Slashdot Mirror


New Encryption Method Fights Reverse Engineering

New submitter Dharkfiber sends an article about the Hardened Anti-Reverse Engineering System (HARES), which is an encryption tool for software that doesn't allow the code to be decrypted until the last possible moment before it's executed. The purpose is to make applications as opaque as possible to malicious hackers trying to find vulnerabilities to exploit. It's likely to find work as an anti-piracy tool as well. To keep reverse engineering tools in the dark, HARES uses a hardware trick that’s possible with Intel and AMD chips called a Translation Lookaside Buffer (or TLB) Split. That TLB Split segregates the portion of a computer’s memory where a program stores its data from the portion where it stores its own code’s instructions. HARES keeps everything in that “instructions” portion of memory encrypted such that it can only be decrypted with a key that resides in the computer’s processor. (That means even sophisticated tricks like a “cold boot attack,” which literally freezes the data in a computer’s RAM, can’t pull the key out of memory.) When a common reverse engineering tool like IDA Pro reads the computer’s memory to find the program’s instructions, that TLB split redirects the reverse engineering tool to the section of memory that’s filled with encrypted, unreadable commands.
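The following toy model, added here and not code from HARES or its authors, shows the property the summary describes: a processor-held key, one TLB mapping used for instruction fetch and another used for data loads, so that a memory read of a protected code page returns ciphertext while the fetch path sees plaintext. The page size, the XOR stand-in cipher and the sample bytes are constructed for illustration.

```python
"""Toy model of the split-TLB code/data separation described above (constructed example)."""
PAGE = 16                      # tiny page size for the toy model


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real cipher (assumption): XOR with a repeating key. XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class SplitTlbCpu:
    def __init__(self, key: bytes):
        self._key = key        # held only inside the "processor" object, never written to ram
        self.ram = {}          # physical frame number -> bytes
        self.itlb = {}         # virtual page -> frame used for instruction fetch
        self.dtlb = {}         # virtual page -> frame used for data loads/stores
        self._next_frame = 0

    def _alloc(self, contents: bytes) -> int:
        frame, self._next_frame = self._next_frame, self._next_frame + 1
        self.ram[frame] = contents
        return frame

    def map_data(self, vpage: int, contents: bytes) -> None:
        """Ordinary page: both TLBs point at the same frame."""
        self.itlb[vpage] = self.dtlb[vpage] = self._alloc(contents)

    def map_protected_code(self, vpage: int, ciphertext: bytes) -> None:
        """Protected code page: the data path keeps the encrypted frame, the fetch path is
        redirected to a frame decrypted with the processor-held key."""
        self.dtlb[vpage] = self._alloc(ciphertext)
        self.itlb[vpage] = self._alloc(xor_cipher(ciphertext, self._key))

    def data_read(self, addr: int, n: int) -> bytes:
        """What a debugger or memory dumper sees when it reads this address range."""
        vpage, off = divmod(addr, PAGE)
        return self.ram[self.dtlb[vpage]][off:off + n]

    def instruction_fetch(self, addr: int, n: int) -> bytes:
        """What the pipeline actually executes from this address range."""
        vpage, off = divmod(addr, PAGE)
        return self.ram[self.itlb[vpage]][off:off + n]


def demo():
    key = b"\x5a\xa5"                       # constructed processor key
    plaintext_code = bytes(range(16))       # constructed stand-in for 16 bytes of machine code
    cpu = SplitTlbCpu(key)
    cpu.map_protected_code(0, xor_cipher(plaintext_code, key))   # page 0: protected code
    cpu.map_data(1, b"hello, world!!!!")                          # page 1: plain data
    # returns (what a dumper reads, what the CPU fetches, a normal data read)
    return cpu.data_read(0, 16), cpu.instruction_fetch(0, 16), cpu.data_read(16, 5)
```

The model also makes visible what several comments below point out: anything that observes execution through the fetch path sees the decrypted frame, so the protection is against memory reads, not against execution itself.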

8 of 215 comments

  1. Bring it on, folks! by aaaaaaargh! · Score: 5, Insightful

    The crackers are going to love breaking this in 1, 2, 3 ...

  2. Really? by jythie · Score: 4, Insightful

    Does anyone in the industry who actually works with computers believe these kinds of claims? Such technologies are great for getting buy-in from marketing, the legal dept, underwriters, and content owners, but outside making the life of developers more difficult I have not heard of them actually stopping reverse engineering.

    The only time these kinds of tools seem to 'work' is when you are producing something which lacks the popularity to be worth the effort, which is not a good sign.

  3. In 3...2...1... by PvtVoid · Score: 4, Insightful

    ... somebody exploits this to write malware that's truly a bitch to reverse-engineer.

    1. Re:In 3...2...1... by suutar · Score: 4, Insightful

      and viruses/trojans that are immune to signature-based scanning. Better get serious about process privilege and running stuff in revertable VMs.

  4. Sigh. by ledow · Score: 4, Insightful

    "Another way to crack HARES’ encryption, says Torrey, would be to take advantage of a debugging feature in some chips... But taking advantage of that feature requires a five-figure-priced JTAG debugger, not a device most reverse engineers tend to have lying around."

    Or running the code in a VM.

    Really? This sounds just the same as someone saying that DEP would stop this kind of reverse engineering (the concept seems incredibly similar to me, maybe I'm wrong). If someone wants to reverse engineer software, they will have the tools to do so and, in this modern world, any software that's run on physical hardware but not in a VM must have a limited lifespan.

    If all else fails, emulate the machine. Slow, yes, but reverse-engineering and debugging tools need to be incredibly slow anyway.

    Sorry, but this is a slashvertisement for something with precisely zero deployments in real-life software that people might want to reverse-engineer.

    And, as said, all you've done is make it easier to create malware that's difficult to remove. So, in effect, such facilities in processors will end up being beefed up to take account of this and rendering the technique obsolete.

    In all of recorded computing history, every technique for preventing reverse-engineering or debugging has turned out not to work, or to be so onerous on users that nobody ever actually enables it.

  5. Re:More of the same: by DocSavage64109 · Score: 5, Insightful

    Assuming this encryption actually works, it probably wreaks major havoc with processor caching and branch prediction algorithms. I'd be interested in seeing benchmarks of this encryption in action vs the non-encrypted version.

  6. Does it matter? by aepervius · Score: 5, Insightful

    As long as you can hide from the software that you are debugging it, you can step through it until it is decrypted. So for all the money, all the added complexity, all you have won is a slight bit more time. The only real copy protection is when part of the code is not run locally but on a different remote machine. For example, if you have something on a server which needs to be queried and allows you to continue with the software, like some of the online authorization.

  7. Re:Intel Already Does This by Anonymous Coward · Score: 2, Insightful

    Not released until Skylake. Can't believe this is +4 Informative. Should be -1, No Research.
    https://software.intel.com/en-us/intel-isa-extensions