Modern software applications are composed of many interconnected modules that together enable a wide range of features. Today's complex, market-driven business environment constantly pushes developers to deliver software applications faster than ever. Developers are battling delivery deadlines that are driven not by the complexity of the software on offer but by go-to-market motivations. As a result, insecure code has become a leading security risk and, increasingly, the leading business risk as well. It is irresponsible at every level to ignore this risk while doubling down on anti-virus solutions and firewalls, neither of which protects applications.
It is important to take a holistic view of software protection that provides checkpoints and resolutions throughout the development cycle. It is equally critical to empower developers with technologies and methods that automatically identify and detect certain types of attacks. Commercial software security tools exist that transform cryptographic credentials so that they cannot be easily extracted.
Other tools make software reverse engineering very hard by sensing an attached debugger and transforming the binary code logic so that it appears unintelligible even while the debugger is attached.
Dynamic Executable Verification (DEV), as described in this paper, provides low-impact dynamic integrity protection for applications that is compatible with standard code signing and verification methods. Further, we discuss a system architecture in which components of DEV are placed into a secure cloud-based service that can only be configured by an authorized security administrator. To set the context, we first discuss secure boot, tampering attacks, and methods of performing static and dynamic analysis. We then dive into the details of the DEV techniques, which aim to ensure that software cannot be tampered with, either statically or dynamically, without detection. The cloud aspect of DEV makes life easier for developers, since the burden of configuring security tools is moved into a cloud service and the risk of releasing an application with lower than intended security is reduced. We then present a couple of application use cases before concluding the paper.