Chapter 12  Insecurity in Software

What is SRE?

Software reverse engineering. Serious attackers use SRE techniques to find and exploit flaws, or create new ones. SRE is also used for:
- removing usage restrictions on software
- finding and exploiting software flaws
- cheating at games
- breaking DRM systems

Tools for SRE:

- disassembler (converts an executable into assembly code; IDA Pro and Hackman programs)
- debugger (used to set breakpoints and to step through the code; SoftICE and OllyDbg programs)
- hex editor (used to modify or patch the exe file; UltraEdit and HIEW programs)

Regmon monitors all accesses of the Windows registry. Filemon monitors all accesses of files. VMware allows users to set up virtual machines.

DISASSEMBLER: STATIC VIEW. Encrypted code must be decrypted before it can be executed (an attacker can look at the decryption code and get access to the exe file).

FALSE DISASSEMBLY: Jumps in the code + self-modifying code (modifies its code in real time).

DEBUGGER: DYNAMIC VIEW. Can treat complex code as a black box.

ANTI-DEBUGGING TECHNIQUES: Debuggers don't handle threads well. It is possible to implement a hardware-based debugger. A program can monitor the use of the debug registers and stop if they are in use. A program can also monitor for inserted breakpoints. The debugger does not prefetch instructions. There might be rubbish in some of the memory locations.

Software Tamper Resistance:

Guards: Code breaks when tampering occurs. The code hashes sections of itself as it executes and compares the computed hash values with the known hash values of the original code. Hashing is done only on executable code; it is too costly to do it on plain text.
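A minimal guard in the sense described above, as an added example (not code from the chapter or these notes): a Python program hashes the bytecode of one of its own functions and compares it with a reference digest before each call. The names check_license, guarded_call and simulate_patch and the sample key are constructed for illustration.

```python
import hashlib

class TamperError(Exception):
    """Raised when a guarded function no longer matches its known hash."""

def check_license(key):
    # Constructed stand-in for a security-critical routine.
    return key == "constructed-demo-key"

def code_digest(func):
    # Hash the executable part only: compiled bytecode plus its constants.
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())
    return h.hexdigest()

# Known hash values of the original code, recorded before distribution.
KNOWN_DIGESTS = {"check_license": code_digest(check_license)}

def guarded_call(func, *args):
    # The guard: recompute the hash at execution time and break on mismatch.
    if code_digest(func) != KNOWN_DIGESTS[func.__name__]:
        raise TamperError(func.__name__ + " was modified")
    return func(*args)

def simulate_patch():
    # Constructed tampering: swap in a body that accepts every key, then
    # confirm the guard refuses to run it. The original code is restored.
    def always_true(key):
        return True
    original = check_license.__code__
    check_license.__code__ = always_true.__code__
    try:
        guarded_call(check_license, "wrong-key")
        return False          # guard missed the change
    except TamperError:
        return True           # guard detected the change
    finally:
        check_license.__code__ = original
```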


Metamorphism Revisited: Clones are a weakness against Trudy: break once, break everywhere. Instead we make software that changes wherever it is put, so the copies are not identical, just like viruses that mutate.

Digital Rights Management:

Encryption is not enough since the receiver of the paid software is a potential attacker who has the key.

Will use anti-disassembly, anti-debugging and obfuscation in addition to a strong cipher.

Digital Rights Management is an attempt to provide "remote control" over digital content. We would like to distribute digital content, but we want to retain some control (remote control) over its use after it has been delivered.




Persistent protection: We must protect the digital content so that the protection stays with the content after it's delivered. Examples:

- No copying
- Read once
- Do not open until Christmas
- No forwarding


Encryption is only used to ensure that the data can be securely delivered.

Security by obscurity:  It is difficult to understand where the key is.  Software obfuscation is the same.

Kerckhoffs' Principle: Crypto design needs to be open.

Analog hole: The content can be captured in analog form. Digital music can be recorded using a microphone and movies can be recorded from the screen with a video camera.

Human nature: A big problem in DRM. Bigger than with passwords.

A DRM system:

Using an SDS (secure document server) and the client software (a software plugin to the Adobe PDF reader). The document is encrypted on the server and the client has to log in to the server to get the key to decrypt the document. The SDS resides in the corporate headquarters and is relatively secure.

The servers need to:

- protect keys
- authenticate users
- apply the required persistent protection to the document

The clients need to:

- protect keys
- authenticate users
- enforce the persistent protection
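The SDS flow above as an added sketch (not code from the book or these notes): the server keeps the key and policy, and the client authenticates to fetch them and enforces the persistent protection itself. The class and method names, the policy fields `not_before` and `read_once`, and the SHA-256 keystream standing in for AES are assumptions made for this example.

```python
import hashlib, hmac, secrets
from datetime import date

def xor_stream(key, data):
    # Stand-in cipher (SHA-256 counter keystream) so the example needs no
    # third-party library; the design in the notes uses AES for this step.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SDS:
    """Server side: protects keys, authenticates users, attaches the policy."""
    def __init__(self):
        self._users, self._docs = {}, {}

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, pw_hash(password, salt))

    def protect(self, doc_id, plaintext, policy):
        key = secrets.token_bytes(32)
        self._docs[doc_id] = (key, policy)
        return xor_stream(key, plaintext)      # only ciphertext is distributed

    def request_key(self, name, password, doc_id):
        salt, stored = self._users.get(name, (b"", b""))
        if not hmac.compare_digest(stored, pw_hash(password, salt)):
            raise PermissionError("authentication failed")
        return self._docs[doc_id]

class Client:
    """Client side: holds the key briefly and enforces the policy locally."""
    def __init__(self, server):
        self.server, self.opened = server, set()

    def open(self, name, password, doc_id, ciphertext, today):
        key, policy = self.server.request_key(name, password, doc_id)
        if today < policy.get("not_before", date.min):
            raise PermissionError("not yet openable")
        if policy.get("read_once") and doc_id in self.opened:
            raise PermissionError("already read once")
        self.opened.add(doc_id)
        return xor_stream(key, ciphertext)
```

Both policy checks run in `Client.open`, after the key has already left the server, which is why the client design that follows wraps this code in anti-disassembly, anti-debugging and obfuscation.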

High level design of the client software:

- The software has an outer shell that attempts to create a tamper-resistant barrier (anti-disassembly and anti-debugging techniques)

- To avoid disassembly: executable code is encrypted
- False disassembly is used to protect the part of the code that performs the decryption
- Executable code is only decrypted in small slices so that it's more difficult for an attacker to obtain the entire code in decrypted form.

- To avoid debugging: monitor for the use of debug registers, monitor for man-in-the-middle
- The obfuscation is applied to the security-critical operations, including key management, authentication and cryptography.
- The authentication information is cached (don't want to ask the user for the password many times; the information is stored at a different place in memory every time)
- The digital content is encrypted using the AES (Advanced Encryption Standard) block cipher
- Scrambling is also used (in addition to the strong cipher). The keys are also obfuscated by splitting them into multiple parts and hiding some parts in data and other parts in code.


If we cannot trust the operating system, then the DRM client software can easily be undercut by attacks on the OS.

Software Development:   Ross Anderson

Standard approach to software development:  penetrate and patch  

It is cheaper and easier to let customers do the testing.


Software is open to the users. You would think that the more "eyeballs", the more security flaws would be found. The book, though, thinks that these "eyeballs" do not look for security flaws.


Microsoft gets more attention from hackers. No one can look at the code.

