is working on this project?
Project Leader(s):
  • Jonathan Carter @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Jonathan Carter @ to contribute to this project
  • Contact Jonathan Carter @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases