Future Security Apps May All Have To Work With GOTD Wrapper

Back to Giveaway of the Day

Giveaway of the Day Forums » Talks

Future Security Apps May All Have To Work With GOTD Wrapper

(4 posts) (3 voices)

Started 9 years ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

threatpost.com/darpa-protecting-software-from-reverse-engineering-through-obfuscation/114656/

DARPA [the folks that created the Internet] is working on software code obfuscation. What's that mean? The GOTD wrapper is a great example... it means preventing someone(s) from getting their hands on the original program code.

One or a few companies can look at it now as "So what -- at most we're only talking a few apps from a few sites", but when it's everything everywhere, can't hide behind that excuse any longer. :)

Posted 9 years ago #
Anonymous
Unregistered

I think by "The GOTD wrapper is a great example... it means preventing someone(s) from getting their hands on the original program code. " you mean we cannot get our hands on the original program Themida programme code.

After installation of a giveaway I can see all the binary programme code of the giveaway. Just as when I install their unwrapped trial.

Or do you mean something else? Like we do not see the source code of the giveaway? We only see the resulting binaries. But that has nothing to do with being wrapped or not. With a disassembler you can get something back that produces the same binary as the original. But you will miss out all the programmers comments. And understandable names of the variables and constants. With a disassember reverse engineering is made simpler. But not easy.

Presently Themida de-encrypts the giveaway's installer in RAM and then lets it run free to place unencrypted binaries on the user's hard disk, leaving them open to reverse engineering. Themida is selling the new clothes of the emperor in that respect. Themida has only removed the temp-bug of the first wrapper. That is all.

I think the DARPA Project will result in permanently encrypted binaries that are de-encrypted in RAM temporarily if you execute them. Just like AxCrypt delivers encrypted user files: if you double-click a text file encrypted by AxCrypt, it will de-encrypt in RAM and start your word processor to work on the de-encrypted file. After you are done, saved the edited file and closed your word processor, AxCrypt will come into action again and store an encrypted version of the edited file on disk and permanently remove any readable temporary file.

But clear code that is in RAM is not 100% secure. You could write a utility to read RAM and save it. You will need encrypted code in RAM/file and an extra de-encryptor (hardware?) placed between the I/O-buffer and the processor. It will fetch encrypted code data from the I/O-buffer, de-encrypt it and send the clear code to the processor. Perhaps Intel/AMD will built this de-encryptor into a new generation of processors. Each encrypted binary will carry its decrypting key in a way comparable to Themida.

Posted 9 years ago #
krypteller
Member

Actually, the code does not to be encrypted in the classical way. Because it does not contain sensitive data, but contains machine instructions and addresses. It would suffice to shuffle them in a pseudo-random way, like a deck of cards. If a hacker sees real code, but shuffled, he cannot do anything with it without knowledge how the code was shuffled. A built-in de-shuffler would need much less processing power than a built-in de-encryptor, I assume. It is not necessary to shuffle all lines in one go. Blocks with a length of a power of 2 (65536 of 8 byte lines = 64 bits per block?) would do. Hardware implementation of a maximum-length generator takes only a shift register and a couple of logical XOR ports.
See http://www.gaussianwaves.com/2010/09/maximum-length-sequences-m-sequences-2/
http://nl.mathworks.com/help/comm/ref/pnsequencegenerator.html
Nice subject for a bachelor thesis, followed by a MSc graduate project and finalised by a PhD. Perhaps a post-doc? And after that a well-paid job at Intel.

Posted 9 years ago #
mikiem2
Moderator

Comparing it to shuffling cards might be a better, or at least friendlier analogy than the DARPA researchers jigsaw puzzle. :)

The Themida-based GOTD wrapper keeps you from getting your hands on the enclosed setup file, but it doesn't alter that file, or the installed app AFAIK. My understanding is that it does 2 things -- it's an encrypted container, like a password protected .zip file, & when it's run it decodes & runs its contents in RAM in a way that cannot be easily captured. I could be wrong on the way it functions re: RAM, but I'd think anything with any focus on security would protect anything it stored there.

Running processes in RAM have been a recent issue with a couple of mobile OS vulnerabilities I think. Data stored in RAM has been the subject of security research with encryption software like Truecrypt, and with the POS [Point Of Sale] card readers that retailers use -- in both cases there were vulnerabilities to so-called memory scraping.

I Think some of the protections involve random memory addresses, so there's no one place in RAM to look for the code or data, while others encrypt before it's stored in RAM, & others look to protected sandboxes etc. Microsoft's work compressing data stored in RAM might provide some interesting tools or possibilities there perhaps?

"Perhaps Intel/AMD will built this de-encryptor into a new generation of processors."

I think this is an area where Intel has spent tons of money on research, & why they bought McAfee. I *think* some of the results are in the new Skylake CPUs.

arstechnica.com/information-technology/2015/08/the-many-tricks-intel-skylake-uses-to-go-faster-and-use-less-power/

Some instructions have been made faster, with Intel claiming that the AES acceleration instructions have increased encryption performance by up to 33 percent (in CBC mode) or 17 percent (in GCM mode).

The threatpost article & the original it referenced both quoted the researchers as saying they've got a long way to go before they make it efficient. And if they expect wide adoption they'll have to do better than something like the open source UPX compacter -- I think it's relatively small bit of inefficiency is one of the reasons cited that more people don't use it.

While the DARPA researchers talk about using new way to encrypt program code, the program file(s) itself would still be encrypted, same as the GOTD wrapper & a lot of malware, so the net effect to anti-virus software would be the same as now, with encrypted executables -- code that it cannot examine doing things that it cannot examine. And of course if the results of the DARPA work are open source, the bad guys/gals will use it to worsen the nightmares of the security software folks.

"Nice subject for a bachelor thesis, followed by a MSc graduate project and finalised by a PhD. Perhaps a post-doc? And after that a well-paid job at Intel. "

I'd expect the DARPA funded professors will use that to attract the best & brightest, who will do the bulk of the work under the auspices of the professors, & said professors will reap the biggest rewards. The professors also might do related research developing patents & forming their own companies to exploit them, but that's the tip of the iceberg -- research is like a whole separate world. Those students that make breakthroughs will use that to launch their own careers, while the ones that don't will likely wind up knocking on Intel's door just as you've said.

Posted 9 years ago #

RSS feed for this topic

Reply

You must log in to post.