
posted by martyb on Wednesday February 18 2015, @04:55AM
from the cracker-jack-anti-crack-hack dept.

Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It’s also what allows those same hackers’ dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.

At the SyScan conference next month in Singapore, security researcher Jacob Torrey plans to present a new scheme he calls Hardened Anti-Reverse Engineering System, or HARES. Torrey’s method encrypts software code such that it’s only decrypted by the computer’s processor at the last possible moment before the code is executed. This prevents reverse engineering tools from reading the decrypted code as it’s being run. The result is tough-to-crack protection from any hacker who would pirate the software, suss out security flaws that could compromise users, and even in some cases understand its basic functions.

http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/

  • (Score: 5, Insightful) by Kell on Wednesday February 18 2015, @05:03AM

    by Kell (292) on Wednesday February 18 2015, @05:03AM (#146432)

    What prevents me from extracting the flash binary code, running the binary in a sandbox emulator and stepping through each code instruction one at a time and extracting the machine code sequentially? Unless there is something very subtle here, this appears to give no protection whatsoever if you control the environment. If you don't control the environment, then you don't have a problem in the first place.

    --
    Scientists ask questions. Engineers solve problems.
    • (Score: 3, Informative) by kaszz on Wednesday February 18 2015, @05:13AM

      by kaszz (4211) on Wednesday February 18 2015, @05:13AM (#146433) Journal

      Exactly!

      And you could also do a black box analysis. Do X and see what I/O action steps are taken to do that.

    • (Score: 5, Insightful) by bzipitidoo on Wednesday February 18 2015, @05:26AM

      by bzipitidoo (4388) on Wednesday February 18 2015, @05:26AM (#146436) Journal

      Shh! He has to sell it to a bunch of gullible music executives and software vendors first.

      Say any more, and you might be accused of reverse engineering his scheme. That would be a serious violation of the DMCA.

      Just like Creationists, they want to believe!

    • (Score: 5, Interesting) by linuxrocks123 on Wednesday February 18 2015, @05:57AM

      by linuxrocks123 (2557) on Wednesday February 18 2015, @05:57AM (#146440) Journal

      Nothing. It uses a well-known trick, called the TLB Split. Also, the CPU claims that the cold boot attack wouldn't work on it, but it would.

      I posted a detailed analysis when this was discussed on Slashdot: http://slashdot.org/comments.pl?sid=6967529&cid=49051091 [slashdot.org]

      • (Score: 3, Informative) by Kell on Wednesday February 18 2015, @07:08AM

        by Kell (292) on Wednesday February 18 2015, @07:08AM (#146443)

        Your analysis (and very polite response to idiot trolls) on the green site is well written and informative. I look forward to seeing more of your comments on Soylent!

        --
        Scientists ask questions. Engineers solve problems.
      • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @09:22AM

        by Anonymous Coward on Wednesday February 18 2015, @09:22AM (#146455)

        To my surprise, following that link I didn't get the beta design, but the old one. Did Slashdot finally drop beta?

        • (Score: 2) by kaszz on Saturday February 21 2015, @03:34AM

          by kaszz (4211) on Saturday February 21 2015, @03:34AM (#147677) Journal

          AFAIK that green mess just gives you a sane page sometimes. Kind of like a jackpot at the casino. You won't win every time ;)

      • (Score: 2) by FatPhil on Wednesday February 18 2015, @09:32AM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday February 18 2015, @09:32AM (#146457) Homepage
        Hmmm, looks like slashdot's been soylented! (i.e. it's down right now)
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 5, Funny) by q.kontinuum on Wednesday February 18 2015, @10:28AM

          by q.kontinuum (532) on Wednesday February 18 2015, @10:28AM (#146466) Journal

          Hmmm, looks like slashdot's been soylented!

          I think the right term is soylenced?

          --
          Registered IRC nick on chat.soylentnews.org: qkontinuum
      • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @09:55AM

        by Anonymous Coward on Wednesday February 18 2015, @09:55AM (#146460)

        And oddly enough, the first time I try to visit Slashdot in the year since migrating here it spits out a 503 service offline error.

      • (Score: 2) by francois.barbier on Wednesday February 18 2015, @10:43AM

        by francois.barbier (651) on Wednesday February 18 2015, @10:43AM (#146468)

        The website you linked doesn't appear to work.

        It returns "503 Service Temporarily Unavailable" in the HTTP header.
        It says "404 File Not Found" in the title bar.
        It says "503 - Service Offline" in the page content

        Sounds like great programming!

        • (Score: 2) by tibman on Wednesday February 18 2015, @06:41PM

          by tibman (134) on Wednesday February 18 2015, @06:41PM (#146624)

          Errors Beta.

          --
          SN won't survive on lurkers alone. Write comments.
      • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @05:13PM

        by Anonymous Coward on Wednesday February 18 2015, @05:13PM (#146583)

        On your slashdot reply chain, you went over why DMA attacks through Firewire should in theory work, but can be blocked by disabling it in the firmware (usually fine because Firewire peripherals are not too common these days.) However, under the responses about it also being an issue with PCI/PCI express, etc., I think something got missed: aren't most of the common/modern PCMCIA-cardbus (and whatever that smaller port that is replacing it is called) just hot-swappable PCI/PCI express? If so, that becomes a potential attack vector that is more commonly used (although it too is way less popular these days thanks to the overwhelming success of USB.)

        • (Score: 2) by linuxrocks123 on Wednesday February 18 2015, @10:06PM

          by linuxrocks123 (2557) on Wednesday February 18 2015, @10:06PM (#146728) Journal

          Yeah, evil PCMCIA cards might be an issue, but, like you said, the ports are becoming very rare. I think they can be disabled similar to FireWire, too, but I'm not 100% positive.

        • (Score: 2) by kaszz on Saturday February 21 2015, @03:36AM

          by kaszz (4211) on Saturday February 21 2015, @03:36AM (#147678) Journal

          Modern Cardbus is a PCI-express x1 lane (AFAIR).

          Just build yourself a memory snoop client and have fun..

  • (Score: 5, Interesting) by frojack on Wednesday February 18 2015, @05:23AM

    by frojack (1554) on Wednesday February 18 2015, @05:23AM (#146434) Journal

    I've heard that a lot of the vulnerabilities are found by fuzzing techniques, shooting random data through the software till it misbehaves, or takes a different branch, and then looking at what caused the instruction pointer to jump to the unexpected address.

    Most of this can be done with modern instruction level debuggers. At that level, you are running machine assembly level code, and you can get there with test harnesses that freeze things whenever the instruction pointer gets to the offset you are interested in. By that time, it would already be decrypted in memory for you.

    Removing the encryption would also seem to be not that hard, because the instructions have to be in clear text when passed to the processor, and you could record each instruction as it goes by. To have any kind of performance, you would have to decrypt blocks of code, put them in a non-execute-protect memory segment and begin execution. Those blocks would have to be sizeable chunks of code or you would spend more time decrypting and loading than executing the code. So you could grab huge chunks of code at once.

    Seems like a short term gain if you ask me.

    --
    No, you are mistaken. I've always had this sig.
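The argument Kell and frojack make above (whatever decrypts code right before execution hands the clear code to anything sitting at that boundary, and the block size is a speed/exposure trade-off) can be modelled in a few lines. The following is an added illustration, not code from HARES, the Wired article, or any commenter; the SHA-256 keystream XOR "cipher", the one-byte pseudo-instructions, the `DEMO_KEY`, and the `run_protected` "processor" loop are all constructed simplifications.

```python
"""Toy model of block-wise decrypt-before-execute protection plus an
observation hook. Constructed illustration, not code from HARES or the
article; the cipher (SHA-256 keystream XOR), the block layout and the
'processor' loop are hypothetical simplifications."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample program: 64 one-byte pseudo-instructions.
PROGRAM = bytes(range(0x10, 0x50))
# Constructed key; in the real scheme this would live inside the CPU.
DEMO_KEY = b"constructed-demo-key"


def _keystream(master_key: bytes, block_index: int, length: int) -> bytes:
    """Per-block keystream from a hash counter (hypothetical KDF, demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = master_key + block_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
        counter += 1
    return out[:length]


def encrypt_program(program: bytes, master_key: bytes, block_size: int) -> List[bytes]:
    """Split the program into blocks and XOR each with its own keystream."""
    blocks = []
    for start in range(0, len(program), block_size):
        chunk = program[start:start + block_size]
        ks = _keystream(master_key, start // block_size, len(chunk))
        blocks.append(bytes(a ^ b for a, b in zip(chunk, ks)))
    return blocks


Hook = Callable[[int, bytes], None]


def run_protected(blocks: List[bytes], master_key: bytes,
                  hook: Optional[Hook] = None) -> Tuple[int, int]:
    """Plays the 'processor': decrypts a block only when it is about to run,
    executes it, then drops the plaintext. The key never leaves this function.
    `hook` stands in for a debugger breakpoint or an emulator's instruction
    trace sitting at exactly this point. Returns (decrypt_count, executed)."""
    decrypts = executed = 0
    for index, enc in enumerate(blocks):
        ks = _keystream(master_key, index, len(enc))
        plain = bytes(a ^ b for a, b in zip(enc, ks))
        decrypts += 1
        if hook is not None:
            hook(index, plain)
        executed += len(plain)  # each byte "executes" as one instruction
        del plain  # the clear block is gone again; only the hook kept a copy
    return decrypts, executed


def recover_by_tracing(blocks: List[bytes], master_key: bytes) -> bytes:
    """Rebuild the clear program from what the hook alone observed.
    The hook receives no key material: the plaintext is simply available at
    the execute boundary, which is the commenters' point."""
    seen: Dict[int, bytes] = {}

    def observe(index: int, plain: bytes) -> None:
        seen[index] = plain

    run_protected(blocks, master_key, hook=observe)
    return b"".join(seen[i] for i in sorted(seen))


if __name__ == "__main__":
    # Smaller blocks mean more decrypt operations per run (frojack's
    # performance point); every block size still leaks the whole program
    # to the hook.
    for block_size in (4, 16, 64):
        enc = encrypt_program(PROGRAM, DEMO_KEY, block_size)
        decrypts, executed = run_protected(enc, DEMO_KEY)
        recovered = recover_by_tracing(enc, DEMO_KEY)
        print(f"block_size={block_size:3d} decrypts={decrypts:3d} "
              f"executed={executed} recovered={recovered == PROGRAM}")
```

The design point for anyone evaluating such a scheme: its trust boundary is whatever component performs the decryption, so the protection is only as good as the guarantee that nothing else can observe that component's output. Where the observer controls the environment (an emulator, a debugger, a DMA-capable device), the key itself never needs to be found.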
  • (Score: 4, Insightful) by GeminiDomino on Wednesday February 18 2015, @02:32PM

    by GeminiDomino (661) on Wednesday February 18 2015, @02:32PM (#146523)

    Just perfect. Another "trick" that's going to prove ultimately worthless for the stated use case, but will come in real handy for scumbags writing malware.

    --
    "We've been attacked by the intelligent, educated segment of our culture"
    • (Score: 1) by monster on Thursday February 19 2015, @08:26AM

      by monster (1260) on Thursday February 19 2015, @08:26AM (#146891) Journal

      Encrypted code being unencrypted at runtime (with even keys composed on the fly with bits from here and there) has been a staple functionality of malware in the last 25 years, at least. Doesn't seem so novel, at least on first look.

      • (Score: 2) by GeminiDomino on Thursday February 19 2015, @04:09PM

        by GeminiDomino (661) on Thursday February 19 2015, @04:09PM (#146994)

        True, it's a new technique to the same end, which means there will be a period before the anti-malware programs catch up, and when they do, any program that uses it is going to be flagged as a false positive, thus rendering it all but useless.

        --
        "We've been attacked by the intelligent, educated segment of our culture"
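monster and GeminiDomino note that code encrypted at rest and decrypted at runtime is a long-standing malware trait and that scanners end up flagging it. One of the simplest heuristics behind such flags is a sliding-window entropy scan: encrypted or packed regions look like uniformly random bytes, while ordinary machine code has a skewed byte distribution. The following is an added example written for this thread, not code from any anti-malware product; the sample "image", the window size and the 7.0 bits/byte threshold are constructed values.

```python
"""Sliding-window Shannon entropy scan for encrypted/packed regions.

Added example for the thread; not code from any scanner or from the
article. The sample buffer, window size and threshold are constructed."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte alphabet."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_high_entropy(buf: bytes, window: int = 512, step: int = 256,
                      threshold: float = 7.0) -> List[Tuple[int, int, float]]:
    """Return (start, end, max_entropy) spans whose windows exceed `threshold`.
    Overlapping flagged windows are merged into one span so a single
    encrypted region reports once rather than once per window."""
    hits: List[Tuple[int, int, float]] = []
    last_start = max(len(buf) - window, 0)
    for start in range(0, last_start + 1, step):
        chunk = buf[start:start + window]
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        end = start + len(chunk)
        if hits and start < hits[-1][1]:  # overlaps the previous flagged span
            prev_start, _, prev_h = hits[-1]
            hits[-1] = (prev_start, end, max(prev_h, h))
        else:
            hits.append((start, end, h))
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a binary: a low-entropy 'code' region, an
    encrypted blob, and zero padding. Deterministic so results are repeatable."""
    rng = random.Random(2015)
    # Pseudo-code: a tiny opcode alphabet with many repeats (at most 3 bits/byte).
    code = bytes(rng.choice(b"\x55\x48\x89\xe5\x8b\x45\x00\xc3") for _ in range(2048))
    # Encrypted region: uniformly random bytes, which is what cipher output looks like.
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    # Trailing zero padding, as section alignment would leave behind.
    return code + blob + b"\x00" * 512


if __name__ == "__main__":
    image = build_sample_image()
    for start, end, h in scan_high_entropy(image):
        print(f"high-entropy span 0x{start:05x}-0x{end:05x}  ({h:.2f} bits/byte)")
```

Two caveats worth keeping in mind when this heuristic is used in practice: compressed resources and embedded media also score near 8 bits/byte, so a hit is a prompt to look closer, not a verdict; and GeminiDomino's false-positive concern is exactly what this shows, since a legitimately protected program and a packed piece of malware are indistinguishable at this level.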
  • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @03:47PM

    by Anonymous Coward on Wednesday February 18 2015, @03:47PM (#146556)

    This sounds like a way to consume a million times more power just to get some more security-through-obscurity.
    Intel, are you there?

    • (Score: 2) by kaszz on Saturday February 21 2015, @03:39AM

      by kaszz (4211) on Saturday February 21 2015, @03:39AM (#147680) Journal

      Get rid of Microsoft and save lots of carbon release..

  • (Score: 2) by Bot on Thursday February 19 2015, @08:20PM

    by Bot (3902) on Thursday February 19 2015, @08:20PM (#147097) Journal

    No need to make programs impossible to reverse engineer anymore.
    Just code it in perl.

    --
    Account abandoned.