Date: Wed, 20 Feb 2008 21:39:03 -0500
From: ari edelkind <edelkind-freebsd-hackers@episec.com>
To: freebsd-hackers@freebsd.org
Subject: Re: encrypted executables
Message-ID: <20080221023902.GI79355@episec.com>
In-Reply-To: <47BCD34F.7010309@freebsd.org>
References: <86068e730802181718s1ad50d3axeae0dde119ddcf92@mail.gmail.com> <47BA3334.4040707@andric.com> <86068e730802181954t52e4e05ay65e04c5f6de9b78a@mail.gmail.com> <20080219040912.GA14809@kobe.laptop> <f8e3d83f0802200451r463f188bn881268b9b2768846@mail.gmail.com> <47BCD34F.7010309@freebsd.org>
> > #!/usr/local/bin/mysecyritywrapper
> > <...encrypted code goes where...>
> >
> > In this way, it'll be hard to use truss, ktrace, strace etc...
>
> No, not really. All of those tools can trace through
> to sub-processes, so whenever the code gets decrypted and
> starts executing (whether it's in the main process or
> in a sub-process), they'll be able to follow the system
> calls it makes.

Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is already being traced. As for core files, a process can use setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory pages may be encrypted or unloaded, to be decrypted or loaded on demand.

An approach that handles all of the above, with the possible exception of setrlimit(RLIMIT_CORE,...), is "shiva", though it's available only for Linux and distributed as an executable.

http://www.securiteam.com/tools/5XP041FA0U.html

Even then, the developers explicitly state that this can only slow the determined attacker in his endeavors, but the solutions everyone seems to be proposing here won't help.

Mind you, it's true that disabling core dumps with a resource limit doesn't keep one from creating a core image using gcore, but since gcore generally must either attach to a process using ptrace() or access mapped code segments in the original binary (depending on the implementation), it won't help in such a case, either.

That said, here's a set of slides from a talk on attacking shiva-encrypted binaries:

http://www.blackhat.com/presentations/bh-federal-03/bh-federal-03-eagle/bh-fed-03-eagle.pdf

ari
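The setrlimit(RLIMIT_CORE,...) step mentioned above, as an added example that is not part of the thread: it lowers both the soft and the hard core limit to zero, because only the hard limit stops an unprivileged process (or code running inside it) from simply raising the limit again; the calls are POSIX and work the same on FreeBSD and Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Disable kernel-written core files for this process and anything it later
 * forks or execs. Lowering a hard limit is always permitted; raising it again
 * needs privilege, so an unprivileged process cannot undo this.
 * Returns 0 on success, -1 on failure with errno set. */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 when both the soft and the hard core limit are zero, else 0. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Attempt to re-enable core dumps after disable_core_dumps(). For an
 * unprivileged process this fails with EPERM because it would raise the
 * hard limit. Returns 0 if the limit was raised, -1 otherwise. */
int try_reenable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = RLIM_INFINITY, .rlim_max = RLIM_INFINITY };
    return setrlimit(RLIMIT_CORE, &rl);
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("core dumps disabled: %s\n", core_dumps_disabled() ? "yes" : "no");
    if (try_reenable_core_dumps() != 0)
        printf("re-enable refused: %s\n", strerror(errno));
    else
        printf("re-enable succeeded (process is privileged)\n");
    return 0;
}
```

As the message itself points out, this only governs core files written by the kernel; a debugger's gcore reads the process image through ptrace() and is not affected by the limit.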