Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid vs. Owlfish |
| CYCLONE Hx9: NSA Exploit of the Day »
February 24, 2014
New Results in Software Obfuscation
Amit Sahai and others have some new results in software obfuscation. The papers are here. An over-the top Wired.com story on the research is here. And Matthew Green has a great blog post explaining what's real and what's hype.
Posted on February 24, 2014 at 6:35 AM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
One of the best DefCon presentations I saw was "Trolling with Math", about how binaries can be protected from reverse engineering by messing with the reverse engineer :) Offensive security versus trying to obscure what is going on. Somebody running IDApro could be detected and then exploits in that program used to stop them, or virtual forensic machines detected and open their web browser to an exploit serving page, or just constantly rebooting their system and erasing logs
Pop writers did the same with homomorphic encryption, until everyone was fully convinced it had been reduced to a plug-in that you could download, then sprinkle on any and every database while the clouds parted and angels began to sing. The truth is, it's a resource dog, and it leaks.
Matthew Green's opening paragraph certainly made me smile :-)
And BTW, anytime you see the term 'thoroughly reviewed' run the other way. It's utterly meaningless.
Yup it looks like that, only my BF app barfed on it, maybe "cut-n-past" is not hacking it.
For any budding coding wanabees out there try writing your own BF interpreter that runs inside a Word doc or spread sheet, it can be done... and you will definatly learn something .
 of the many things that could be learned patience and determination are but two, however a wise man should quite quickly pause for thought long enough to realise that important time is passing that could be more productivly used quaffing ale.
Thanks to Matthew Green for his thoughtful explanation. However... what interests me more is the related further concept of securely running a program on a hostile compromised system, without letting the hostile host system compromise the program. It seems logical to me that math and cryptography could somehow help solve this problem someday with enough smart minds thinking about it.
This interests me because it seems obvious that no hardware vendor can be trusted anymore. We have to assume all hardware vendors have been taken over by human-rights-hostile governments (like the USA! but really any and all governments since it's human nature to consolidate and grow power) coercing them to do bad things to everyone. So code has to be secured from that worst case scenario or it's wide open, and can't be trusted.
It still has the issues with inputs and outputs passing through insecure parts though (i.e. keyboards, screens, etc)... so... sigh.
DARPA Looks To End the Scourge of Counterfeit Computer Gear (found on SlashDot)
Posted by samzenpus on Monday February 24, 2014 @04:47PM
from the knocking-out-knock-offs dept.
"Few things can mess up a highly technical system and threaten lives like a counterfeit electronic component, yet the use of such bogus gear is said to be widespread. A new Defense Advanced Research Projects Agency (DARPA) program will target these phony products and develop a tool to 'verify, without disrupting or harming the system, the trustworthiness of a protected electronic component.'"
It would be guaranteed to be propaganda if the NSA, CIA, or FBI were to issue this "fatwa". By have the "trusted" military undertake this agenda item, the idea is to "smooth" over the FUD with regard to "spying". If DARPA says something is okay, one can be fairly certain that it is equipped under the covers for spy agency work.
The usefulness of all of the big projects I take on tends to, in the end, be less than the usefulness of the ale I take in now. It's all about the ratio of effort to reward.
I've been planning on writing an essay on how to approach making an alternative to SQL for relational databases that is not-horrible (e.g. designed so that building SQL strings is not a thing, designed to minimize code-reuse and copy-pasting, without developers having to do stupid things that hurt peformance like "AND (@Var IS NULL OR Column1 = @Var)"). I kind of write a bit here and there, and then stop when I realize it's a jumble of semi-related thoughts, at which point I get out the laser pointer to watch my cat go crazy. I've been doing this for weeks. The goal is to eventually get people together to actually design the language, and maybe an implementation, but just that first part seems to be going nowhere. I hate writing, and I kind of suck at it.
I have a lot of ideas for languages (including a couple of nice to work with, safer alternative replacements for C and C++), I just need to find a proxy to take all of my ideas and do the work for me, while I do tasks with a hgiher reward to effort ratio, like drink ale.
