00:00:00.000,00:00:03.070 >>We have a uh super interesting talk for you up next by um Amro 00:00:03.070,00:00:04.438 Abdelgawad. Uh he’s a security researcher with Immieye er 00:00:04.438,00:00:05.772 Immuneye sorry uh my words speech is getting a little 00:00:05.772,00:00:07.107 slurred today, and I’m not even drunk. [chuckles] So uh without 00:00:07.107,00:00:12.112 further ado uh I’m going to let him take off his talk. Let’s get 00:00:18.485,00:00:23.490 a big round of applause for him. [applause] [background noises in 00:00:31.932,00:00:34.801 audience] >>So when I started working on the remote 00:00:34.801,00:00:39.706 metamorphic engine research the last thing I was thinking about 00:00:39.706,00:00:44.711 back then was metamorphism. I was- [shouting from crowd] 00:00:49.082,00:00:52.352 [microphone popping] Alright. Is it okay now? [audience applauds 00:00:52.352,00:00:56.890 and cheers] Soo the last thing I was thinking about when I 00:00:56.890,00:01:00.928 started working on the remote metamorphic engine research was 00:01:00.928,00:01:04.598 metamorphism. I wasn't thinking about metamorphic at all. I was 00:01:04.598,00:01:08.335 mainly trying to create unbreakable code, a piece of 00:01:08.335,00:01:10.871 code that cannot be reversed engineered that cannot be 00:01:10.871,00:01:15.876 tampered cannot be analyzed. So anyone who has limited 00:01:18.478,00:01:20.981 experience with reverse engineering will know that it's 00:01:20.981,00:01:23.884 actually not possible to create unbreakable code it's possible 00:01:23.884,00:01:26.386 to resist the reverse engineering but really 00:01:26.386,00:01:31.058 impossible to create a piece of code that would have high 00:01:31.058,00:01:36.096 resistance to the degree that it cannot be analyzed. So, I 00:01:36.096,00:01:39.199 research this I researched the subject. I read about a lot of 00:01:39.199,00:01:42.102 papers and I learned about a lot of obfuscation techniques 00:01:42.102,00:01:44.538 amazing obfuscation techniques and I applied a lot of 00:01:44.538,00:01:49.543 techniques. But unfortunately I failed. Sequence of failure 00:01:51.945,00:01:54.982 [breathes] attempts kept going up until the moment that I 00:01:54.982,00:02:00.087 decided to simplify the problem and treat the problem as a 00:02:00.087,00:02:05.292 security problem. Well at first that actually turned to 00:02:05.292,00:02:08.061 complicate the problem rather than simplifying it because 00:02:08.061,00:02:11.531 unfortunately we don't know what security is, ya know? We know 00:02:11.531,00:02:16.870 what security is not. And we learn about weaknesses based on 00:02:16.870,00:02:21.108 knowledge of vulnerabilities and we learn about strengths in 00:02:21.108,00:02:24.411 security based on weaknesses and define weaknesses but we really 00:02:24.411,00:02:28.882 don't know what security really is. If you asked me 15 years ago 00:02:28.882,00:02:32.519 when I started my career “what is security?” You would have 00:02:32.519,00:02:35.789 lost your whole day, re- receiving my response to your 00:02:35.789,00:02:39.192 question. Today if you asked me the same question you would 00:02:39.192,00:02:43.730 really make me thinkin’. Something amazing about security 00:02:43.730,00:02:47.434 that the more we learn about it the less likely we are capable 00:02:47.434,00:02:53.206 to define it. But there's no wonder as at a certain point in 00:02:53.206,00:02:58.945 my research I came in to very such fine view for security that 00:02:58.945,00:03:02.082 security actually meant to be undefined. That security is all 00:03:02.082,00:03:07.621 about undefined expressions. Undefined expressions that aim 00:03:07.621,00:03:10.590 to take probabilities out of the equation that you’re trying to 00:03:10.590,00:03:15.662 secure. So the remote metamorphic engine research of 00:03:15.662,00:03:19.232 resisting reverse engineering started by defining security as 00:03:19.232,00:03:24.137 an undefined expression. Taking the lessons learned from there 00:03:24.137,00:03:28.608 and apply to the binary protection problem and that 00:03:28.608,00:03:33.447 resulted in flux binary mutation and only then with flux binary 00:03:33.447,00:03:36.516 mutation I started to have such fine results for resisting 00:03:36.516,00:03:41.321 reverse engineering. But resisting reverse engineering or 00:03:41.321,00:03:44.624 resisting a reverse engineer turned to be not enough. Once 00:03:44.624,00:03:49.729 you have high rates of such fine results of re- resisting reverse 00:03:49.729,00:03:52.165 engineering you will then realize that the problem is much 00:03:52.165,00:03:55.535 bigger than that. You need to also count automated tools you 00:03:55.535,00:04:00.240 need to count AI tools or machine learning and we..and and 00:04:00.240,00:04:02.742 then the problem is not only about the code the problem is 00:04:02.742,00:04:06.780 also about data. How you gonna secure the data input output 00:04:06.780,00:04:11.418 even the data all that’s being processed inside the code? 00:04:11.418,00:04:13.487 [background noise in crowd] So that resulted in the end by 00:04:13.487,00:04:16.523 adding techniques to secure the data and the code that resulted 00:04:16.523,00:04:21.528 in sort of artificial immunity. So that’s the outline of the 00:04:21.528,00:04:25.232 presentation today. And the remote metamorphic engine is 00:04:25.232,00:04:30.837 actually the name that I’ve given to the approach. Which is 00:04:30.837,00:04:35.408 a new approach for resisting reverse engineering but its its 00:04:35.408,00:04:39.146 more like a new approach rather than an actual engine. And I 00:04:39.146,00:04:43.150 decided to name the approach like that because it's not 00:04:43.150,00:04:48.088 possible without metamorphism or mutation and it’s not possible 00:04:48.088,00:04:53.460 without having the engine or the morphic engine isolated remotely 00:04:53.460,00:04:57.731 or away from the reverse engineering environment. And I’m 00:04:57.731,00:05:00.634 applying all these techniques using very simple very simple 00:05:00.634,00:05:03.570 techniques that I’m gonna go through it all with you today. 