Protecting software code by Guards

[Shub-nigurrath]

Hi all,
first of all to open the discussion I would introduce this paper

https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2001-49.pdf

(if you're not able to download ask it to me).

The method the authors are proposing is really interesting and theoretically could be a pain in the ass whenever found in real applications.

The authors patented a method to insert guards into a generic win32 program and given the patent to Arxan (http://www.arxan.com/index.php) which is selling the relative product (EnforcIT, http://www.arxan.com/products/ati/index.php), can also be easily found in the product's brochures..

Obviouslly there's not evaluations, but I was wondering if someone already meet an application protected with this technology..just to practically see if it's so "uncrackable"..

Moreover as a bonus in the site there's an interesting paper, not so amazing, but interesting..
http://www.arxan.com/ati/A-Survey-of-Anti-Tamper-Technologies.pdf

[disavowed]

The authors patented a method to insert guards into a generic win32 program and given the patent to Arxan

Actually, the authors are the founders of Arxan and are making use of their own patent.

[naides]

Quite Interesting concept, indeed.

They are infecting the code with polymorphic viruses (guards), who perform the tampering surveilance. Given my absolute ignorance in the field, I can venture some naive coments:

1)By the very nature of code monitoring and self healing, these creatures are reading the code and writing the code, i/e they become ad-hoc debuggers. Hooking on APIs that perform these type of intervetions or making the code read/only thorugh external intervention with a kernel debugger one could unmask these activities and pinpoint the guards.

2)Polymorphism, even when it is automatic, has constrains, has a pattern. Getting one's hands on the protector software may be a key to discover the features of a prototypic guard, an find them heuristically in the code. No mather how polymorphic, they WILL interact with the OS through a finite and perhaps small number of APIs


3) Because the guard monitoring activity IS an Add-on to the original software flow, wouldn't it necessarily entail creating at least temporarily, new threads? Monitoring the creation of threads may clue the cracker to the guards code.

Flame on

[Shub-nigurrath]

didn't noticed that the authors were also involved in the company but makes sense ..about the protection would be extremely interesting to find proteted apps around that seems not actually.

[disavowed]

about the protection would be extremely interesting to find proteted apps around that seems not actually.

That's because all of their work has been government-related and not commercial.

I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).

[Shub-nigurrath]

well i started this thread having in mind that paper and that type of attacks..

[Extremist]

I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).

That paper mentions guards as a technology that's inadequate against the trick...

[dELTA]

They are infecting the code with polymorphic viruses (guards), who perform the tampering surveilance.

This immediately gives me flashbacks of Xtreme Protector we-will-fuck-your-code-up-so-bad-it-won't-even-run-when-not-being-tampered-with tactics...

...which is of course one of the best kind of protections there is, not even licensed users can run the code, they might after all actually be an evil replicated clone of the original licensed owner, but anyway.

[naides]

On that vein, can you imagine these guards misfunctioning or running amok?

They may decide some stupid bug is tampering, and decide to "repair" some critical file in your system. Notice that for true "code healing" they need to permanently write their changes to the disk, not only in memory.
No, wait, this belongs to a Sci-Fi Horror movie: A strain of "guards" start "repairing" each other until they become self concious, start injecting copies of themselves in the network, get into the Department of Defense computers. . . well, You know the rest

[dELTA]

well, You know the rest

Yeah, two DoD officers accidently walk into a janítor's closet, finding three photo model gorgeous blond janitor girls having sex with each other, and also inviting the officers to join in... Or am I thinking of the wrong movie here?

[Silver]

Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation

Interesting doc though. Great stuff.

[naides]

Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation .

It is against the rulez of the board to post or request names of CopyRighted material. Besides it would not be ethical, dELTA himself directed and played the lead role on that Movie. That is why the girls and the DoD officers Spoke English with a heavy Swedish Accent.

[dELTA]

Since it is not against the rules to name the target if you own the copyright yourself, for anyone interested I think we are talking about Sperminator 2: The Second Cumming, aren't we? And don't worry about exposing me, I was using my artist name, Jack Ass(protect)-crack.

[Shub-nigurrath]

I think we are diverging a little from the original's thread topic, isn't it?

[dELTA]

I'll take that as a direct insult to my artistic work, one more time and you will be banned.