What if I don't want my software obfuscated? I'd prefer to compile it myself à la Gentoo or something similar.
I think the projects I referenced before should get more praise than this research. These people are talking in theory about obfuscating programs. The projects I mentioned effectively built black box obfuscators for software. Let's do a CODESEAL type architecture as an example:
1. Memory is encrypted.
2. Persistent storage is encrypted.
3. Control flow can only go to permissible, predefined code blocks.
4. Trusted boot process to load signed image.
5. Everything outside of the main chip is untrusted.
This is a black box obfuscator in silicon. It wants to ensure so no attached device or software can violate the security policy. This has confidentiality and integrity requirements. The software one loads into it can be an image both parties inspected. This architecture is already available commercially so it's way past theory. This is the kind of design that should be getting press.
There's quite a few others. Point being that the key to obfuscated execution was a good hardware design, not more math. The engineers already solved this problem in dozens of ways. I've done it too. A few designs are even Linux compatible. More of the security and cryptographic community should put effort into bringing such things into usable form as they will be much more useful than theoretical work.
I fully understand the problem having grown up sufficiently to realise there is nothing heroic or sexy about pulling "all nighters" etc over a hot keyboard, especialy when there is little or nothing in it for me just my employer or some ungratful other.
I actually told one employers senior managment some years ago --when their idiot "contracting" project manager was giving me grief and sugesting my continuing employment was dependant on working an extra 30 hours per week gratis-- "You pay I'll play, after all that idiots on billable". It caused quite a flap, anyway the "idiot" was out the door quicker than I, even though it took me two weeks to find a new employer and then work my months notice... As for the "mega important project" I was offered incentives to stay but turned them down (I don't play that game and told them so). Any way I bumped into one of the people that worked there for a while after I left, some time later at a trade show and over a drink they told me the company failed to get the project to work in time and lost the subsiquent contracts and they like me jumped ship as they could see the company had to down size which it duely did significantly...
The thing is that nearly all research shows that working more than seven hours on a mentaly taxing task is actually self defeating very very quickly (it's why commercial vehical drivers and airline pilots are legaly not alowed to work more than a certain number of hours). So not only is burning the midnight oil antisocial and not heroic or sexy it's actually counter productive as mistakes rise rapidly with a tired mind. And recent research also shows that drinking strongly caffinated drinks and taking in lots of simple carbs (sugars etc) is equally counter productive.
Apparently for the best "mental output" the thing to do is start the day with protien and mild excercise, drink plenty of water throughout the day  and avoid carbs especialy sugars, have a lunch of vegtable soup or broth, then after work do some High Intensity Training (HIT) consume some complex carbs do a half hour of walking/swiming/cycling rest/winddown for a couple of hours in low light and quiet with a class of milk or two  then get a good nights sleep of atleast a couple of three hour cycles, and importantly if you feel mentaly tired at work take a short "cat nap" or as it's called by managment gurus a "power nap". All of which appears to be the opposit of what managment want the actual productive workers to do...
Sadly though most alcoholic drinks are not good for you, though the more natural it is the better, so some wines and naturaly produced beers can cross over to slightly good for you in proper moderation ...
There is one drink that gets quite a bit of argument about not just in the scientific but social and cullerany worlds and that's tea. Historians have noted that historicaly the size of cities is decided by disease. However societies that drink weak beer or tea have significantly larger cities with greater population densities. The original argument was it's because the water gets boiled. However it appears that when looking at those who drink beer/coffee and those who drink beer/tea or just tea those societies that drink tea have less disease and manage higher population densities .
And before you ask it I follow this life style, lets just say I wish I'd done a lot more of it when I was younger ;-)
 Apparently there is some contraversy about how much fluid you should drink, but the general medical concensis is we don't drink enough. For many years the armed forces have told people to "watch your urine colour" it should be clear or pale straw, not yellow or darker under normall conditions (though watch out for some medications that do darken it irrespective of hydration level).
 It appears that most "energy drinks" and "sports drinks" are of little or no benifit to a normal health person --and can infact be quite harmfull to some-- and research has shown faster recovery and more sustained performance in athalets if they drink milk instead after training (though some people do have issues).