00:05:03.570,00:05:08.575 Within the coming few minutes. So I define security as an 00:05:12.145,00:05:17.384 undefined expression following very simple analysis flow. If we 00:05:17.384,00:05:19.986 don’t know what security is but we know about a lot of 00:05:19.986,00:05:22.789 successful security solutions. So if we analyze these 00:05:22.789,00:05:27.594 successful security solutions enough, we can then find 00:05:27.594,00:05:31.531 patterns that keep repeating itself everywhere and then we 00:05:31.531,00:05:35.068 can by defining these patterns probably that will will help us 00:05:35.068,00:05:38.338 to better understand security and will help us to better 00:05:38.338,00:05:43.977 approach security. So that’s exactly what I’ve done. If you 00:05:43.977,00:05:46.980 ever do that you will find something pretty interesting 00:05:46.980,00:05:51.685 that randomization and isolation are two major patterns that we 00:05:51.685,00:05:55.222 rely on in everything. To the degree that if you take these 00:05:55.222,00:05:58.725 two patterns out of the equation or out of any security solution, 00:05:58.725,00:06:02.362 security is not gonna be possible. Randomisation like let 00:06:02.362,00:06:05.465 me give you an example like static buffer protection where 00:06:05.465,00:06:08.068 we insert a random number and then we check on the random 00:06:08.068,00:06:11.438 number when the function returns. And the respace lay out 00:06:11.438,00:06:16.409 randomization to disable jumping into ha- hard coded uh 00:06:16.409,00:06:21.581 locations. Encryption, uh asymmetric uh asymmetric and 00:06:21.581,00:06:24.784 symmetric encryption, almost everywhere you’ll find random 00:06:24.784,00:06:27.654 numbers. Without random numbers we cannot apply a lot of 00:06:27.654,00:06:32.425 security solutions. [breathes]And on the other hand 00:06:32.425,00:06:37.831 a much stronger security pattern is isolation. And if you just 00:06:37.831,00:06:41.001 treat these patterns based on their meaning randomization and 00:06:41.001,00:06:44.704 isolation, you wouldn’t really gain much from their meaning. 00:06:44.704,00:06:50.477 But analysing them in abstract mathematics you can then be able 00:06:50.477,00:06:54.347 to isolate the patterns away from their meaning and then you 00:06:54.347,00:06:57.350 will be able to extend their strength and to find their 00:06:57.350,00:07:00.587 ultimate strength and then you will be able to move freely with 00:07:00.587,00:07:04.057 these patterns, apply them other problems. So I’ve done just 00:07:04.057,00:07:08.094 that. And then I I arrived into defining randomization and its 00:07:08.094,00:07:12.465 ultimate security pattern as division by infinity. In an 00:07:12.465,00:07:16.169 inverse relation to probabilities where like you in 00:07:16.169,00:07:19.639 increase the random number as much as possible to reduce 00:07:19.639,00:07:22.942 probabilities as much as possible to zero. And then the 00:07:22.942,00:07:29.683 other hand, I defined isolation as a division by zero which is 00:07:29.683,00:07:32.886 an undefined mathematical expression and by then you can 00:07:32.886,00:07:37.123 actually take probabilities totally out of the equation. So 00:07:37.123,00:07:42.595 only then when I returned back to solve the binary protection 00:07:42.595,00:07:45.398 problem only then I started to see another dimension to the 00:07:45.398,00:07:50.103 problem. From that perspective, all the researchers that I read 00:07:50.103,00:07:52.872 about and learned about and all the failure attempt that I went 00:07:52.872,00:07:56.876 through they were all going toward inve- infinity in an 00:07:56.876,00:08:02.148 attempt to increase the time and effort needed... to disable 00:08:02.148,00:08:05.885 reverse engineering or to resist reverse engineering. So how 00:08:05.885,00:08:12.492 about going toward zero? In this case, and instead of increasing 00:08:12.492,00:08:15.895 the time and effort needed for reverse engineering we will just 00:08:15.895,00:08:21.234 reduce the time as much as possible to zero. So allow just 00:08:21.234,00:08:25.872 few milliseconds for the code to be executed. And by that there 00:08:25.872,00:08:29.376 will be no way for the code to be reversed engineered. Imagine 00:08:29.376,00:08:32.011 that you’re just generating a code that will be valid only for 00:08:32.011,00:08:34.814 six milliseconds. There would be no way that it will be reverse 00:08:34.814,00:08:40.820 engineered. Unless it will be saved and then analyzed and then 00:08:40.820,00:08:43.556 a reverse engineer will return back to try to attack the system 00:08:43.556,00:08:47.494 based on knowledge of previous execution, but then if he do 00:08:47.494,00:08:50.397 that it means that the code is expired, the code is not gonna 00:08:50.397,00:08:54.267 be used anymore so you need to generate new code and hence we 00:08:54.267,00:08:59.205 need to have metamorphic engine. But not a metamorphic engine 00:08:59.205,00:09:03.243 from the perspective of viruses or malware where they use 00:09:03.243,00:09:06.913 metamorphism just to change the way the code looks like or to 00:09:06.913,00:09:09.849 change the pattern of change the signature of the code we need to 00:09:09.849,00:09:14.854 have actually more like mutation engines more than just umm we 00:09:16.990,00:09:22.662 uhh morphic engines. [breathes] So I went by and I defined the 00:09:22.662,00:09:26.533 unbreakable code as an unpredictable code. The code 00:09:26.533,00:09:30.470 that cannot be determined and cannot be and and to keep on 00:09:30.470,00:09:34.541 changing uh and it cannot be expected before it gets 00:09:34.541,00:09:41.214 executed. And while trying to apply the randomization and 00:09:41.214,00:09:46.119 isolation techniques that we talked about I found that the 00:09:46.119,00:09:50.690 major weakness is actually the static code dynamic data which 00:09:50.690,00:09:54.260 is the model that we use to everywhere, that this is the way 00:09:54.260,00:09:56.763 we learn how to program. This is the way how we learn how to 00:09:56.763,00:10:01.434 develop our software. The code is static and the data is 00:10:01.434,00:10:05.772 dynamic and that that enables all sorts of reverse engineering 00:10:05.772,00:10:11.311 and also enables all sorts of replicable software exploits. So 00:10:11.311,00:10:14.747 I tried to change that model into the dynamic code dynamic 00:10:14.747,00:10:17.884 data that the code will keep on changing and the code will keep 00:10:17.884,00:10:21.287 on evolving while it’s being