
A method for execution of partially decrypted memory image of encrypted binaries

IP.com Disclosure Number: IPCOM000238842D
Publication Date: 2014-Sep-22
Document File: 1 page(s) / 17K

Publishing Venue

The IP.com Prior Art Database

Abstract

Executable packing and binary encryption are popular methods for obfuscating the content of binary executables. They can be seen as a contributing factor in preventing reverse engineering, analysis, modification and disassembly of programs. While there are malicious uses of this technology, such as malware trying to hide its presence in the code, there are also legitimate uses, such as digital rights management (DRM) and prevention of binary code/data tampering by an attacker. The popular voice-over-IP service and instant messaging client Skype, owned by Microsoft, is one of the most well-known users of binary encryption and obfuscation. Their methods are at the frontier of this technology and have been investigated by black-hat hackers; slides discussing their methods for binary obfuscation, among other security methods, can be found here:

· Silver Needle in the Skype by Philippe Biondi and Desclaux Fabrice: http://www.oklabs.net/wp-content/uploads/2012/06/bh-eu-06-Biondi.pdf
· Skype Uncovered by Desclaux Fabrice: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf

A major vulnerability of binary encryption is that the binary has to reside in an unpacked and decrypted state somewhere in memory: the text section of an encrypted executable can be recovered by waiting for it to decrypt and monitoring the machine's RAM. An example of a state-of-the-art solution to this problem for x86 ELF executables is given in the slides for the Shiva tool: https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mehta/bh-us-03-mehta.pdf

Shiva breaks a binary up into "crypt blocks": the code section is partitioned into code blocks which are placed into pages, and by using demand paging Shiva decrypts a page only when there is a page fault and the code of the requested page needs to be executed.

· More information about this, and about how Shiva can be defeated, can be found in the work Strike/Counter-Strike: Reverse Engineering Shiva by Chris Eagle: https://www.blackhat.com/presentations/bh-federal-03/bh-federal-03-eagle/bh-fed-03-eagle.pdf

We propose a new binary packing, encryption and decryption tool that can be used on any binary executable or shared library and provides a novel decryption approach that makes reverse engineering of the input binary nearly impossible.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 58% of the total text.


Given a native binary executable or shared library and one or more encryption keys, the target file is encrypted offline, at the developer's machine, using the input key(s). A new file is produced for distribution to customers.

Upon execution of the encrypted binary, a process of the proposed tool starts, takes control of the target program's execution and appropriate system security measures are performed.

Next, the appropriate decryption key is fetched (can be either embedded into the target file or gained via a secured network connection from a remote server in order to provide an extra layer of protection).

Finally, partial file decryption and code execution are performed using our new approach as described below.

Our major contribution is an innovative new way of decrypting encrypted binaries. It splits the text section of the binary into code fragments and makes sure that only a small number of them reside in a decrypted, yet obfuscated, form in memory at any given time.
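The fragment scheme described in this paragraph, and the demand-paging decryption attributed to Shiva in the abstract, as an added Python model (illustration code written for this page, not the disclosed tool's or Shiva's implementation). It assumes a hypothetical per-fragment XOR keystream derived with SHA-256 in place of a real cipher, a constructed 16-byte fragment size and a cache of two plaintext fragments; the point it makes visible is what a RAM snapshot contains at any moment: only the fragments currently cached are in the clear, every other fragment is still ciphertext.

```python
"""Demand-decrypted code fragments with a bounded plaintext cache.

Hypothetical model written for illustration: the text section is split into
fixed-size fragments that are stored encrypted; executing a fragment decrypts
it on demand, and at most MAX_PLAIN fragments are in the clear at any moment
(the least recently used one drops back to ciphertext when the cache is full).
The XOR keystream below is a stand-in for a real cipher.
"""
from collections import OrderedDict
import hashlib

FRAGMENT_SIZE = 16   # bytes per fragment (constructed value, not from the disclosure)
MAX_PLAIN = 2        # fragments allowed in decrypted form at the same time


def _keystream(key, index, length):
    """Per-fragment keystream: SHA-256 over key, fragment index and a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + index.to_bytes(4, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def pack_text(text, key):
    """Offline (developer-side) step: split the text section and encrypt each fragment."""
    fragments = [text[i:i + FRAGMENT_SIZE] for i in range(0, len(text), FRAGMENT_SIZE)]
    return [_xor(f, _keystream(key, i, len(f))) for i, f in enumerate(fragments)]


class FragmentLoader:
    """Runtime side: encrypted fragments plus an LRU cache of decrypted ones."""

    def __init__(self, packed, key, max_plain=MAX_PLAIN):
        self.packed = list(packed)
        self.key = key
        self.max_plain = max_plain
        self.plain = OrderedDict()    # fragment index -> plaintext, oldest first
        self.decryptions = 0          # how often a fragment had to be decrypted

    def fetch(self, index):
        """Return the plaintext of one fragment, decrypting it if it is not cached."""
        if index in self.plain:
            self.plain.move_to_end(index)
            return self.plain[index]
        if len(self.plain) >= self.max_plain:
            self.plain.popitem(last=False)   # evict: only ciphertext stays in memory
        cipher = self.packed[index]
        code = _xor(cipher, _keystream(self.key, index, len(cipher)))
        self.plain[index] = code
        self.decryptions += 1
        return code

    def memory_image(self):
        """What a RAM snapshot sees: plaintext for cached fragments, ciphertext elsewhere."""
        return b"".join(self.plain.get(i, c) for i, c in enumerate(self.packed))


def run_trace(loader, trace):
    """Execute fragments in the given order; return the peak number in the clear."""
    peak = 0
    for index in trace:
        loader.fetch(index)
        peak = max(peak, len(loader.plain))
    return peak


if __name__ == "__main__":
    text = bytes(range(64))              # constructed stand-in for a 64-byte text section
    loader = FragmentLoader(pack_text(text, b"demo-key"), b"demo-key")
    print("peak plaintext fragments:", run_trace(loader, [0, 1, 2, 0, 3]))
    print("decryptions:", loader.decryptions)
```

The `decryptions` counter is the cost side of the design: every cache miss is a decryption, so a hot loop that spans more fragments than the cache holds will thrash, which is the same trade-off Shiva faces with page faults.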

In addition, each time the control flows into a code path that needs decryption, it gets (see details below) decrypted in an amorphous manner, i.e.:

· Code Reordering Optimization is performed with a random profile: this ensures a different basic block order, by reversing the condition of conditional branches, which adds another layer of uncertainty and obfuscation while maintaining semantics and safety
· Function I...
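The branch-reversal reordering in the first bullet above, as an added Python model (illustration written for this page, not the disclosed tool's transformation). It uses a hypothetical mini control-flow-graph IR and a constructed sample program: a random profile negates a branch condition and swaps its two targets, a linearizer then lays the blocks out so that fall-through edges stay valid (which is what changes the block order), and a small interpreter checks that every profile computes the same result. All names in the IR are invented for the example.

```python
"""Conditional-branch reversal as a semantics-preserving block reordering.

Hypothetical mini-IR for illustration.  A block is (stmts, term):
  stmts: ("const", dst, v) | ("add", dst, a, b) | ("sub", dst, a, b)
         | ("lt", dst, a, b) | ("not", dst, a)
  term:  ("br", cond, taken, fallthrough) | ("jmp", target) | ("ret", var)
"""
import random

# Sample program (constructed): abs_sum(x) = 1 + 2 + ... + |x|
ABS_SUM_CFG = {
    "entry":     ([("const", "zero", 0), ("lt", "neg", "x", "zero")],
                  ("br", "neg", "negate", "loop_init")),
    "negate":    ([("sub", "x", "zero", "x")], ("jmp", "loop_init")),
    "loop_init": ([("const", "acc", 0), ("const", "one", 1)], ("jmp", "loop_head")),
    "loop_head": ([("lt", "more", "zero", "x")], ("br", "more", "loop_body", "exit")),
    "loop_body": ([("add", "acc", "acc", "x"), ("sub", "x", "x", "one")],
                  ("jmp", "loop_head")),
    "exit":      ([], ("ret", "acc")),
}

OPS = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "lt": lambda a, b: int(a < b)}


def random_profile(cfg, seed):
    """Seeded coin flip per conditional branch: the set of branches to reverse."""
    rng = random.Random(seed)
    return {label for label, (_, term) in cfg.items()
            if term[0] == "br" and rng.random() < 0.5}


def reverse_branches(cfg, flips):
    """Negate the condition and swap the targets of every branch listed in flips."""
    out = {}
    for label, (stmts, term) in cfg.items():
        if label in flips and term[0] == "br":
            _, cond, taken, fall = term
            neg = "not_" + cond + "@" + label            # fresh temporary
            stmts = stmts + [("not", neg, cond)]
            term = ("br", neg, fall, taken)
        out[label] = (stmts, term)
    return out


def linearize(cfg, entry):
    """Lay blocks out so each branch's fall-through target directly follows it.

    Returns a list of (label, stmts, term); a linear ("br", cond, taken) falls
    through to the next entry when cond is zero.  If the fall-through block was
    already placed, an explicit jump stub is emitted instead.
    """
    code, placed, pending = [], set(), [entry]
    while pending:
        label = pending.pop()
        while label is not None and label not in placed:
            placed.add(label)
            stmts, term = cfg[label]
            if term[0] == "br":
                _, cond, taken, fall = term
                code.append((label, stmts, ("br", cond, taken)))
                pending.append(taken)
                if fall in placed:
                    code.append((label + "$jmp", [], ("jmp", fall)))
                    label = None
                else:
                    label = fall
            elif term[0] == "jmp":
                code.append((label, stmts, term))
                label = None if term[1] in placed else term[1]
            else:
                code.append((label, stmts, term))
                label = None
    return code


def layout_of(code):
    return [label for label, _, _ in code]


def execute(code, inputs, max_steps=10_000):
    """Run linear code from its first entry; return the value named by ret."""
    index = {label: i for i, (label, _, _) in enumerate(code)}
    env, pc = dict(inputs), 0
    for _ in range(max_steps):
        _, stmts, term = code[pc]
        for op in stmts:
            if op[0] == "const":
                env[op[1]] = op[2]
            elif op[0] == "not":
                env[op[1]] = int(not env[op[2]])
            else:
                env[op[1]] = OPS[op[0]](env[op[2]], env[op[3]])
        if term[0] == "ret":
            return env[term[1]]
        if term[0] == "jmp":
            pc = index[term[1]]
        elif env[term[1]]:              # "br": taken when the condition is non-zero
            pc = index[term[2]]
        else:
            pc += 1
    raise RuntimeError("step limit exceeded")


def equivalent_under_profiles(cfg, entry, inputs, seeds):
    """True if every random profile yields the same results as the unmodified layout."""
    reference = linearize(cfg, entry)
    for seed in seeds:
        code = linearize(reverse_branches(cfg, random_profile(cfg, seed)), entry)
        if any(execute(code, inp) != execute(reference, inp) for inp in inputs):
            return False
    return True
```

Running `layout_of(linearize(...))` on the plain CFG and on a reversed one shows the effect the bullet describes: reversing `entry` alone moves `negate` up to directly after `entry` and pushes `loop_body` to the end, while `execute` returns the same values for every input.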