SlideShare a Scribd company logo

Emulation-based SW protection

Download as PPTX, PDF
abdullah roomi, profile picture
abdullah roomi

This document discusses three emulation-based software protection techniques: emulation sandboxing, emulation-based encrypted code execution, and emulation-based page granularity code signing. Emulation sandboxing protects against kernel malware by executing guest OS instructions in a separate host OS memory space. Encrypted code execution protects against reverse code engineering by decrypting and executing encrypted guest code in host memory. Page granularity code signing protects against software exploits by only executing guest code with valid authentication codes computed in host memory.

Technology
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Subject: Emulation-based Software Protection Presented by: Abdullah Roomi Presented to : Dr.Belal Amro Hebron University College: Information Technology Department: Network Security and Protection
EMULATION-BASED SOFTWARE PROTECTION • Overview • Emulation Sandboxing • Problem Definition • How protection mechanism work • Advantage and Disadvantage. • Emulation-based Encrypted Code Execution • Problem Definition • How protection mechanism work • Advantage and Disadvantage. • Emulation-based Page Granularity Code Signing • Problem Definition • How protection mechanism work • Advantage and Disadvantage.
OVERVIEW OF EMULATED –BASED SOFTWARE PROTECTION • Two emulation-based software protection schemes: • Encrypted code execution . • Page-granularity code signing . • execute within trusted emulators while remaining out-of-band of untrusted systems being emulated. • The integrity and reliability of the protection mechanisms depend upon attackers remaining sandboxed within the emulated environments .
EMULATION SANDBOXING Problem Definition : Kernel malware is able to modify (attack) kernel protection mechanisms.
EMULATION SANDBOXING Protection Mechanism : 1. Host OS copies Guest OS instructions from Guest OS memory into Host OS memory. 2. Guest OS instructions are translated and executed in Host OS memory that it appears as if the original Guest OS instructions had been executed . 3. This emulation process provides a sandbox that ensures that the Guest OS instructions read and Write in the Guest OS Memory , exclusively. The Host OS Memory cannot be accessed by the Guest OS instructions thatreside in the Guest OS Memory
PROTECTION MECHANISM (CONT’D)
EMULATION SANDBOXING • Advantage : • reduce software vulnerabilities to a restricted environment. • Disadvantage: • do not protect against reverse code engineering (RCE) • do not protect against software vulnerabilities such as buffer overflows, index array ,out of bound errors, race conditions, integer overflows, and other types of memory corruption vulnerabilities. • do not provide adequate protection for computer devices and software against attempts to bypass a security policy.
EMULATION-BASED ENCRYPTED CODE EXECUTION •Problem Definition : • Reverse Code Engineering (RCE) uncovers the internal workings of a program: • Vulnerability • intellectual property (IP) discovery • To protect from RCE program code : • anti-disassembly • anti-debugging • obfuscation techniques • code may be encrypted
EMULATION-BASED ENCRYPTED CODE EXECUTION • Protection Mechanism : • Host OS copies encrypted Guest OS instructions from Guest OS memory into Host OS memory. The encrypted Guest OS instructions are decrypted in Host OS memory. The decrypted instructions always remain out-of-band of the Guest OS and are not accessible by Guest OS instructions. • Decrypted Guest OS instructions are translated (or interpreted) to a set of Host OS instructions. When this set of translated Host OS instructions execute the state of Guest OS memory and registers is modified such that it appears as if the original Guest OS instructions had been executed. • The translation process ensures Guest OS instructions never read decrypted Guest OS instructions ,emulation sandbox ensures Host OS memory is inaccessible by Guest OS instructions
PROTECTION MECHANISM (CONT’D)
EMULATION-BASED ENCRYPTED CODE EXECUTION • Advantage : • protect against reverse code engineering (RCE) • Disadvantage : • do not protect against software vulnerabilities such as buffer overflows, index array ,out of bound errors, race conditions, integer overflows, and other types of memory corruption vulnerabilities • do not provide adequate protection for computer devices and software against attempts to bypass a security policy
EMULATION-BASED PAGE GRANULARITY CODE SIGNING • Problem Definition : • Software exploitation is a process that leverages design and implementation errors ( buffer overflows, input-driven format strings, integer overflows, race conditions, etc.) • protection mechanisms : • stack canaries • variable reordering • shadow arguments • Etc. • provide a blacklist approach to software protection
EMULATION-BASED PAGE GRANULARITY CODE SIGNING • Protection Mechanism : • Host OS copies Guest OS instructions and Hash Message Authentication Code’s (HMAC) (or digital signatures) of Guest OS instructions from Guest OS memory into Host OS memory. • HMACs of Guest OS instructions are recomputed using a secret key in Host OS memory. The secret key remains in Host OS memory and is never accessible by Guest OS instructions. Guest OS instructions with valid HMACs are translated (or interpreted) to a set of Host OS instructions. This set of Host OS instructions is executed as before. • Guest OS instructions with invalid HMACs remain untranslated and therefore unexecuted. Malicious code (unless signed using the secret key) will remain unexecuted, thus protecting the system.
PROTECTION MECHANISM (CONT’D)
REFERENCES • [1] Emulation-based Software Protection William Kimball (wkimball@afit.edu) • [2] https://docs.google.com/viewer?url=patentimages.storage.googleapis. com/pdfs/US8285987.pdf • [3] http://www.virtualmvp.com/vmware-consumed-host-memory-vs- active-guest-memory/ • [4] https://www.cs.bu.edu/~goldbe/teaching/HW55813/zhou.pdf • [5] https://securebox.comodo.com/whitelist-vs-blacklist/