executed. And that the code will 00:10:21.287,00:10:24.824 not remain the same, will not remain static. So if you look at 00:10:24.824,00:10:27.727 the code now and try to analyze it it should look totally 00:10:27.727,00:10:30.763 different then the way it looked just ten uh a minute ago or a 00:10:30.763,00:10:34.767 few seconds ago. [breathes] So any reverse engineering attempt 00:10:34.767,00:10:38.972 goes through three main stages. Locating the code, analyzing the 00:10:38.972,00:10:41.641 code, and then breaking the code. In order to have very high 00:10:41.641,00:10:46.112 rates or R.E. resistance, we need to resist all these stages 00:10:46.112,00:10:48.948 we need to make the code unlocatable so we’re gonna make 00:10:48.948,00:10:53.786 that by storing the code remotely and and and perform 00:10:53.786,00:10:57.624 remote execution. And we’re we’re gonna disable analyzing 00:10:57.624,00:11:03.296 the code by using flux binary mutation and by setting the 00:11:03.296,00:11:06.799 lifetime of the code into few milliseconds. And then we make 00:11:06.799,00:11:09.903 the code unbreakable by allowing the code to know more about 00:11:09.903,00:11:13.239 iself that it will detect any tampering attempt if any 00:11:13.239,00:11:18.077 happened while it’s being executed. [breathes] So that 00:11:18.077,00:11:22.682 remote metamorphic engine architecture looks umm as you 00:11:22.682,00:11:27.687 see here we’ll divide the engine into two separate areas. Trusted 00:11:30.523,00:11:34.994 area and untrusted area. The trusted zone here is the area 00:11:34.994,00:11:38.898 where the reverse engineer has no access to. And the untrusted 00:11:38.898,00:11:42.535 zone is where the reverse engineer would have access to. 00:11:42.535,00:11:47.240 Emm we’ll have mutation engine stored in the trusted zone that 00:11:47.240,00:11:50.043 will keep generating code and keep mutating the code and then 00:11:50.043,00:11:54.714 push the code to be executed in the uh in the untrusted zone by 00:11:54.714,00:12:00.386 using challenge response metamorphic protocol. So why 00:12:00.386,00:12:04.023 remote? Why we have to store the engine the morphic engine 00:12:04.023,00:12:08.695 remotely away from the... reverse engineering environment? 00:12:08.695,00:12:12.065 Well if you keep the engine next to the in the reverse 00:12:12.065,00:12:14.300 engineering environment a reverse engineer will just 00:12:14.300,00:12:16.736 simply go and reverse the engine itself and will break the 00:12:16.736,00:12:21.207 engine. So in order to secure the engine itself the engine has 00:12:21.207,00:12:24.844 to be stored in a secure area in an area where the reverse 00:12:24.844,00:12:28.314 engineer doesn't have any access any access to but you don’t 00:12:28.314,00:12:31.551 really have to do that. It all comes to what you’re trying to 00:12:31.551,00:12:34.921 defend against. If you are trying to make the code keep 00:12:34.921,00:12:37.257 morphing itself and keep changing because you’re trying 00:12:37.257,00:12:42.228 to defend against intrusion or malware or umm external 00:12:42.228,00:12:45.898 intrusion so you can you can then have the the engine in the 00:12:45.898,00:12:51.604 same trusted area. Umm but today I’m mainly focused on or the 00:12:51.604,00:12:54.974 presentation is mainly focused on resisting reverse engineering 00:12:54.974,00:12:59.812 rather than using metamorphism to secure uhhh the uhh trusted 00:12:59.812,00:13:04.751 environment. [breathes] So the remote metamorphic engine is 00:13:07.520,00:13:12.225 based based on challenge response protocol. Challenge 00:13:12.225,00:13:15.695 response communication protocol that is made of morphed machine 00:13:15.695,00:13:19.365 code rather than data. And the protocol is pretty simple. It’s 00:13:19.365,00:13:23.503 that eh the trusted uh the trusted area will push four 00:13:23.503,00:13:27.974 bytes of code size and then will push the morphed code and then 00:13:27.974,00:13:32.378 the untrusted area will just receive uh will receive the the 00:13:32.378,00:13:36.015 code and execute the code and then respond back the respond to 00:13:36.015,00:13:40.620 the to the engine. And trusted area and untrusted area here can 00:13:40.620,00:13:46.392 be client and server, it can be kernel and user mode, it can be 00:13:46.392,00:13:51.230 uh guest and host machine, it can be even like an oil reader 00:13:51.230,00:13:54.934 in an oil field and then you need to check its integrity to 00:13:54.934,00:14:00.206 make sure that it’s secure it’s not tampered. Um and on the 00:14:00.206,00:14:05.011 other hand we also should count the offensive approach which is 00:14:05.011,00:14:08.981 in in this case a malware can use the trusted area as a 00:14:08.981,00:14:13.319 command and control server. And the untrusted area as the 00:14:13.319,00:14:16.022 infected machine where it’s untrusted because reverse 00:14:16.022,00:14:22.595 engineers will have access to.[breathes] So by doing that 00:14:22.595,00:14:25.765 we would actually split the execution flow into two 00:14:25.765,00:14:30.002 different areas. An area that the reverse engineer has access 00:14:30.002,00:14:32.605 to and another area where the reverse engineer doesn’t have 00:14:32.605,00:14:35.141 access to and that on its own will will create a lot of 00:14:35.141,00:14:37.410 challenges to any reverse engineer because the reverse 00:14:37.410,00:14:40.613 engineer will never see the whole picture, will see just you 00:14:40.613,00:14:44.884 know parts of the code being executed and will even determine 00:14:44.884,00:14:50.556 what decisions gonna be made on the responses or return values. 