Arrrrr, Let's Randomize Yer Binaries
Thomas Ptacek | June 27th, 2006 | Filed Under: Industry Punditry, Reversing

V.I. Labs had the misfortune of getting lumped into “our” Dark Reading article, and based on their collateral let me just say, “not a fan”.
First: “powerful, out-of-the-box security solutions that protect against piracy, tampering, and theft of high value or mission critical software applications”. Where have I heard that before? Oh yeah, in the code that forced me to use that little red piece of plastic to look up the “secret codes” in the manual for The Secret of Monkey Island (ye ARRRR glad ‘ta be dead, right?).
Paul Kocher’s Cryptography Research has the real deal here, in a system called Self Protecting Digital Content. The wrong and the short of it: “reference monitor” code runs on a virtual machine with an instruction set architecture deliberately designed to make tracing, reversing, and altering code a huge bitch.
V.I. Labs' product encrypts binaries in a fashion that is, on paper, reminiscent of DVD AACS. Application code is still just application code, written in, say, Visual C++, still targeting the Windows ABI and the Intel ISA. It's just hidden until it's time to run it.
Because this system is ultimately running native code on Win32, I want to know why it doesn't simply have the same chain-of-trust issues that the Xbox has. (That link, by the way, needs to be taught in universities.)
I have two more technical reactions to this pitch:
Thwarting “reverse engineering” by protecting binaries would monkeywrench only a minority of the projects we’ve been on, where our best source was black-box testing of network protocols.
The “secure execution monitor” seems like a rehash of HIPS, a la Entersys/MCAF, Okena/CSCO, and Sana. It’s not an easy response to “logic-level” threats, which don’t rely on buffer overflows but rather weak authentication protocols, inconsistent authorization, or just plain bad design.
So it also doesn’t really impact the type of threats we’re talking about at Black Hat.
Then I have two marketing reactions:
If I’m an enterprise security manager, tell me what value this technology offers me by obscuring the binaries I’m running on my server. We get paid to break open commercial apps. Enterprises want us to do it, so they can preempt vulnerabilities and have some degree of predictability.
If I’m an enterprise software vendor, and rolling a simple “golden” build of a known-good revision of my code can take a week and involve a meeting with QA, support, and sales engineering, tell me how this product gets over the objection that it is essentially randomizing the build.