source code dump?

Posted on
  • I have been pondering this question for a couple days after watching some of the new defcon conference videos.

    let's say(for a hypothetical situation) you create a product using the espruino technology and your product gets released into the general population. Someone purchases your product for penetration purposes. And starts picking away at the circuitry. Will it be possible to do some sort of memory dump and get the firmware and your Javascript source code off the microprocessor?

    I stumbled across this company that does this: http://www.break-ic.com

    However, from a hobby prospective, which, in my opinion, was the reason for the Espruino's birth, I don't really see a concern for 'security measures'.

  • Seeing as the processor on the Espruino Board is listed on break-ic.com's list of offerings, I'd reckon they could read it all... (also, is that site for real? They look super halfassed. Content copy-pasted from wikipedia and stuff like that)

  • Well, you could set the read only bits in the flash memory, so the device couldn't be read by the normal means - but that website may have discovered a way around ST's protection.

    Then there's the ability to just connect via serial/USB and access the console, but you can turn that off.

    To be honest the only thing I could suggest is to use minification/obfuscation tools on the JS before you upload it, maybe using the compiler on some functions when it is a bit more mature. Then your code is as open to this kind of thing as basically anything on a microcontroller.

  • I stumbled across:http://www.cl.cam.ac.uk/~sps32/mcu_lock.html it was an interesting read. Most of the topic was way over my head, but none-the-less the topic is still interesting.

    What I gathered is some of the attacks can be implemented with little money which Is interesting and makes me wonder how much money and time microcontroller companies actually put into securing their chips. It's probably not worth investing much time or money for the hobby market; however, I gather finances and time is probably well invested for military and the health market.

  • It's a hard one - my personal feeling is that trying to protect your software on anything is virtually impossible now. Even worse if you want to be able to do firmware updates.

    Even companies like Sony and Microsoft who are extremely motivated and basically design their own chips for Playstation/XBox don't seem to be able to manage it.

    On top of that I do wonder whether it really matters that much - especially on Microcontrollers I reckon it's often easier to write something again from scratch than to try and reverse engineer someone else's code.

    I guess if someone has access to your binaries they could analyse them and find ways to break your code remotely - maybe that's more of an issue with military/medical, however any security researcher would strongly disagree with the idea of 'security through obscurity'.

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview
About

source code dump?

Posted by Avatar for d0773d @d0773d

Actions