 Apparently a health liver can deal with the alcohol in about half a pint of (weak) beer per hour but no more. The downside is what the liver does with it which means you need to burn energy. So a farm labourer of a hundred years or so ago could safely drink eight pints of beer across the working day, but not so for us sedentry desk dwelling types :-(
 One thing that is clear is smoking is bad for you and most people now accept that after 50years. However there is a bit of the message most people have not taken onboard. That is the risks of drinking and smoking are not addative they appear to have a significantly greater risk when the activities are combined as has happened in most social gtherings for quite some time. However in the UK where premature death from smoking and drinking are some of the highest in the world smoking in pubs clubs and other indoor venues is now baned. It will --if I live long enough-- be interesting to see what happens to the UK mortality figures, especialy in "socialy deprived" areas.
 Tea bush leaves have traditionaly been added to food that is stored as it apparently helps it keep longer. Science has subsiquently found that some species of tea do have antibacterial properties (and some are researching anti viral as well). However there is considerable disagrement as to if this has any benifit when humans drink tea... I suspect from "history" that it does. So maybe "milky tea" might be the new "super drink" ;-)
@ Nick P,
Whilst those points are both practical and efficient there is a problem with them.
And it's the dreaded "trusted platform" issue.
Put simply at some point the code is de-obsficated to be executed, and if an attacker can get at that point then it's game over.
Untill fairly recently against better sense large numbers of people were instead of "keeping their feet on the ground" were going and "sticking their heads in the clouds".
What has caused problems for cloud suppliers is the Ed Snowden revelations, have briefly woken some of these head in a cloud dreamers, who are turning back to having the hardware under their control (not that it makes it any more trustworthy as you know). However the Cloud suppliers have a lot of money invested and I can't see them giving up without a significant fight. Thus I have a feeling that in a little while companies that have pulled out of cloud usage will "sleepwalk" right back in when the enticements become good enough.
Cloud computing involves using "untrusted hardware" as a fundemental assumption currently, whilst current encryption can make "data at rest" fairly secure the same is very far from true for actual "computation".
When combined with other techniques code obsfication will hopefully eliminate the "trusted platform" issue, but I'm far from sure on that...
You nailed my three biggest problems: diet, exercise and sleep. Eating healthy is one of those things where I know how to do it, I will give advise on it, but the knowledge doesn't stop me from living on what can best be described as the bachelor diet (did you know you can get pizza delivered?). Exercise is what I get when I'm angrily pacing while arguing with the talking head on TV, who apparently isn't listening to a word I say.
As for sleep, poor diet and exercise compounds my sleeping problem. When I decide to sleep, my brain tends to have other ideas. Usually those ideas include how to fix SQL, what should go into a more modern alternative to C, cryptographic algorithms and protocols, etc. I'll go to bed between 11pm and 2am, and fall asleep between 2 and 4 in the morning, to get up between 6 and 8 to go to work. Weekends I like to think of as that hazy series of naps before I have to get up for work. I stopped drinking coffee, as it tends to compound the problem; drive to work half-asleep (totaled my last car that way), drink 3-6 cups of coffee to make it throughout the day, then I get even less sleep than the night before. I do drink tea, and have cut back on soda in favor of water (they pipe it into my home for next than nothing, and it's zero calories!)
Work itself isn't bad, I'm hourly, and my company generally doesn't want us working overtime, unless there is a good reason for it. But still, I spend an hour to an hour and a half driving, and 8 hours dealing with code every day, and when I get home I'm not really in the mood to do anything one would consider productive (especially if it involves looking at a computer screen).
GPUs will be the next frontier in hiding code. Can run with ephemeral keys encrypted, impossible to detect.
@ Clive Robinson
And it's the dreaded "trusted platform" issue.
You've identified the elephant/gorilla/NSA in the room.
I'd suggest that every vendor that claims ISO 15408/27000 compliance is in fact non-compliant. Let the law suits begin. If I were a small device vendor that has the responsibility to assure ISO compliance I'd suggest that they have suffered harm by the U.S. government.