00:14:50.556,00:14:55.228 So here is a list of uh samples of the challenges that can be 00:14:55.228,00:14:59.332 pushed into that protocol which is mainly here are mainly 00:14:59.332,00:15:02.335 focused on challenges that will check on the integrity of the 00:15:02.335,00:15:07.940 environment. Uh such as in memory code integrity check. Um 00:15:07.940,00:15:11.978 execution environment integrity check. Uh detecting hoax or 00:15:11.978,00:15:15.515 trying to determine if the execution environment is real or 00:15:15.515,00:15:19.385 it’s emulated or it’s instrumented. Uh clock 00:15:19.385,00:15:23.456 synchronization. Uh clock synchronized challenge is is 00:15:23.456,00:15:26.793 actually empty challenge. It has no functionality at all where 00:15:26.793,00:15:29.929 you can just create a challenge that has to be executed to be 00:15:29.929,00:15:33.566 solved and then you would push it to the untrusted area to make 00:15:33.566,00:15:38.971 sure that it’s not analyzed. Umm and then detect virtual machines 00:15:38.971,00:15:43.509 or detect umm uh or collect hardware, um IDs to check on the 00:15:43.509,00:15:49.849 integrity of the hardware. So once you start to work on these 00:15:49.849,00:15:52.819 challenges you will find that not all the challenges will have 00:15:52.819,00:15:54.187 the same strength. Some challenges will be so easy to be 00:15:54.187,00:15:56.923 broken and some challenges will be much harder to be broken from 00:15:56.923,00:15:59.725 a reverse engineering perspective. [breathes] The 00:15:59.725,00:16:01.194 challenges the the more you gonna rely on the CPU and the 00:16:01.194,00:16:02.528 execution and the process itself that you will you will create 00:16:02.528,00:16:04.530 challenges that will all execute inside the process, this will be 00:16:04.530,00:16:06.532 the uhs- most mm- the most solid challenges. But if you’re gonna 00:16:06.532,00:16:11.537 create challenges that will eh communicate with the operating 00:16:17.343,00:16:22.348 system or resolve or communicate with APIs in the system these 00:16:25.284,00:16:29.088 are weak challenges that can be fooled easily. So that makes the 00:16:29.088,00:16:32.792 approach if it's gonna be used by any malware will be will be 00:16:32.792,00:16:38.364 weak enough to be analyzed. The only trick will be just to to 00:16:38.364,00:16:42.168 know that uh malware is analyzing the execution 00:16:42.168,00:16:45.671 environment while you are analyzing the malware. And to 00:16:45.671,00:16:48.608 make sure that you will um slow down the malware while it's 00:16:48.608,00:16:51.777 being executed so it will reveal all its functionality and you 00:16:51.777,00:16:56.782 can go on and uhh and reveal its functionality. [breathes] So in 00:16:59.285,00:17:05.391 order to ensure, emm in order in order to ensure secure the 00:17:05.391,00:17:10.196 challenges we will use um um morphing techniques where we 00:17:10.196,00:17:13.499 will have the function that we need to execute and then we have 00:17:13.499,00:17:17.570 to mutate the function in a manner that the challenge cannot 00:17:17.570,00:17:21.841 be solved un unless the code is executed. And the way we’ll do 00:17:21.841,00:17:25.811 that we’ll have to rely on other morphic techniques not just like 00:17:25.811,00:17:29.315 the the uh malware morphic techniques we need to use 00:17:29.315,00:17:32.618 mutation techniques that will change the functionality of the 00:17:32.618,00:17:35.922 code, not just changing the code structure or not just changing 00:17:35.922,00:17:40.927 the code uh semantics. So here’s how we can um here’s here’s wha 00:17:43.296,00:17:46.299 how um here’s how I’m creating these challenges in the remote 00:17:46.299,00:17:49.635 metamorphic engine. Is getting the function and applying 00:17:49.635,00:17:52.305 morphic techniques on the function changing the function 00:17:52.305,00:17:56.609 structure totally and then add a head and a tail to the function. 00:17:56.609,00:18:00.913 And the head is just unused instructions and the tail is 00:18:00.913,00:18:04.951 where we will perform response mutation. So every time the 00:18:04.951,00:18:07.587 function is gonna get executed it will return different 00:18:07.587,00:18:12.024 response. Here is a sample [sound from audience] of the 00:18:12.024,00:18:18.064 code being executed. Challenges are being generated and being 00:18:18.064,00:18:22.301 sent to be executed in the untrusted area. And as you can 00:18:22.301,00:18:25.638 see the encrypted response every time the challenge is being 00:18:25.638,00:18:29.775 executed it will return back different return value and then 00:18:29.775,00:18:33.713 the morphic engine morphing engine will will receive the 00:18:33.713,00:18:36.782 response and then decrypt it back to its original value. And 00:18:36.782,00:18:39.585 the main reason why you need to do that is to make sure that no 00:18:39.585,00:18:43.656 one can fool the responses or can hook into the response and 00:18:43.656,00:18:48.661 then just uh send fake responses. [breathes] So in 00:18:53.866,00:19:00.239 order to perform mutation for every single uhhh challenge I’m 00:19:00.239,00:19:03.876 mainly using reversible instructions and the reversible 00:19:03.876,00:19:07.480 instructions what they du- what they do is that um when the 00:19:07.480,00:19:11.951 function returns before the function returns [inhales] a set 00:19:11.951,00:19:14.954 of instructions will take the return value and then mutate the 00:19:14.954,00:19:19.291 return value. So the remote metamorphic engine ge will 00:19:19.291,00:19:24.163 generate mutation key and then use that key to create a dynamic 00:19:24.163,00:19:28.601 encryption routine and then insert the encryption routine- 00:19:28.601,00:19:33.005 in the end of the function to encrypt to encrypt the response. 00:19:33.005,00:19:36.442 And then once the response is returned to the remote 00:19:36.442,00:19:40.780 metamorphic engine the it will use the same mutation key to use 00:19:40.780,00:19:44.350 to generate a decrypter that will decrypt the response and 00:19:44.350,00:19:50.423 return it back to its original value. So here as you can see 00:19:50.423,00:19:57.363 these are samples of the mutation. Umm uhh umm that we 00:19:57.363,00:20:02.401 will use to mutate the response. And this mutation is actually as 00:20:02.401,00:20:05.438 you can see here we’re using a set of reversible instructions 00:20:05.438,00:20:09.675 like addition subtraction and so on. Umm bit rotation to the left 00:20:09.675,00:20:12.845 or to the right. And then once the the response returns back it 00:20:12.845,00:20:16.982 will apply the opposite umm instruction to re to re to re 00:20:16.982,00:20:20.619 umm to reverse the the response back to its original value. 