Jacob Torrey, Senior Research Engineer at Assured Information Security (AIS), will soon give talks about his newly created system called HARES (Hardened Anti-Reverse Engineering System). The main goal of HARES is to make it harder for hackers to dissect code and reverse engineer it with malicious intent.
Torrey's method encrypts software code so that it is only decrypted by the computer's processor at the last possible moment before the code is executed. The result is code that is strongly protected against anyone who would pirate the software and then hunt for security flaws to exploit for their own gain.
To keep reverse engineering tools at bay, HARES uses a hardware trick that is possible on both Intel and AMD chips: a Translation Lookaside Buffer (TLB) split. The TLB split separates the part of a computer's memory that stores a program's data from the part where its instructions are stored. The instruction pages are encrypted and can only be decrypted with a key that resides in the computer's processor. When a reverse engineering tool reads the computer's memory to find the program's instructions, the TLB split redirects the tool to the section of memory that is filled with encrypted, unreadable commands.
This is, however, a simplified description of how HARES works; a much more in-depth technical analysis will be given at Torrey's upcoming talk at SyScan next month.
According to Torrey's blog, there are a couple of common misunderstandings that should be cleared up from previous articles relating to HARES.
1. HARES is a software-only solution that does not require modifications to existing Intel Core i-series CPUs, as long as the CPU is fairly modern. HARES is implemented as a thin hypervisor. HARES is not a "perfect security" tool; it only aims (and claims) to significantly increase the difficulty of reverse engineering a program.
2. The AES key (128- or 256-bit) for the system is not stored in a non-volatile fashion in the CPU; it must be securely loaded into the CPU at each boot and does not persist between reboots.
3. HARES uses TLB splitting to protect the decrypted instructions: even a compromised OS kernel that tried to read out the in-memory decrypted instructions would only see the encrypted memory page(s); when the CPU performs an instruction fetch from the page, the fetch is transparently redirected to the decrypted copy.
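To make the TLB split described above and in point 3 concrete, here is an added toy simulation (not HARES code and not Torrey's). It assumes tiny 16-byte pages, a XOR placeholder standing in for AES, and a hypervisor that installs different physical pages behind the instruction-side and data-side TLB entries for the same virtual page, so a data read returns ciphertext while an instruction fetch from the same address returns the real code.

```python
# Toy model of HARES-style TLB splitting (added example, not HARES code).
# Assumptions: 16-byte pages, a XOR "cipher" standing in for AES (NOT real
# encryption), and a hypervisor that fills the I-side and D-side TLB differently.

PAGE_SIZE = 16  # constructed: small pages keep the example readable


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Placeholder for AES: XOR with a repeating key. Symmetric, so it
    also decrypts. Do not mistake this for real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class SplitTlbMachine:
    def __init__(self, key: bytes):
        self.key = key    # loaded at boot, held only by the "CPU" (the hypervisor)
        self.phys = {}    # physical page number -> page contents
        self.itlb = {}    # virtual page -> physical page used for instruction fetch
        self.dtlb = {}    # virtual page -> physical page used for data loads/stores

    def load_protected_code(self, vpn: int, plaintext: bytes) -> None:
        """Hypervisor step: the encrypted page is the only one reachable by
        data accesses; a decrypted shadow page is reachable only by fetches."""
        enc_ppn, dec_ppn = 0x100 + vpn, 0x200 + vpn
        self.phys[enc_ppn] = toy_cipher(plaintext, self.key)
        self.phys[dec_ppn] = plaintext
        self.dtlb[vpn] = enc_ppn
        self.itlb[vpn] = dec_ppn

    def data_read(self, vaddr: int, n: int) -> bytes:
        """What a debugger, disassembler, or a compromised kernel sees via a load."""
        vpn, off = divmod(vaddr, PAGE_SIZE)
        return self.phys[self.dtlb[vpn]][off:off + n]

    def instruction_fetch(self, vaddr: int, n: int) -> bytes:
        """What the pipeline sees when executing from the same virtual address."""
        vpn, off = divmod(vaddr, PAGE_SIZE)
        return self.phys[self.itlb[vpn]][off:off + n]


# Constructed sample: x86-64 `push rbp; mov rbp,rsp; mov eax,42; ret`, NOP-padded.
CODE = bytes.fromhex("554889e5b82a000000c3")
KEY = bytes.fromhex("5aa50ff05aa50ff05aa50ff05aa50ff0")  # constructed 128-bit key


def demo(vpn: int = 7):
    """Return (what a data read sees, what an instruction fetch sees)."""
    m = SplitTlbMachine(KEY)
    m.load_protected_code(vpn, CODE.ljust(PAGE_SIZE, b"\x90"))
    va = vpn * PAGE_SIZE
    return m.data_read(va, len(CODE)), m.instruction_fetch(va, len(CODE))
```

The model also shows why the key must never land in guest-visible memory: anyone who can read it can run `toy_cipher` over the data-side page and recover the code.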
The same blog also goes on to describe a few potential weaknesses in what the system can achieve.
1. Yes, HARES will most certainly be vulnerable to physical attacks and side channels; Intel SGX is a very exciting technology that should provide much of the security benefit of HARES in a more hardened, hardware-based manner.
2. HARES does not protect against AMT & SMM attacks. DMA attacks will be discussed in Torrey's upcoming talks.
3. HARES could be vulnerable to being loaded into an emulated CPU or a nested VMM; during his technical talks at both SyScan and INFILTRATE, he will cover secure deployment mechanisms and key management ideas that would significantly reduce the likelihood of its being run in an emulated environment.
It is a fact of life that even though HARES is designed with good intent, there will always be people set on abusing it. This new system could result in malware whose inner workings are nearly impossible to figure out. On the whole, however, it should be beneficial for the majority of users and companies who license software, as it would be far harder to crack.