CORDIS - EU research results

rev.ng: a tool for security assessments of emerging and legacy platforms

Periodic Reporting for period 1 - rev.ng (rev.ng: a tool for security assessments of emerging and legacy platforms)

Reporting period: 2018-10-01 to 2019-03-31

Reverse engineering, the art of understanding a piece of software without its source code, is a key tool to build a more secure digital world. In fact, one of the key principles in cybersecurity is to avoid the so-called "security through obscurity", which means that a system should be designed to be safe even if an adversary has detailed knowledge of the whole target system. However, this principle is often ignored by developers, who tend, mostly due to resource constraints, to rely on the fact that an attacker doesn't have the source code of an application at his disposal.

In this context, reverse engineering allows an analyst to understand and examine a piece of software for which the source code is not available, enabling him to identify vulnerabilities and backdoors.

Our project, rev.ng, aims to increase the range of software that can be analyzed efficiently without source code. Specifically, we target software running on emerging platforms such as IoT devices and smartphones, which is currently extremely difficult to analyze.

To do this, we need to optimize the quality of our output to make it quick and easy for the analyst to understand the analyzed application. On top of this, the user interface the analyst works with has to be designed to make the time spent on it as efficient as possible, an aspect that has been largely disregarded in similar analysis tools.

During this project we performed the following key activities:

1. Investigation of the market. We identified a set of platforms that need analysis tools the most. We surveyed our existing customer base, explored the needs of new potential customers and attended international conferences to keep up with the latest trends.

2. Strategy development. Given the information above, we elaborated a more accurate strategy and business plan for the coming years.

3. UX study. We performed an in-depth user study in partnership with a professional UX design studio and identified the key pain points for users of tools similar to rev.ng, along with a set of remedies to implement in our product.

4. Investigation of IP/legal obstacles. We investigated potential IP and regulatory issues. In particular, we investigated the status of export regulations concerning our technology in the EU.

Compared to existing products, we can now handle a large set of different platforms that, previously, were not easy to analyze. This will enable researchers and corporations to investigate the presence of vulnerabilities or backdoors in network equipment (including 5G devices), smartphones and IoT devices.

We also developed a series of criteria to build a usable user interface, overcoming the difficulties faced by analysts in day-to-day activities and enabling them to significantly reduce the time required to analyze even large software projects.
Screenshot of the draft UI