More Related Content

PDF
Bryan Sanabria New
Bryan Sanabria
 
PDF
Sherry Reda Eskander
Sherry Reda
 
PDF
Silence Group
Piyanat Thanasombat
 
PDF
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
Cristofaro Mune
 
PDF
Vladimir Polshchikov-IT Administrator
Vladimir Polshchikov
 
PPT
Software
Prabhu Govind
 
PDF
Linux binary Exploitation
Arcangelo Saracino
 
PDF
IRJET- Development of Uncrackable Software
IRJET Journal
 
Bryan Sanabria New
Bryan Sanabria
 
Sherry Reda Eskander
Sherry Reda
 
Silence Group
Piyanat Thanasombat
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
Cristofaro Mune
 
Vladimir Polshchikov-IT Administrator
Vladimir Polshchikov
 
Software
Prabhu Govind
 
Linux binary Exploitation
Arcangelo Saracino
 
IRJET- Development of Uncrackable Software
IRJET Journal
 

Similar to Emulation-based SW protection (20)

PDF
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Priyanka Aash
 
PPT
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
PPT
Software security
Roman Oliynykov
 
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
PDF
x86 Software Reverse-Engineering, Cracking, and Counter-Measures 1st Edition ...
gobaadosks
 
PDF
Automatic reverse engineering of malware emulators
UltraUploader
 
PDF
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
CODE BLUE
 
PDF
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
PDF
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
CODE BLUE
 
PDF
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
PDF
A taxonomy of obfuscating transformations
emanuele_nl
 
PDF
System Integrity
Vasily Sartakov
 
PPTX
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
PDF
Native Code Execution Control for Attack Mitigation on Android
Fraunhofer AISEC
 
PDF
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
PDF
ESET’s guide to deobfuscating and devirtualizing FinFisher
ESET Middle East
 
PDF
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
PDF
Automatic binary deobfuscation
UltraUploader
 
DOCX
Mansour Alirfan5632632IntroductionProposalResults.docx
infantsuk
 
PDF
You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable ...
ch0psticks
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Priyanka Aash
 
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
Software security
Roman Oliynykov
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
x86 Software Reverse-Engineering, Cracking, and Counter-Measures 1st Edition ...
gobaadosks
 
Automatic reverse engineering of malware emulators
UltraUploader
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
CODE BLUE
 
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
CODE BLUE
 
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
A taxonomy of obfuscating transformations
emanuele_nl
 
System Integrity
Vasily Sartakov
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
Native Code Execution Control for Attack Mitigation on Android
Fraunhofer AISEC
 
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
ESET’s guide to deobfuscating and devirtualizing FinFisher
ESET Middle East
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
Automatic binary deobfuscation
UltraUploader
 
Mansour Alirfan5632632IntroductionProposalResults.docx
infantsuk
 
You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable ...
ch0psticks
 
Ad

More from abdullah roomi (10)

PDF
Swap
abdullah roomi
 
PPTX
Sudo`
abdullah roomi
 
PPTX
IPsec
abdullah roomi
 
PDF
Network File System (NFS)
abdullah roomi
 
PDF
RSS Application Using Dom
abdullah roomi
 
PPTX
Security in Windows operating system
abdullah roomi
 
DOCX
Wireless Sensor Networks
abdullah roomi
 
PPTX
Mobile Forensics
abdullah roomi
 
PPTX
Nginx as a Revers Proxy for Apache on Ubuntu
abdullah roomi
 
PPTX
it project
abdullah roomi
 
Swap
abdullah roomi
 
Sudo`
abdullah roomi
 
IPsec
abdullah roomi
 
Network File System (NFS)
abdullah roomi
 
RSS Application Using Dom
abdullah roomi
 
Security in Windows operating system
abdullah roomi
 
Wireless Sensor Networks
abdullah roomi
 
Mobile Forensics
abdullah roomi
 
Nginx as a Revers Proxy for Apache on Ubuntu
abdullah roomi
 
it project
abdullah roomi
 
Ad

Recently uploaded (20)

PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
What is a Computer? Input Devices /output devices
GulJan8
 

