HARES: Hardened Anti-Reverse Engineering System presented at Syscan 2015

by Jacob Torrey

Summary: I propose presenting my work: Hardened Anti-Reverse Engineering System (HARES), a prototype anti-reverse engineering technique that seamlessly executes AES-encrypted applications with neither the key nor any decrypted instructions residing in accessible memory (even to a compromised kernel) on an unmodified x86 computer. My work shows that a thin hypervisor implementing Intel's AES-NI instructions in a TRESOR-like configuration, combined with TLB-splitting on Nehalem and newer CPUs, can transparently (without hardware modification) decrypt and execute a fully-encrypted (AES-128) application without leaking sensitive instruction information to readable memory; keys never reside in memory, so they are additionally protected against cold-RAM attacks. This prevents any of the application's code from being accessible to software memory acquisition tools, cold-boot RAM attacks or debuggers (in-circuit emulators (ICE) and memory-bus snoopers excepted). The decrypted instructions are stored in "execute-only" memory, so any attempt to access them, even by a compromised kernel, is prevented by hardware. An advantage of the HARES system is that, because of TLB-splitting, existing applications can be seamlessly encrypted without access to source code or a re-compile. Our tests with a prototype system built in-house demonstrate successful execution of Windows 7 32-bit PE files (.exe) with an approximate performance hit of ~2% on our synthetic test-suite applications.
HARES provides a significant improvement in preventing the theft of algorithm IP by fully encrypting the code sections of a binary. This is a much harder technique to bypass than even the most sophisticated code-obfuscation and reordering techniques. An additional advantage of the HARES solution is that, because TLB-splitting creates a Harvard architecture on a per-process basis, code-injection attacks are thwarted, as is mining an encrypted binary for ROP gadgets. The current prototype only supports user-space Windows 7 applications; future versions are envisioned to support kernel-mode drivers as well.
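To make the split-TLB idea concrete, the following is an added Python model (not HARES code, and not from the author) of how one virtual code page ends up with two physical views: the instruction-fetch path is filled with a decrypted frame that only the ITLB ever maps, while every data access, including a kernel's dump of the whole section, is served ciphertext from the DTLB. The cipher is a labelled stand-in (a SHA-256 counter-mode keystream, because the standard library has no AES-128), the hypervisor is the `SplitTlbMmu` class, and the sample code bytes and key are constructed for the model; the real mechanism (AES-NI with the key held in debug registers, hardware TLB fills on the fetch/data fault) is outside what a user-mode script can show.

```python
# Added model (not HARES code): a split ITLB/DTLB gives one virtual page two
# physical views, so instruction fetches see plaintext while all data accesses,
# including a kernel's memory dump, see only ciphertext.
import hashlib

PAGE = 16                      # model page size in bytes (real x86 pages are 4 KiB)
FETCH, DATA = "fetch", "data"  # the two access types a TLB fill is keyed on


def keystream(key: bytes, page_no: int, n: int) -> bytes:
    """Stand-in for AES-128: SHA-256 in counter mode (stdlib has no AES)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + page_no.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_image(key: bytes, code: bytes) -> dict:
    """Encrypt a code section page by page: this is all that exists on disk and in RAM."""
    pages = {}
    for off in range(0, len(code), PAGE):
        chunk = code[off:off + PAGE].ljust(PAGE, b"\x90")  # NOP-pad the tail page
        pages[off // PAGE] = xor_bytes(chunk, keystream(key, off // PAGE, PAGE))
    return pages


class SplitTlbMmu:
    """Thin-hypervisor model: RAM frames hold ciphertext only; a fetch fault fills the
    ITLB with a decrypted frame the DTLB never maps, so plaintext is execute-only."""

    def __init__(self, key: bytes, ram: dict):
        self._key = key    # in HARES the key lives in CPU debug registers, never in RAM
        self.ram = ram     # physical frames: ciphertext
        self.itlb = {}     # vpage -> plaintext frame (instruction-fetch path only)
        self.dtlb = {}     # vpage -> ciphertext frame (load/store path)
        self.faults = []   # trace of hypervisor TLB-fill events

    def _fill(self, vpage: int, access: str) -> bytes:
        """Fault handler: load a translation for exactly one access type."""
        self.faults.append((vpage, access))
        if access == FETCH:
            self.itlb[vpage] = xor_bytes(self.ram[vpage], keystream(self._key, vpage, PAGE))
            return self.itlb[vpage]
        self.dtlb[vpage] = self.ram[vpage]
        return self.dtlb[vpage]

    def _access(self, vaddr: int, n: int, access: str) -> bytes:
        tlb = self.itlb if access == FETCH else self.dtlb
        out = b""
        while len(out) < n:
            vpage, off = divmod(vaddr + len(out), PAGE)
            frame = tlb.get(vpage) or self._fill(vpage, access)
            out += frame[off:off + n - len(out)]
        return out

    def fetch(self, vaddr: int, n: int) -> bytes:
        """Instruction fetch: the bytes the CPU actually executes."""
        return self._access(vaddr, n, FETCH)

    def read(self, vaddr: int, n: int) -> bytes:
        """Data load: what a debugger, the kernel or an acquisition tool gets."""
        return self._access(vaddr, n, DATA)


# Constructed sample code section (x86-32 prologue/epilogue bytes) and placeholder key.
CODE = bytes.fromhex("5589e531c05dc3") + b"\x90" * 9 + bytes.fromhex("31c0c3")
KEY = bytes(range(16))


def demo() -> dict:
    mmu = SplitTlbMmu(KEY, encrypt_image(KEY, CODE))
    fetched = mmu.fetch(0, len(CODE))
    dumped = mmu.read(0, len(CODE))   # a "kernel" dump of the entire code section
    return {
        "fetched_is_plaintext": fetched == CODE,
        "dump_is_plaintext": dumped == CODE,
        "ret_in_code_at": [i for i, b in enumerate(CODE) if b == 0xC3],
        "ret_in_dump_at": [i for i, b in enumerate(dumped) if b == 0xC3],
        "faults": mmu.faults,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `ret_in_dump_at` entry makes the ROP point from the abstract visible: gadget mining works on the data view, and any `0xC3` bytes found there are ciphertext coincidences at positions unrelated to the real `ret` instructions, while the `faults` trace shows the hypervisor filling the fetch and data translations for each page separately.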