Exetools

#1 02-13-2015, 03:08
atomix
Hardened Anti-Reverse Engineering System (HARES)

What do you guys think about this interesting protection method?

Source: http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/

Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It's also what allows those same hackers' dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.

At the SyScan conference next month in Singapore, security researcher Jacob Torrey plans to present a new scheme he calls Hardened Anti-Reverse Engineering System, or HARES. Torrey's method encrypts software code such that it's only decrypted by the computer's processor at the last possible moment before the code is executed. This prevents reverse engineering tools from reading the decrypted code as it's being run. The result is tough-to-crack protection from any hacker who would pirate the software, suss out security flaws that could compromise users, and even in some cases understand its basic functions.

"This makes an application completely opaque," says Torrey, who works as a researcher for the New York State-based security firm Assured Information Security. "It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits."

A company like Adobe or Autodesk might use HARES as a sophisticated new form of DRM to protect their pricey software from being illegally copied. On the other hand, it could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it. As notable hacker the Grugq wrote on Twitter when Torrey's abstract was posted to SyScan's schedule, HARES could mean the "end of easy malware analysis."

To keep reverse engineering tools in the dark, HARES uses a hardware trick that's possible with Intel and AMD chips called a Translation Lookaside Buffer (or TLB) Split. That TLB Split segregates the portion of a computer's memory where a program stores its data from the portion where it stores its own code's instructions. HARES keeps everything in that "instructions" portion of memory encrypted such that it can only be decrypted with a key that resides in the computer's processor. (That means even sophisticated tricks like a "cold boot attack," which literally freezes the data in a computer's RAM, can't pull the key out of memory.) When a common reverse engineering tool like IDA Pro reads the computer's memory to find the program's instructions, that TLB split redirects the reverse engineering tool to the section of memory that's filled with encrypted, unreadable commands.

"You can specifically say that encrypted memory shall not be accessed from other regions that aren't encrypted," says Don Andrew Bailey, a well-known security researcher for Lab Mouse Security, who has reviewed Torrey's work.

Many hackers begin their reverse engineering process with a technique called "fuzzing." Fuzzing means they enter random data into the program in the hopes of causing it to crash, then analyze those crashes to locate more serious exploitable vulnerabilities. But Torrey says that fuzzing a program encrypted with HARES would render those crashes completely unexplainable. "You could fuzz a program, but even if you got a crash, you wouldn't know what was causing it," he says. "It would be like doing it blindfolded and drunk."

"Imagine trying to figure out what Stuxnet did if you couldn't look at it."

Torrey says he intends HARES to be used for protection against hacking, not for creating mysterious malware that can't be dissected. But he admits that if HARES works, it will be adopted for offensive hacking purposes, too. "Imagine trying to figure out what Stuxnet did if you couldn't look at it," he says. "I think this will change how [nation-state] level malware can be reacted to."

HARES's protections aren't quite invincible. Any program that wants to use its crypto trick needs to somehow place a decryption key in a computer's CPU when the application is installed. In some cases, a super-sophisticated reverse engineer could intercept that key and use it to read the program's hidden commands. But snagging the key would require him or her to plan ahead, with software that's ready to look for it. And in some cases where software comes pre-installed on a computer, the key could be planted in the CPU ahead of time by an operating system maker like Apple or Microsoft to prevent its being compromised. "There are some concerns with this from a technical point of view," says Bailey. "But it's way better than anything we have out there now."

Another way to crack HARES' encryption, says Torrey, would be to take advantage of a debugging feature in some chips. That feature allows a hardware device between the chip and the motherboard to read every command the processor executes. But taking advantage of that feature requires a five-figure-priced JTAG debugger, not a device most reverse engineers tend to have lying around. "It's pretty high level stuff," he says. "Obviously nation states will have these things, but probably not very many others."

Torrey notes that it may someday be possible to encrypt a program's code in a way that its instructions can run without ever being decrypted, making software that's truly unhackable. But such a system, known as "fully homomorphic encryption," is still largely theoretical. It currently makes computer processes take millions of times longer than they would without encryption. HARES slows down the programs it protects by only about 2 percent. "Fully homomorphic encryption is the holy grail, but it's an academic math problem," Torrey says. "This is something you can stick on your existing computer to protect your existing software."

Torrey developed HARES's TLB split trick with funding in 2013 from Darpa's Cyber Fast Track program. He plans to release the project's code not at March's SyScan conference, but possibly the next month at the Infiltrate security conference in Miami.

Torrey says that he wouldn't be surprised, however, if coders determine from his March talk how to use HARES's tricks and begin writing malware that's far harder to decode. Give hackers an unencrypted hint or two, and they have a way of figuring out your secrets.

#2 02-13-2015, 04:20
Syoma
Looks like something useless.
It seems HARES is just a framework for on-the-fly decryption and execution. Such a protection technique is used in many protectors, but does not help a lot.

#3 02-13-2015, 04:42
Masoud
Is there any ready-to-test sample?

#4 02-13-2015, 06:16
mcp
From what I've read it is based on the split TLB technique (see uninformed or newer paper MOrE Shadow Walker).
It works like this:
When translating virtual to physical memory addresses, there is a CPU cache that helps in alleviating the performance impact caused by the translation mechanism: the TLB (translation lookaside buffer). More precisely, there are actually two TLBs: one for data lookups, and one for code lookups.
Now, the basic idea of TLB splitting is to de-synchronize those two TLBs, thereby tricking the OS into mapping the same virtual address to different physical addresses.
Using that technique, one could for instance hide a rootkit in the kernel but still be able to execute code from it. However, when reading that memory, one wouldn't see the actual code.

#5 02-13-2015, 11:55
Conquest
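To make the mechanism mcp describes concrete, here is a toy model of a split TLB, added as an example and not code from the thread or from HARES. It assumes one virtual page, two physical frames, a one-entry ITLB and DTLB, and a page-fault handler that primes whichever TLB missed; all names and byte values are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model: a single virtual page backed by two frames.
 * frame_code holds the bytes the CPU actually executes; frame_cover
 * holds what a data read of the same virtual address will observe. */
#define PAGE 16
enum { FETCH = 0, READ = 1 };

static uint8_t frame_code[PAGE];
static uint8_t frame_cover[PAGE];
static uint8_t *itlb, *dtlb;   /* cached translations, NULL means miss */
static int desync;             /* 1 = split-TLB mode, 0 = normal paging */
static int faults;

/* With the PTE's P bit cleared, every TLB miss ends in #PF. The handler
 * looks at the access type and loads only the matching TLB, choosing a
 * different frame for fetches than for reads. In normal mode a page walk
 * yields the same frame for both, which is what the OS intended. */
static uint8_t *page_fault(int kind) {
    faults++;
    if (!desync) return frame_code;
    return kind == FETCH ? frame_code : frame_cover;
}

static uint8_t translate(int kind, unsigned off) {
    uint8_t **tlb = (kind == FETCH) ? &itlb : &dtlb;
    if (*tlb == NULL) *tlb = page_fault(kind);  /* miss -> walk -> #PF */
    return (*tlb)[off % PAGE];                   /* hit: no fault raised */
}

uint8_t code_fetch(unsigned off) { return translate(FETCH, off); }  /* CPU */
uint8_t data_read(unsigned off)  { return translate(READ, off); }   /* debugger/dumper */

void tlb_flush(void) { itlb = dtlb = NULL; }
int  fault_count(void) { return faults; }

void model_init(int split) {
    for (unsigned i = 0; i < PAGE; i++) {
        frame_code[i]  = 0x90;          /* constructed: NOP sled */
        frame_cover[i] = 0x90 ^ 0xA5;   /* constructed: "encrypted" view */
    }
    desync = split;
    faults = 0;
    tlb_flush();
}
```

Flushing the TLB (a context switch, or a tool that deliberately invalidates translations) forces a fresh fault, which is why a desynchronised mapping must be re-armed continuously and why detection approaches compare what a data read returns against what actually executed.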
Quote: Originally Posted by mcp (post #4 above)
In plain simple words, you stoop down so low that you are on the same level as malware. Unlike the real world, the problem with the internet is that once you invent a "nuclear bomb" you can't keep it in safe hands. So both the good and the bad guys suffer, the good guys probably more.

#6 02-15-2015, 19:29
deroko
ARTeam had a nice release back in the day: http://accessroot.com/arteam/site/download.php?view.309 to trace the OEP using a split TLB, with sources included.

#7 02-15-2015, 20:29
Kerlingen
Unless Microsoft changes the internal workings of Windows to explicitly support this kind of TLB use for DRM purposes, I can't see any use aside from malware.

Which legit commercial DRM protector would ever need PatchGuard to be disabled, and critical Windows structures that have been protected since the very first x64 versions to be hooked? This would corrupt the complete protected media path and effectively disable secure boot. Doing that would destroy far more currently existing DRM than HARES could ever replace.

#8 02-15-2015, 21:14
deroko
@Kerlingen: On x64 you may use hardware virtualization to catch int 0e, and of course your vmenter can be redirected to code which will act as the int 0e hook, thus implementing this on x64 is trivial. In this scenario it doesn't really matter if it's the old VMX, which causes the TLB to be flushed on vmexits, or the new one, which can preserve it, as either way the physical page you want to access has the P bit cleared in the PTE, and if the TLB is flushed you come to your int 0e hook. The only benefit the new VMX brings in terms of preserving the TLB is just a speedup in case of access to nonpaged code/data in kernel memory.
Last edited by deroko; 02-15-2015 at 21:37.