00:20:26.692,00:20:32.431 [breathes] So once you start to use these instructions, and as 00:20:32.431,00:20:35.000 you can see here if you use these instructions in the tail 00:20:35.000,00:20:39.505 any AI or reverse engineer trying to analyze that code will 00:20:39.505,00:20:44.176 be able to detect that this set of instructions is actually in 00:20:44.176,00:20:47.580 the tail of the function. So in order to disable that we have to 00:20:47.580,00:20:50.983 use the same exact instructions in the body of the function. 00:20:50.983,00:20:55.187 You- wel use that in the morphing umm uh in the morphing 00:20:55.187,00:20:57.590 techniques that we’re gonna to do the function and also we use 00:20:57.590,00:21:01.193 the same instructions in the head where we will insert use 00:21:01.193,00:21:05.364 this instructions. So this this this how like anyone analyzing 00:21:05.364,00:21:08.567 the function will not be able to determine the beginning of or 00:21:08.567,00:21:12.838 the end or the body of the function. So here after m-meh 00:21:12.838,00:21:15.074 performing the morphing techniques that I’m gonna show 00:21:15.074,00:21:19.979 you now. What you need to do is to disable any reverse engineer 00:21:19.979,00:21:23.482 or AI trying to uh automated tools trying to analyze the code 00:21:23.482,00:21:26.919 you need to disable them from determining the beginning or the 00:21:26.919,00:21:30.389 end or the middle of the function. By mixing the same 00:21:30.389,00:21:35.394 instruction sets everywhere in the function. [breathes] So the 00:21:39.798,00:21:43.235 mutation techniques that we will need to use to resist reverse 00:21:43.235,00:21:46.639 engineering is totally different than the mutations techniques or 00:21:46.639,00:21:51.577 the morphic techniques that malware would use. Malware they 00:21:51.577,00:21:57.449 use morphing or polymorphic techniques to evade antiviruses 00:21:57.449,00:22:00.853 they use polymorphic techniques simply by encrypting the code 00:22:00.853,00:22:03.789 and then when the code executes it will fold memory and then 00:22:03.789,00:22:07.760 decrypt and then will be in its original form. And on the other 00:22:07.760,00:22:10.729 hand they use metamorphic techniques to make the code 00:22:10.729,00:22:13.832 operate in the same exact way but would look totally 00:22:13.832,00:22:17.203 different, I use totally different instruction sets. So 00:22:17.203,00:22:21.440 no encryption is used in in metamorphism. Here are some 00:22:21.440,00:22:25.177 samples of what um here are some techniques that are used by an 00:22:25.177,00:22:29.014 by by malware um meta metamorphic techniques which is 00:22:29.014,00:22:33.953 like all aiming to change the structure of the code or evading 00:22:33.953,00:22:36.689 signatures but what we’re trying to do here is not really to 00:22:36.689,00:22:40.292 evade signature we need actually to resist reverse engineering. 00:22:40.292,00:22:44.129 If you make some few changes to the code to make it look 00:22:44.129,00:22:47.499 different still a reverse engineer can easily determine 00:22:47.499,00:22:52.104 what’s going on. But more importantly [inhales] because we 00:22:52.104,00:22:55.708 need to evade artificial intelligence or any automated 00:22:55.708,00:22:59.912 tools we we we need to use morphic morphing techniques that 00:22:59.912,00:23:03.582 will make it expensive for automated tools in terms of 00:23:03.582,00:23:08.587 time. Rather than just changing the signature. So the flux 00:23:13.959,00:23:19.565 mutation goals that we’re gonna have is to extend the trust so 00:23:19.565,00:23:22.501 the notion is that if you have few milliseconds of trusted 00:23:22.501,00:23:26.305 execution, we need to be able to extend that trust from few 00:23:26.305,00:23:29.975 milliseconds to cover the whole untrusted area by checking the 00:23:29.975,00:23:35.514 on on the by checking on the integrity of the execution area. 00:23:35.514,00:23:38.384 Uh in short trusted execution we need to make sure that the 00:23:38.384,00:23:41.920 challenges that we’re creating will not be solved unless the 00:23:41.920,00:23:46.292 code got get executed. And while doing that we also need to 00:23:46.292,00:23:52.531 disable the code being emulated or instrumented. [breathes] And 00:23:52.531,00:23:56.235 we need to also detect reverse engineering or and evade reverse 00:23:56.235,00:24:02.675 engineering while the code is being executed. So in order to 00:24:02.675,00:24:05.511 make it expensive for any automated tool or reverse 00:24:05.511,00:24:07.746 engineer trying to reverse engineer the code we need to 00:24:07.746,00:24:11.150 have we need to use morphing morphing techniques that will 00:24:13.319,00:24:17.189 that will require time for any automated tool to analyze the 00:24:17.189,00:24:22.861 code. So I’m using here mainly structure obfuscation. So every 00:24:22.861,00:24:26.231 time the code is being morphed the structure of the code will 00:24:26.231,00:24:30.202 be totally different. And I’m actually changing the structure 00:24:30.202,00:24:33.472 of the code not by making the structure look different but 00:24:33.472,00:24:37.409 actually by making the structure look the same. So all it’s 00:24:37.409,00:24:42.314 functions while it’s while they are being morphed, though they 00:24:42.314,00:24:45.784 are different functions at the end they will look all the same. 00:24:45.784,00:24:49.388 And that's how we can that’s how we can make make it harder for 00:24:49.388,00:24:53.225 any automated tools to determine the difference between the 00:24:53.225,00:24:56.161 functions so we’ll make it harder for any automated tool to 00:24:56.161,00:25:00.065 attack the code while it’s being executed. So these are actually 00:25:00.065,00:25:04.370 basic blocks so we you we take a function set the function and 00:25:04.370,00:25:09.074 then we would morph it into thousands of basic blocks that 00:25:09.074,00:25:13.245 they all look the same. And these basic blocks will be 00:25:13.245,00:25:17.783 totally disconnected. There’s no edges connecting these basic 00:25:17.783,00:25:21.420 blocks with one another. And then we will will have to use 00:25:21.420,00:25:26.125 self modifying techniques. Where every single basic block when 00:25:26.125,00:25:29.328 the basic block is executed it will modify itself and then 00:25:29.328,00:25:34.333 connect to the next next block only after it gets executed. So 00:25:37.002,00:25:40.739 here as you can see reverse engineer would just receive the 00:25:40.739,00:25:44.376 code as totally disconnected basic blocks and then only when 