From owner-freebsd-hackers@FreeBSD.ORG Thu Feb 21 17:26:51 2008
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0C7A516A400 for ; Thu, 21 Feb 2008 17:26:51 +0000 (UTC) (envelope-from edelkind-freebsd-hackers@episec.com)
Received: from episec.com (episec.com [69.55.237.141]) by mx1.freebsd.org (Postfix) with SMTP id C55AD13C4E5 for ; Thu, 21 Feb 2008 17:26:50 +0000 (UTC) (envelope-from edelkind-freebsd-hackers@episec.com)
Received: (qmail 13675 invoked by uid 1024); 21 Feb 2008 17:26:50 -0000
Date: Thu, 21 Feb 2008 12:26:50 -0500
From: ari edelkind
To: freebsd-hackers@freebsd.org
Message-ID: <20080221172650.GK79355@episec.com>
Mail-Followup-To: ari edelkind , freebsd-hackers@freebsd.org
References: <86068e730802181718s1ad50d3axeae0dde119ddcf92@mail.gmail.com> <47BA3334.4040707@andric.com> <86068e730802181954t52e4e05ay65e04c5f6de9b78a@mail.gmail.com> <20080219040912.GA14809@kobe.laptop> <47BCD34F.7010309@freebsd.org> <20080221023902.GI79355@episec.com> <86hcg25kk5.fsf@ds4.des.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86hcg25kk5.fsf@ds4.des.no>
Subject: Re: encrypted executables
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Feb 2008 17:26:51 -0000

des@des.no wrote:
> ari edelkind writes:
> > Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is
> > already being traced. As for core files, a process can use
> > setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory
> > pages may be encrypted or unloaded, to be decrypted or loaded on
> > demand.
>
> The person running the application can trivially replace ktrace(),
> ptrace() and setrlimit() with non-functional stubs using LD_PRELOAD.

And any application that executes its own code before running the
system's dynamic loader -- or is statically linked, for that matter --
is free to unset LD_PRELOAD.

There are many attack vectors. There are plenty of countermeasures.
There are numerous attacks on each countermeasure. It goes on. This is
all common knowledge, even among those creating anti-reverse-engineering
techniques; in fact, it's usually prominently stated in an included
disclaimer.

It's unfortunate to note that, in many countries these days, the most
effective deterrent against attacks on binary encryption is legal
action. Some corporations add just-in-time page decryption to their
binaries specifically for this recourse (e.g., against a competitor who
creates applications that hook into the original software).

ari
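An added example, not from this thread or from either poster, of the setrlimit(RLIMIT_CORE,...) countermeasure mentioned above, written for FreeBSD or Linux with nothing beyond the POSIX resource-limit calls; it zeroes the hard limit as well as the soft one, and reads the limit back through getrlimit() rather than trusting the return value of setrlimit(), which is one way a program can notice a stubbed setrlimit() that merely returns 0 (a stub of getrlimit() as well would of course still fool it):

```c
/* Added example: disable core dumps via setrlimit(RLIMIT_CORE) and
 * verify the result independently through getrlimit(). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Set both the soft and the hard core-file size limit to zero.
 * Returns 0 on success, otherwise the errno value from setrlimit(). */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_CORE, &rl) == 0 ? 0 : errno;
}

/* Read the limit back: 1 if core dumps are disabled (soft limit zero),
 * 0 if they are still allowed, -1 if the limit cannot be read at all. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 ? 1 : 0;
}

/* Attempt to raise the hard limit back to unlimited. Because the hard
 * limit was lowered to zero, an unprivileged process gets EPERM here;
 * only a privileged process can raise a hard limit again.
 * Returns 0 if the raise succeeded, otherwise the errno value. */
int try_reenable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = RLIM_INFINITY, .rlim_max = RLIM_INFINITY };
    return setrlimit(RLIMIT_CORE, &rl) == 0 ? 0 : errno;
}

int main(void)
{
    int rc = disable_core_dumps();
    printf("disable_core_dumps: %s\n", rc == 0 ? "ok" : strerror(rc));
    printf("core_dumps_disabled: %d\n", core_dumps_disabled());
    rc = try_reenable_core_dumps();
    printf("re-enable attempt: %s\n",
           rc == 0 ? "succeeded (process is privileged)" : strerror(rc));
    return 0;
}
```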