
Protecting software code by Guards


Shub-nigurrath
May 26th, 2005, 04:03
Hi all,
first of all, to open the discussion, I would like to introduce this paper:

https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2001-49.pdf

(if you're not able to download it, ask me).

The method the authors are proposing is really interesting and theoretically could be a pain in the ass whenever found in real applications.

The authors patented a method to insert guards into a generic win32 program and gave the patent to Arxan (http://www.arxan.com/), which is selling the related product (EnforcIT, http://www.arxan.com/products/ati/); it can also be easily found in the product's brochures.

Obviously there are no evaluations, but I was wondering if someone has already met an application protected with this technology, just to see in practice if it's so "uncrackable".

Moreover, as a bonus, on the site there's an interesting paper; not so amazing, but interesting:
http://www.arxan.com/ati/A-Survey-of-Anti-Tamper-Technologies.pdf

disavowed
May 26th, 2005, 08:51
Quote:
[Originally Posted by Shub-nigurrath]The authors patented a method to insert guards into a generic win32 program and gave the patent to Arxan

Actually, the authors are the founders of Arxan and are making use of their own patent.

naides
May 26th, 2005, 10:17
Quite an interesting concept, indeed.

They are infecting the code with polymorphic viruses (guards), which perform the tampering surveillance. Given my absolute ignorance in the field, I can venture some naive comments:

1) By the very nature of code monitoring and self healing, these creatures are reading the code and writing the code, i.e. they become ad-hoc debuggers. Hooking the APIs that perform this type of intervention, or making the code read-only through external intervention with a kernel debugger, one could unmask these activities and pinpoint the guards.

2) Polymorphism, even when it is automatic, has constraints, has a pattern. Getting one's hands on the protector software may be a key to discover the features of a prototypic guard, and find them heuristically in the code. No matter how polymorphic, they WILL interact with the OS through a finite and perhaps small number of APIs.


3) Because the guard monitoring activity IS an add-on to the original software flow, wouldn't it necessarily entail creating, at least temporarily, new threads? Monitoring the creation of threads may clue the cracker in to the guards' code.

Flame on

Shub-nigurrath
May 26th, 2005, 12:23
I didn't notice that the authors were also involved in the company, but it makes sense. About the protection, it would be extremely interesting to find protected apps around, which seems not to be the case actually.

disavowed
May 26th, 2005, 22:06
Quote:
[Originally Posted by Shub-nigurrath]About the protection, it would be extremely interesting to find protected apps around, which seems not to be the case actually.

That's because all of their work has been government-related and not commercial.

I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).

Shub-nigurrath
May 27th, 2005, 02:35
Well, I started this thread having in mind that paper and that type of attack.

Extremist
May 27th, 2005, 16:01
Quote:
[Originally Posted by disavowed]I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).


That paper mentions guards as a technology that's inadequate against the trick...

dELTA
May 29th, 2005, 11:53
Quote:
They are infecting the code with polymorphic viruses (guards), which perform the tampering surveillance.
This immediately gives me flashbacks of Xtreme Protector we-will-fuck-your-code-up-so-bad-it-won't-even-run-when-not-being-tampered-with tactics...

...which is of course one of the best kinds of protection there is: not even licensed users can run the code, since they might after all actually be an evil replicated clone of the original licensed owner, but anyway.

naides
May 29th, 2005, 17:42
In that vein, can you imagine these guards malfunctioning or running amok?

They may decide some stupid bug is tampering, and decide to "repair" some critical file in your system. Notice that for true "code healing" they need to permanently write their changes to the disk, not only in memory.
No, wait, this belongs to a Sci-Fi Horror movie: a strain of "guards" start "repairing" each other until they become self-conscious, start injecting copies of themselves into the network, get into the Department of Defense computers... well, you know the rest.

dELTA
May 30th, 2005, 04:21
Quote:
well, You know the rest
Yeah, two DoD officers accidentally walk into a janitor's closet, finding three photo-model gorgeous blonde janitor girls having sex with each other, and also inviting the officers to join in... Or am I thinking of the wrong movie here?

Silver
May 30th, 2005, 06:29
Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation

Interesting doc though. Great stuff.

naides
May 30th, 2005, 08:55
Quote:
[Originally Posted by Silver]Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation .


It is against the rulez of the board to post or request names of copyrighted material. Besides, it would not be ethical: dELTA himself directed and played the lead role in that movie. That is why the girls and the DoD officers spoke English with a heavy Swedish accent.

dELTA
May 30th, 2005, 09:07
Since it is not against the rules to name the target if you own the copyright yourself, for anyone interested I think we are talking about Sperminator 2: The Second Cumming, aren't we? And don't worry about exposing me, I was using my artist name, Jack Ass(protect)-crack.

Shub-nigurrath
May 30th, 2005, 09:15
I think we are diverging a little from the original thread's topic, aren't we?

dELTA
May 30th, 2005, 09:22
I'll take that as a direct insult to my artistic work, one more time and you will be banned.

Shub-nigurrath
May 30th, 2005, 12:30
Well, given the direction taken by the posts, I was being threatened not with being "banned" but with being "fu..ked", which would have been terribly worse! :-)

naides
May 31st, 2005, 18:34
Hey Shub:

I could not resist doing some silly posting on the thread you started. No offense intended.

It will be a question of time until this protection strategy becomes more widespread.
Right now these guys are suggesting they are more interested in Government/Military/High security code, so I doubt it will pop up in shareware or even commercial demos anytime soon. Theoretical RCE with no hands-on is not very productive and not very attractive.

Shub-nigurrath
June 1st, 2005, 03:21
I know, I know, even if the concept is already present. Guards, thought of as little pieces of code able to check or repair the monitored code, are already a reality; it is what some loaders/unpackers of common protectors are already doing.

What is not so easily found is a generic procedure to map guards into a program.

My remarks were about the tendency of threads to sometimes diverge; anyway, that is... no problem.
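The check-and-repair guard idea discussed above (naides's comments and the "check or repair the monitored code" description), as an added example that is not from this thread and not Arxan's code: a constructed byte array stands in for a code section, three guards with overlapping ranges checksum it, and a guard that finds a mismatch restores its range from a pristine snapshot. The FNV-1a checksum, the ranges and all names are my assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a code section; a real guard would hash the bytes
 * of the protected function instead of this array (assumption for the demo). */
#define CODE_LEN 64
static uint8_t code[CODE_LEN];
static uint8_t backup[CODE_LEN];   /* pristine copy that the repair step restores from */

typedef struct { size_t start, len; uint32_t expected; } guard_t;

/* FNV-1a, a cheap checksum chosen for the demo; a shipped guard would hide or key it. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

#define NGUARDS 3
static guard_t guards[NGUARDS];

/* Fill the fake code, snapshot it, and place three guards whose ranges overlap
 * so that every byte is covered by two of them (guards cross-checking each other). */
void guards_init(void) {
    for (size_t i = 0; i < CODE_LEN; i++) code[i] = (uint8_t)(i * 7 + 3);
    memcpy(backup, code, CODE_LEN);
    const size_t ranges[NGUARDS][2] = { {0, 32}, {32, 32}, {0, 64} };
    for (int g = 0; g < NGUARDS; g++) {
        guards[g].start = ranges[g][0];
        guards[g].len = ranges[g][1];
        guards[g].expected = fnv1a(code + ranges[g][0], ranges[g][1]);
    }
}

/* Run one guard: returns 1 if its range no longer matches (and repairs it), else 0. */
int guard_run(int g) {
    const guard_t *gd = &guards[g];
    if (fnv1a(code + gd->start, gd->len) == gd->expected) return 0;
    memcpy(code + gd->start, backup + gd->start, gd->len);   /* the "self-healing" step */
    return 1;
}

/* Sweep all guards in order; returns how many fired. */
int guards_sweep(void) {
    int fired = 0;
    for (int g = 0; g < NGUARDS; g++) fired += guard_run(g);
    return fired;
}

/* Test hooks: simulate an in-memory byte change and compare the image with the snapshot. */
void simulate_patch(size_t off, uint8_t v) { if (off < CODE_LEN) code[off] = v; }
int code_is_pristine(void) { return memcmp(code, backup, CODE_LEN) == 0; }
```

Because the first guard that notices a change also repairs it, a later guard covering the same bytes sees a clean image; this is why the count of guards that fire depends on sweep order and why a real deployment would also have guards check each other's code, not just the application's.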

longbkit
December 20th, 2011, 02:43
Hello all, I would like to reactivate this thread, since our company is using this solution from the Arxan company. We are not experts in the field of reverse engineering, so we cannot judge the safety of this method. So I will be very grateful if someone could identify the drawbacks of this method in terms of safety, or show some real instances where this solution has already been broken.

Thank you very much.

OHPen
December 20th, 2011, 06:53
@longbkit: the Arxan protection system is divided into two sections, the commercial one and the military one. Both implement the concept of so-called guards, which is nothing more than a fancy name for binary code instrumentation, IPC and various injected threads in the protected binary communicating with some sort of "master". Although I am not quite familiar with the military version, the concept of "guards" follows the principle of making code more difficult to trace and analyse at runtime, as static analysis is not possible.

We thought about buying the technology but at the end it turned out that this approach won't resist a serious attack.

The strength of a protection can be measured in the variety of reverse engineering countermeasures and settled base techniques like obfuscation, control flow transfer and, well, a certain amount of complexity (for example something like a VM approach) + a little bit of creativity. I mean, honestly, the idea of having threads and processes communicating with each other is really not new to us, right? But do you really know an application which makes heavy use of it??? I'm only aware of a few applications which do "stuff" using IPC and RPC. And why? Because it seems that it is quite difficult to have all those parallel running execution entities synchronized correctly.
From my developer point of view this is simply some sort of laziness, or maybe the missing capability for a proper system design, I don't know.....

Another word on Arxan: the biggest advantage of that system is that it is rather unknown in the commercial sector (due to its military history) + the system itself has a certain complexity which forces an attacker to invest time; it's for sure not a two-week project to break the protection.

Regards,
OHPen.

Maximus
December 20th, 2011, 10:13
I did try to find a sample/application protected with it some months ago, but failed.

...If you really want to know if it's strong enough or not, attach a protected sample here (or a link to downloadable software protected with it) for analysis.

@OHPen: the 'military-grade' isn't worth much... leaving aside wikileaks, you'd remember there's no supermarket out there for getting the best reversers working for you, and I'd be VERY, very surprised if they really had many of them... or even enough.
It reminds me of this funny thing: http://www.wired.com/dangerroom/2011/12/crack-code-become-spy/
...and I guess you can easily recognize the x86 in it.

OHPen
December 21st, 2011, 04:32
@Maximus: LoL, it's funny that you mention that contest. This was exactly my thought when I saw it the first time. MUST BE CODE !!! But afaik they introduced it as some crypto blahblah stuff. I can just imagine having a few crypto gurus sitting in front of that code snippet trying to figure out which alternative of whatever cipher it could be !!! ;DDDD Good luck guys, hehe.

That saved my day ;D

I agree with you. Neither the government nor the military has a lot of skilled reverse engineers. They simply are not able to pay them. Stupid but true. On the other side I like that, because it increases our market value!
I doubt that you will see Arxan stuff floating around here because they usually try to avoid sharing on a large scale. This is the reason why the military and commercial branches have been split development-wise, just to prevent the military stuff getting hacked as well when somebody cracks the commercial protection. Another reason why you haven't seen any of the Arxan stuff here is that they do not sell their protection to everybody, only to large customers and B2B software.

Regards,
OHPen

Maximus
December 21st, 2011, 05:26
B2B... much money, minimal risks of being cracked since almost nobody accesses it, minimal risks it goes in cracker's hands... a good choice, indeed^^

Nevertheless, since they used that obfuscation technology with Flex, I was curious to find at least a sample somewhere. Too much brag and no living sample, imho.
Have you had the possibility to view/access a sample obfuscated with it? Or do you know a commercial app that uses it? I heard some time ago that Blizzard's Warden obfuscation was coming from it; is Blizzard among their customers?

If you translate the site's buzzwords into practical terms... aha... Uniloc is the pathetic company that sued M$ and won 300M$... until M$ asked for a review from a competent judge, who immediately dismissed their claims, and Uniloc filed for bankruptcy or so. Uniloc... hm... had it been used for some game?

OHPen
December 21st, 2011, 07:15
I haven't had a possibility to look at a commercial app, but I once had access to a protected example application. That's where my knowledge about it is coming from. I have to mention that this was 3 years ago... but at that time the obfuscation was pretty much like any other stuff out there. Their focus is not on obfuscation, more on infrastructure like their guards, "self-healing" code and a special feature I like, "asynchronous bad condition crashes" ))); they also taint the code flow for runtime analysis. It's new to me that they use the same obfuscation technique as Flexera, but why not...

The problem here is that things like that are quite costly performance-wise, so it won't be used very often...

It was some time ago that I heard about Uniloc, it wasn't very popular, right!? I would love to see some up-to-date example of Arxan's protection system (full featured) too!! I don't know the names of companies which are using Arxan, as they tend to handle everything with an NDA.

Regards,
OHPen

Maximus
December 21st, 2011, 15:35
Ah, I understand now what it is about. Ah well, I was hoping for something more interesting; it is something like the multithreaded guards that cross-check each other and so on, then.
I remember having read some paper about such things, some time ago.

Now I see how they can offer protection for so many platforms, a fact I was wondering about... just a matter of some C/C++ adapting, then. The 'Java' protection in the list was... odd, in my view.

OHPen
December 21st, 2011, 15:59
Yep, that's it. I mean, sure, for obfuscation they have to go down to the file format level, but this is no more rocket science today. Take a few public libraries, connect them together and you have your own binary instrumentation framework...

longbkit
December 25th, 2011, 22:59
Thank you guys for the responses.

They are selling their product at a very high price; this for sure limits the number of protected apps floating around over the Internet, so that fewer hackers will ever touch it. However, what I think is that there is some real high-value product that attracts the best hackers from all over the world, and that is enough to hack Arxan if their algorithm or idea comes with some critical failures.

The thing that makes me not trust in Arxan is that there are very few comments from the best hackers about their product. How can an anti-reverse-engineering algorithm be safe if no hacker knows about it, or, put differently, they are just safe because no one ever tries to hack it.

Thank you.

FrankRizzo
January 1st, 2012, 01:35
Last I heard Arxan was nearly dead. I used to work for a competitor, and that was the news that we got. They weren't getting the government contracts for investigating things like they used to, and as a result either went out of business, or at least scaled back what they were doing in a major way. For the record, I'm GLAD to be out of that business; I didn't like the secrecy and the security clearance bullshit.

longbkit, from what we were told by companies where Arxan had presented before us, they were considered to be almost like a joke protection. They were considered to be "JUST a software protection solution", which in the world they were trying to play in wasn't sufficient.


Ohhh... And to address the comments above about the government not having any good reversers, don't you believe it! They have groups that you never hear about that are VERY clever.