A new instruction overlapping technique for improved anti-disassembly and obfuscation of x86 binaries

The problem of correctly recovering assembly instructions from a binary has received much attention and both malware and license validation code often relies on various anti-disassembly techniques in order to complicate analysis. One well-known anti-disassembly technique is to use overlapping code such that the disassembler starts decoding from an incorrect byte, but still recovers valid code. The actual code which is supposed to be executed is instead hidden inside a decoy instruction, and is overlapped with the disassembled code. We propose and investigate a new novel anti-disassembly method that allows for exceptional flexibility in the hidden instructions, while at the same time providing a disassembled main path that is executable. This allows the approach to be very efficient against static linear sweep disassembly, but also to be more difficult to detect using dynamic analysis methods. The idea is to utilize highly redundant instructions, e.g., multibyte no-operation instructions, and embed the hidden code in the configurable portions of those instructions. By carefully selecting wrapping instructions, providing overlaps, the hidden execution path can be crafted with great flexibility. We also provide a detection-algorithm, together with testing results, for testing software such that the hidden execution path can be identified

eavesROP: Listening for ROP Payloads in Data Streams (preliminary full version)

We consider the problem of detecting exploits based on return-oriented programming. In contrast to previous works we investigate to which extent we can detect ROP payloads by only analysing streaming data, i.e., we do not assume any modifications to the target machine, its kernel or its libraries. Neither do we attempt to execute any potentially malicious code in order to determine if it is an attack. While such a scenario has its limitations, we show that using a layered approach with a filtering mechanism together with the Fast Fourier Transform, it is possible to detect ROP payloads even in the presence of noise and assuming that the target system employs ASLR. Our approach, denoted eavesROP, thus provides a very lightweight and easily deployable mitigation against certain ROP attacks. It also provides the added merit of detecting the presence of a brute-force attack on ASLR since library base addresses are not assumed to be known by eavesROP

Blockchain-based publishing layer for the Keyless Signing Infrastructure

A Keyless Signing Infrastructure (KSI) provides users with a means to timestamp documents on a per-second basis. The KSI consists of a global infrastructure with several server layers and by using Merkle hash trees, the root hash can be used to verify the integrity and timestamp of a document. Regular publication of root hashes, e.g., once per month, allows a document to be verified without support of the servers, but the previously proposed publication channels have several limitations. In this paper we address these limitations and show how a blockchain can be used as an additional publication layer on top of a KSI. Using the scripting capabilities in transactions, new features are introduced to the publication of root hashes. This includes faster publication, proof of origin for the publisher and the possibility for third parties to explicitly verify root hashes before they are published. These improvements will allow the verification of documents to be simpler, more flexible and more secure

Secure RPC in embedded system - Evaluation of some GlobalPlatform implementation alternatives

In secure computing systems, isolation between different components is normally the basis for security. However, ab- solute isolation is seldom desired nor practical. Often for the system to function, a secure communication channel between otherwise isolated components is also needed. In this work, we consider implementation of the secure Remote Procedure Call (RPC) mechanism defined by the GlobalPlatform spec- ification on top of some different isolation mechanisms. Fur- thermore, implementation details, performance and security will be discussed

Secure RPC in embedded systems - Evaluation of some GlobalPlatform implementation alternatives

In secure computing systems, isolation between different components is normally the basis for security. However, absolute isolation is seldom desired nor practical. Often for the system to function, a secure communication channel between otherwise isolated components is also needed. In this work, we consider implementation of the secure RPC mechanism defined by the GlobalPlatform specification on top of some different isolation mechanisms. Furthermore, implementation details, performance and security will be discussed

Exploiting Trust in Deterministic Builds

Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used the embed hidden code directly from the C programming language

A Technique for Remote Detection of Certain Virtual Machine Monitors

The ability to detect a virtualized environment has both malicious and non-malicious uses. This paper reveals a new exploit and technique that can be used to remotely detect VMware Workstation, VMware Player and VirtualBox. The detection based on this technique can be done completely passively in that there is no need to have access to the remote machine and no network connections are initiated by the verifier. Using only information in the IP packet together with information sent in the user-agent string in an HTTP request, it is shown how to detect that the traffic originates from a guest in VMware Workstation, VMware Player or VirtualBox client. The limitation is that NAT has to be turned on and that the host and guest need to run different operating system families, e.g., Windows/Linux