Emulation-based SW protection

  • 1. Subject: Emulation-based Software Protection Presented by: Abdullah Roomi Presented to : Dr.Belal Amro Hebron University College: Information Technology Department: Network Security and Protection
  • 2. EMULATION-BASED SOFTWARE PROTECTION • Overview • Emulation Sandboxing • Problem Definition • How protection mechanism work • Advantage and Disadvantage. • Emulation-based Encrypted Code Execution • Problem Definition • How protection mechanism work • Advantage and Disadvantage. • Emulation-based Page Granularity Code Signing • Problem Definition • How protection mechanism work • Advantage and Disadvantage.
  • 3. OVERVIEW OF EMULATED –BASED SOFTWARE PROTECTION • Two emulation-based software protection schemes: • Encrypted code execution . • Page-granularity code signing . • execute within trusted emulators while remaining out-of-band of untrusted systems being emulated. • The integrity and reliability of the protection mechanisms depend upon attackers remaining sandboxed within the emulated environments .
  • 4. EMULATION SANDBOXING Problem Definition : Kernel malware is able to modify (attack) kernel protection mechanisms.
  • 5. EMULATION SANDBOXING Protection Mechanism : 1. Host OS copies Guest OS instructions from Guest OS memory into Host OS memory. 2. Guest OS instructions are translated and executed in Host OS memory that it appears as if the original Guest OS instructions had been executed . 3. This emulation process provides a sandbox that ensures that the Guest OS instructions read and Write in the Guest OS Memory , exclusively. The Host OS Memory cannot be accessed by the Guest OS instructions thatreside in the Guest OS Memory
  • 7. EMULATION SANDBOXING • Advantage : • reduce software vulnerabilities to a restricted environment. • Disadvantage: • do not protect against reverse code engineering (RCE) • do not protect against software vulnerabilities such as buffer overflows, index array ,out of bound errors, race conditions, integer overflows, and other types of memory corruption vulnerabilities. • do not provide adequate protection for computer devices and software against attempts to bypass a security policy.
  • 8. EMULATION-BASED ENCRYPTED CODE EXECUTION •Problem Definition : • Reverse Code Engineering (RCE) uncovers the internal workings of a program: • Vulnerability • intellectual property (IP) discovery • To protect from RCE program code : • anti-disassembly • anti-debugging • obfuscation techniques • code may be encrypted
  • 9. EMULATION-BASED ENCRYPTED CODE EXECUTION • Protection Mechanism : • Host OS copies encrypted Guest OS instructions from Guest OS memory into Host OS memory. The encrypted Guest OS instructions are decrypted in Host OS memory. The decrypted instructions always remain out-of-band of the Guest OS and are not accessible by Guest OS instructions. • Decrypted Guest OS instructions are translated (or interpreted) to a set of Host OS instructions. When this set of translated Host OS instructions execute the state of Guest OS memory and registers is modified such that it appears as if the original Guest OS instructions had been executed. • The translation process ensures Guest OS instructions never read decrypted Guest OS instructions ,emulation sandbox ensures Host OS memory is inaccessible by Guest OS instructions
  • 11. EMULATION-BASED ENCRYPTED CODE EXECUTION • Advantage : • protect against reverse code engineering (RCE) • Disadvantage : • do not protect against software vulnerabilities such as buffer overflows, index array ,out of bound errors, race conditions, integer overflows, and other types of memory corruption vulnerabilities • do not provide adequate protection for computer devices and software against attempts to bypass a security policy
  • 12. EMULATION-BASED PAGE GRANULARITY CODE SIGNING • Problem Definition : • Software exploitation is a process that leverages design and implementation errors ( buffer overflows, input-driven format strings, integer overflows, race conditions, etc.) • protection mechanisms : • stack canaries • variable reordering • shadow arguments • Etc. • provide a blacklist approach to software protection
  • 13. EMULATION-BASED PAGE GRANULARITY CODE SIGNING • Protection Mechanism : • Host OS copies Guest OS instructions and Hash Message Authentication Code’s (HMAC) (or digital signatures) of Guest OS instructions from Guest OS memory into Host OS memory. • HMACs of Guest OS instructions are recomputed using a secret key in Host OS memory. The secret key remains in Host OS memory and is never accessible by Guest OS instructions. Guest OS instructions with valid HMACs are translated (or interpreted) to a set of Host OS instructions. This set of Host OS instructions is executed as before. • Guest OS instructions with invalid HMACs remain untranslated and therefore unexecuted. Malicious code (unless signed using the secret key) will remain unexecuted, thus protecting the system.
  • 15. REFERENCES • [1] Emulation-based Software Protection William Kimball (wkimball@afit.edu) • [2] https://docs.google.com/viewer?url=patentimages.storage.googleapis. com/pdfs/US8285987.pdf • [3] http://www.virtualmvp.com/vmware-consumed-host-memory-vs- active-guest-memory/ • [4] https://www.cs.bu.edu/~goldbe/teaching/HW55813/zhou.pdf • [5] https://securebox.comodo.com/whitelist-vs-blacklist/