Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Encryption Method Fights Reverse Engineering

Posted by Soulskill on from the with-many-obfuscations,-all-bugs-are-deep dept.

New submitter Dharkfiber sends an article about the Hardened Anti-Reverse Engineering System (HARES), which is an encryption tool for software that doesn't allow the code to be decrypted until the last possible moment before it's executed. The purpose is to make applications as opaque as possible to malicious hackers trying to find vulnerabilities to exploit. It's likely to find work as an anti-piracy tool as well. To keep reverse engineering tools in the dark, HARES uses a hardware trick that’s possible with Intel and AMD chips called a Translation Lookaside Buffer (or TLB) Split. That TLB Split segregates the portion of a computer’s memory where a program stores its data from the portion where it stores its own code’s instructions. HARES keeps everything in that “instructions” portion of memory encrypted such that it can only be decrypted with a key that resides in the computer’s processor. (That means even sophisticated tricks like a “cold boot attack,” which literally freezes the data in a computer’s RAM, can’t pull the key out of memory.) When a common reverse engineering tool like IDA Pro reads the computer’s memory to find the program’s instructions, that TLB split redirects the reverse engineering tool to the section of memory that’s filled with encrypted, unreadable commands.

3 of 215 comments (clear)

  1. Bring it on, folks! by aaaaaaargh! · · Score: 5, Insightful

    The crackers are going to love breaking this in 1, 2, 3 ...

  2. Re:More of the same: by DocSavage64109 · · Score: 5, Insightful

    Assuming this encryption actually works, it probably wreaks major havoc with processor caching and branch prediction algorithms. I'd be interested in seeing benchmarks of this encryption in action vs the non-encrypted version.

  3. Does it matter? by aepervius · · Score: 5, Insightful

    As long as you can hide to the software you are debugging it, you can step by step through it until it is decrypted. So for all the money, all the added complexity, all you won is only a slight bit more time. The only real copy protection is when part of the code is not run locally but on a different remote machine. For example if you have something on a server which needs to be queried and allow you to continue with the software, like some of the online authorization.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org