And, Nick P clued me in that you may not be a you.
@ Clive Robinson
"Put simply at some point the code is de-obsficated to be executed, and if an attacker can get at that point then it's game over."
The trick is making it harder and harder to extract it. Even if we invent software obfuscation, it will be implemented on some kind of hardware. Like I noted in my counterpoint to Bruce, computers don't run math. So, I think it's safe to say most hardware type attacks on an engineered solution like CODESEAL will be a risk for chips running theoretically secure obfuscated software.
"Cloud computing involves using "untrusted hardware" as a fundemental assumption currently, whilst current encryption can make "data at rest" fairly secure the same is very far from true for actual "computation"."
I totally agree. The hackers at conventions like Black Hat are already giving them reasons to worry. Turns out that mutually distrusting computations shared on an insecure COTS board doesn't result in secure multi-tentant systems. Mind blowing.
The push to cloud type designs is one of the reasons for my MPP architecture exploration. The idea is to get rid of all that cloud crap. Instead, it's just nodes with CPU and memory. The CPU might be microcoded to run safe language like Java. Physical and address separation could be used to separate tenants or processes. Dedicated nodes would handle IO subject to a security policy. Dedicated, highly assured nodes for management and logging. Thing is, there's so little software in security-critical part of the design that it might be made with at least medium assurance. Too much OS and hardware in current cloud systems to assure.
RobertT suggested that here a long while ago. He suggested them for other security problems too.
Eating healthy is one of those things where I know how to do it, I will give advise on it, but the knowledge doesn't stop me from living on what can best be described as the bachelor diet
Having a life long adiction to tasty food, I know of the problem as my waist line will attest to :-(
However "bloke chow" reminds me of the old joke of,
The wages of sin are death... but the hours are good
Take the pizza you know the base is loaded with sugar and salt, likewise the tomato paste which is likewise thickened with the likes of chemicaly processed animal hair. The chease is well re-cycled rotten milk again with all sorts of unplesant chemicals. Then there is the partialy rotted belly fat and gut muscle stuffed into animal intestines and loaded with salt and sugar and even more strange chemicals some of which are known carcanogens which we call peperoni. We then apply heat to make more carconegens... Knowing all this you would think we would treat it as being worse than a bowl of live maggots, but know we gleefully stuff ourselves with slices of pizza because for some strange inexplicable reason the unpalatable devils brew of salt, sugar, fat and leathal chemicals by the application of "Hell's Fire" some how becomes a tasty meal...
As for excercise it's not the pacing up and down that does you good it's the arobic excercise of screaming at the anoying talking head that gives you the cardio vascular work out ;-)
Some time ago there was a conferance of cardiac medical proffesionals up in Liverpool, an eminent cardiologist during their talk said "The best way to murder some one was to feed them lots of indian food, because all the ghee that sticks to the blood vessal walls and kills them is put down to natural causes at autopsy"...
Honeypots could be a highly complementary defence when also considering obfuscation! Not only would layers upon layers of honeypots potentially keep even the most determined attackers busy for a while; one may even learn more of the hostiles' strategies... and possibly even provides the ability detect 0-days and apply appropriate actions automatically before it even becomes an issue.!? ;-)
Honeypots could be a highly complementary defence when also considering obfuscation!
Only if they are implemented correctly which does not happen currently.
Honeypots and tarpits have a problem which few wish to talk about, which are they are fairly easy to enumerate and thus avoid.
I pointed out quite some time ago on this blog how they are very suseptable to side channels that reveal what they are to somebody who knows what to look for.
In essence a honeypot or tarpit is code that sits in a spin awaiting input ontop of an OS. This has a number of charecteristic signitures, but worse many are run as multiple virtual systems on single hardware instances which adds further identifing signitures.
As was once pointed out 'you can put a wolf in sheeps cloathing but it still behaves like a wolf not a sheep'. And it's these differences or deltas that strip of the cloth to reveal the real animal underneath.
Typically I wouldn't examine write-up for weblogs, nonetheless need to express that this particular write-up really required us for you to do it! The creating preference has become impressed me. Many thanks, pleasant post.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.