00:25:44.376,00:25:47.846 the when when these blocks start to get executed they will start 00:25:47.846,00:25:53.185 to connect to one another. And that’s how we can make it more 00:25:53.185,00:25:56.955 expensive for any reverse engineer or automated tool to 00:25:56.955,00:26:00.859 analyze the code in order for any automated tool to analyze 00:26:00.859,00:26:05.030 that code it has to emulate the execution of these basic blocks 00:26:05.030,00:26:08.133 or analyze it so it will be expensive at the end of the day 00:26:08.133,00:26:11.470 in terms of time. And then at the end you wanna make sure that 00:26:11.470,00:26:16.575 that in order for the challenges to be solved it will only be 00:26:16.575,00:26:20.379 solved if the code exs gets executed if the code gets 00:26:20.379,00:26:26.752 executed only natively or even on an emulator but not ummm on 00:26:26.752,00:26:30.556 umm umm instrumentation tool or any tool that tries to 00:26:30.556,00:26:33.392 understand try to understand the code or break the code while 00:26:33.392,00:26:39.031 it's being executed. [breathes]So here uh sample of 00:26:39.031,00:26:44.036 these basic blocks. Every basic block here is actually just one 00:26:47.706,00:26:52.411 instruction. And the morphic techniques that I’m using is 00:26:52.411,00:26:55.214 actually taking every single instruction as you can see up 00:26:55.214,00:27:00.118 here this is the original instruction and then taking that 00:27:00.118,00:27:04.056 instruction and then transform every single instruction into a 00:27:04.056,00:27:08.694 basic block. And that basic block will encrypt the 00:27:08.694,00:27:13.198 instruction and then the only way that the real instruction 00:27:13.198,00:27:18.203 will appear is by executing the basic block. So the morphic 00:27:24.543,00:27:28.947 techniques that we can use to resist reverse engineering in 00:27:28.947,00:27:31.850 the context of clock synchronization that you are 00:27:31.850,00:27:35.687 allowing the code only to execute for a few milliseconds 00:27:35.687,00:27:39.691 is totally different than the morphing techniques that is used 00:27:39.691,00:27:42.227 by malware to change the structure of the code or to 00:27:42.227,00:27:46.732 evade signatures. So here is the list of the techniques that I’ve 00:27:46.732,00:27:51.036 found to be very helpful. We need to use metamorphic 00:27:51.036,00:27:53.739 techniques plus polymorphic techniques. You cannot really 00:27:53.739,00:27:57.042 rely on metamorphism only, you need to use polymorphic 00:27:57.042,00:28:00.078 techniques. And why you need to use polymorphic techniques? 00:28:00.078,00:28:02.614 Because you have to do self modifying code you have to 00:28:02.614,00:28:06.985 generate self modifying code to make it more expensive in terms 00:28:06.985,00:28:12.391 of time for any automated tool to reverse engineer the code. 00:28:12.391,00:28:16.361 And you need to make code structure obfuscation so any AI 00:28:16.361,00:28:21.266 wouldn’t determine which function is which because the 00:28:21.266,00:28:24.036 not all the challenges will have the same strength. Some 00:28:24.036,00:28:27.439 challenges will be weak and some challenges will be strong so you 00:28:27.439,00:28:30.876 need to disable any reverse engineer to determine which 00:28:30.876,00:28:33.345 function is which and the way we’ll do that is to make all the 00:28:33.345,00:28:36.014 functions look the same and all the function will have the same 00:28:36.014,00:28:39.885 structure as I showed you.[breathes] And then 00:28:39.885,00:28:43.055 challenge responds to mutation. Which we talked about in the 00:28:43.055,00:28:47.793 beginning is that we need to... you’re generating code that will 00:28:47.793,00:28:50.429 expire in few milliseconds so you need to actually make that 00:28:50.429,00:28:53.165 code function differently. ‘Cause if it wouldn’t function 00:28:53.165,00:28:57.035 different- differently it w- can easily be faked. So every time 00:28:57.035,00:28:59.905 we execute the function it should function differently and 00:28:59.905,00:29:04.710 return different return value so it will uh transform into a real 00:29:04.710,00:29:09.715 challenge. [breathes] And slices permutation is where if you have 00:29:12.751,00:29:15.487 one hundred functions if you send these functions to be 00:29:15.487,00:29:18.557 executed in the same sequence that would be weakness as well, 00:29:18.557,00:29:23.729 you have to morph the sequence of the functions. So every time 00:29:23.729,00:29:27.199 you send functions to to be executed you will have to 00:29:27.199,00:29:32.070 rearrange the sequence of these functions while being executed. 00:29:32.070,00:29:35.207 And code size magnification is also very important here because 00:29:37.342,00:29:40.312 if you’re expiring the code in few milliseconds and you're 00:29:40.312,00:29:44.049 trying to determine if the code is is- is being executed 00:29:44.049,00:29:47.686 natively or the code is being analyzed if you’re sending just 00:29:47.686,00:29:50.389 few instructions it will be so hard for you to determine the 00:29:50.389,00:29:54.593 difference. So you have to magnify the code you have to 00:29:54.593,00:29:58.997 magnify it enough that will enable you to determine or it 00:29:58.997,00:30:04.136 will have uh larger difference between if the code is being 00:30:04.136,00:30:07.406 executed natively or the code is being emulated and by saying 00:30:07.406,00:30:11.777 emulated here I don’t really mean like being emulated CPU but 00:30:11.777,00:30:15.047 rather instrumentation that the code is being instrumented while 00:30:15.047,00:30:19.651 it's being executed and then a reverse engineer or an AI would 00:30:19.651,00:30:22.521 patch or like would uh tamper the code while it’s being 00:30:22.521,00:30:28.026 executed. [breathes] So here is a sample this is just a very 00:30:28.026,00:30:33.198 simple function that you can define in the remote metamorphic 00:30:33.198,00:30:35.901 engine. This function is just checking if the debugger is 00:30:35.901,00:30:39.404 connected to the process. And I’ve chosen this function 00:30:39.404,00:30:43.341 because it’s just very short and small enough to fit into the 00:30:43.341,00:30:49.548 screen. So we’ll start morphic techniques by inserting use this 00:30:49.548,00:30:54.553 instructions unused instructions. And then after 00:30:57.189,00:31:00.992 inserting these unused instructions and randomizing uh 00:31:00.992,00:31:04.096 every time you will insert different set of instructions 00:31:04.096,00:31:07.399 this is how we can change the a little bit the structure of the 00:31:07.399,00:31:12.537 code on the first stage. And then here we’re also can use 00:31:12.537,00:31:16.508 expansion so you can replace one instruction that does memory 00:31:16.508,00:31:19.511 operation you can change it with a different set of instructions 00:31:19.511,00:31:22.080 that perform the same exact operation but in a different way 00:31:22.080,00:31:26.051 and using different instructions.[breathes] So th- 00:31:26.051,00:31:31.056 the first morphing stage you will reach uh uh that code. And 00:31:33.225,00:31:37.562 then in the second morphing stage, ‘cause we need to make it 00:31:37.562,00:31:40.966 harder for any reverse engineer to analyze the code we need 00:31:40.966,00:31:45.971 actually to tr- change the structure of the code and make 00:31:49.307,00:31:53.912 it much harder for any automated tool to hook into any part of 00:31:53.912,00:31:57.115 the code so every single instruction should look totally 00:31:57.115,00:32:02.387 different and should... and should be moved into totally 00:32:02.387,00:32:05.624 different position inside the function or inside the binary 00:32:05.624,00:32:09.761 code. [breathes] So what I’m doing here is actually um taking 00:32:09.761,00:32:11.730 that code and then inserting a label into every single 00:32:11.730,00:32:15.433 instruction and then inserting the jump after every single 00:32:15.433,00:32:16.768 instruction and by that I’m totally free to move any 00:32:16.768,00:32:18.103 instruction anywhere. Because the sequence of execution will 00:32:18.103,00:32:20.105 always be the same. So this code here that you see is exactly the 00:32:20.105,00:32:21.439 same as that one. By inserting labels and inserting jumps after 00:32:21.439,00:32:23.508 every instruction to the next one you are free to move any 00:32:23.508,00:32:28.513 instruction any where er you’re free to move any of these basic 00:32:42.460,00:32:47.632 blocks anywhere. These two are exactly the same. Just doing 00:32:47.632,00:32:52.637 trans tran transposition here. So after doing that and changing 00:32:58.543,00:33:02.814 the structure of the code and doing transposition and mm 00:33:02.814,00:33:05.784 pushing moving every single instruction in a different uh 00:33:05.784,00:33:09.855 location we’ll take every single basic block and then use 00:33:09.855,00:33:14.192 polymorphic techniques to transform this basic block into 00:33:14.192,00:33:19.197 self modifying code. So that basic block we’re gonna take it 00:33:21.299,00:33:24.402 and transform it into that morphed basic block which is a 00:33:24.402,00:33:28.607 self modifying basic block. As you can see here this is a 00:33:28.607,00:33:32.978 mutation a randomly generated mutation key that I’m using to 00:33:32.978,00:33:37.983 create randomly encryption and decryption routines. And here as 00:33:40.719,00:33:44.556 you can see this is a randomly generated self modifying code so 00:33:44.556,00:33:47.592 every single basic block which is actually every single 00:33:47.592,00:33:51.897 instruction will be transformed into a s-uhh self modifying 00:33:51.897,00:33:57.569 basic block on its own. And here is the hel- helper function that 00:33:57.569,00:34:00.372 just helps to allocate the location of the code in memory. 00:34:03.241,00:34:07.245 And as you can see this part actually will transform into 00:34:07.245,00:34:10.649 self modifying and it will modify itself while it’s being 00:34:10.649,00:34:15.654 executed. To uumm uh um to unfold into the original 00:34:17.989,00:34:24.195 instruction or the original basic block. And also the jump 00:34:24.195,00:34:28.533 that you see here the jump that is after the instruction is also 00:34:28.533,00:34:32.637 gonna be morphed so any AI or reverse engineer trying to 00:34:32.637,00:34:36.074 understand wh- wha- which instruction would be next he 00:34:36.074,00:34:38.910 wouldn't be able to know or any automated tool trying to analyze 00:34:38.910,00:34:41.546 the code they wouldn’t be able to know which next instruction 00:34:41.546,00:34:44.883 w-which instruction would be next until the code is executed 00:34:44.883,00:34:48.920 and the code self modify and decrypt itself and then will 00:34:48.920,00:34:52.524 jump to the next basic block and then the next basic block will 00:34:52.524,00:34:56.328 self modify and decrypt itself in memory and then will reveal 00:34:56.328,00:34:59.965 the next instruction and so on. And we need to do that because 00:34:59.965,00:35:04.536 we only have few milliseconds for the code to be executed and 00:35:04.536,00:35:08.707 we wanna make it very expensive for any automated tool to try to 00:35:08.707,00:35:12.877 solve the code within that allowed time frame. Like th- 00:35:12.877,00:35:16.414 these techniques might not be that interesting if if you just 00:35:16.414,00:35:19.484 give the reverse engineer as much time as he want to reverse 00:35:19.484,00:35:23.488 engineer the code but in the context of the code has to be 00:35:23.488,00:35:25.991 executed in few milliseconds these techniques are very 00:35:25.991,00:35:29.894 helpful. And for sure it's gonna be helpful if you wanna add if 00:35:29.894,00:35:36.434 you would add multiple layers of self modifying. [breathes] So at 00:35:36.434,00:35:40.205 the end you will the code will be morphed into these 00:35:40.205,00:35:43.975 structures. Here as you can see these are like three basic 00:35:43.975,00:35:46.711 blocks so every single instruction will be transformed 00:35:46.711,00:35:51.716 into these randomly generated basic blocks. Here is a sample 00:35:53.785,00:35:58.790 of the code being executed and self modifying. Just to give you 00:36:01.393,00:36:06.398 a feel. Ah- all the basic blocks they will end up looking exactly 00:36:09.367,00:36:13.638 the same and while being executed they will change and 00:36:13.638,00:36:18.643 they will connect and they will un- unfold in memory. As you can 00:36:34.592,00:36:39.898 see here the this code will change now and unveal unreveal 00:36:39.898,00:36:44.903 that instruction. Sorry. So these morphic techniques if it’s 00:37:13.798,00:37:17.702 used n-normally you know to to just to morph a piece of code 00:37:17.702,00:37:20.905 it’s it wouldn’t be helpful at all but the point is that the 00:37:20.905,00:37:24.175 code will have only few milliseconds to be executed and 00:37:24.175,00:37:27.812 to respond back to the remote metamorphic engine with the 00:37:27.812,00:37:32.817 right response. So here as you can see these are four different 00:37:40.058,00:37:43.528 generation four different samples of the same function 00:37:43.528,00:37:48.533 being morphed and every time the function is morphed it will it 00:37:52.837,00:37:58.376 will respond back with a totally different return value. And then 00:37:58.376,00:38:01.913 the engine will receive the return value and then decrypt it 00:38:01.913,00:38:05.884 and return it back to its original value and as you can 00:38:05.884,00:38:10.321 see here the response time is six milliseconds. I was here 00:38:10.321,00:38:13.558 connecting the trusted and untrusted area the remote 00:38:13.558,00:38:17.862 metamorphic engine and the and a client on a same machine and a 00:38:17.862,00:38:22.834 local localhost. If you’re gonna connect it remotely it might be 00:38:22.834,00:38:27.839 much longer than that. And here as you can see every time the 00:38:31.509,00:38:35.880 code is being morphed it will it will be umm it will it will 00:38:35.880,00:38:39.651 result in a totally different code size. So the code size will 00:38:39.651,00:38:44.222 be different, the structure will be different, and the 00:38:44.222,00:38:50.295 instruction sets that are used will be totally different. As 00:38:50.295,00:38:54.532 you can see the first time it it uh the original code actually if 00:38:54.532,00:38:59.137 you if you just assemble it, it will be around maybe thirty or 00:38:59.137,00:39:03.041 forty bytes and here these thirty forty bytes of the 00:39:03.041,00:39:05.310 original code are being transformed into fifteen 00:39:05.310,00:39:10.315 thousand bytes or um like two thousand or the five thousand 00:39:12.584,00:39:17.589 five or six thousand instructions. [breathes] Now, in 00:39:24.462,00:39:29.467 order to determine if the code is being really executed or if 00:39:35.440,00:39:39.410 it if the challenge really being solved without being tampered or 00:39:39.410,00:39:43.581 without being reverse engineered or without being emulated or 00:39:43.581,00:39:48.586 instrumented. If someone just hooked into the challenge 00:39:55.193,00:39:59.430 response protocol and then tried to just set the return value 00:39:59.430,00:40:04.602 into any value I’m trying to fool the protocol umm the remote 00:40:04.602,00:40:10.241 metamorphic engine can easily detect that. So any em any any 00:40:10.241,00:40:13.945 immunity system in nature actually is based on knowing the 00:40:13.945,00:40:18.583 self, so the remote metamorphic engine actually tries to learn 00:40:18.583,00:40:23.788 and know about the self by comparing the responses or the 00:40:23.788,00:40:27.191 challenges that are returned comparing it to the previous 00:40:27.191,00:40:30.662 execution. So we have the same function we would execute it 00:40:30.662,00:40:34.532 maybe five times and everytime the code would look different 00:40:34.532,00:40:37.368 the structure would look different and the the function 00:40:37.368,00:40:40.038 would actually include totally different functionalities 00:40:40.038,00:40:43.641 because it’s mutated. And every time the function get morphed 00:40:43.641,00:40:46.477 and being sent to be executed it will return a different return 00:40:46.477,00:40:50.181 value. But then the engine will use the the randomly generated 00:40:50.181,00:40:54.585 decrypted decryption er mutation key to solve the challenge and 00:40:54.585,00:41:01.259 return it back to the original value. [breathes] So as you can 00:41:01.259,00:41:04.829 see here if anyone tries to tamper the code while it’s being 00:41:04.829,00:41:08.800 while it’s being executed or tried to tamper the response 00:41:08.800,00:41:12.270 while the response is being returned by just simply hooking 00:41:12.270,00:41:15.840 into the response and then sending faking the response the 00:41:15.840,00:41:22.580 engine can easily determine that by comparing the responses with 00:41:22.580,00:41:27.585 the previously returned responses. So as you can see 00:41:29.721,00:41:35.626 here these are seven different mutated functions of the same 00:41:35.626,00:41:39.230 exact functions. Every time the function is being sent to be 00:41:39.230,00:41:42.900 executed it will return back totally different value and then 00:41:42.900,00:41:46.604 all these values should decrypt back to the same exact value. So 00:41:46.604,00:41:49.240 the remote metamorphic engine can determine if there’s any 00:41:49.240,00:41:53.778 tampering attempts. If the the decrypted value will look 00:41:53.778,00:41:57.181 totally different or result in a different value than all the 00:41:57.181,00:42:02.120 previously generated code. On the other hand the engine can be 00:42:06.457,00:42:11.462 able to determine if the... the code being executed natively or 00:42:13.765,00:42:17.435 in a healthy way compared to being instrumented or being 00:42:17.435,00:42:21.439 analyzed based on time. So we in in this challenges for example 00:42:21.439,00:42:24.675 were allowing five hundred milliseconds for the code to be 00:42:24.675,00:42:31.416 executed and to return back. And then the engine can determine if 00:42:31.416,00:42:36.721 the code is being eh analyzed or the code is being emulated or 00:42:36.721,00:42:40.191 being instrumented if the response returns back in a 00:42:40.191,00:42:46.130 higher time frame than the allowed time frame. So the way I 00:42:46.130,00:42:51.269 actually set that allowed time frame, I’m actually doing it 00:42:51.269,00:42:56.874 manually. By executing the code natively and then measuring the 00:42:56.874,00:43:01.212 code execution time of the code. And then would allow because 00:43:01.212,00:43:03.881 every time you send the code to be executed would return back in 00:43:03.881,00:43:08.886 a different time frame so you have to enable umm uh time frame 00:43:08.886,00:43:13.624 because the code will all will keep on fluctuating. Umm some ah 00:43:13.624,00:43:20.198 mainly allowing the average of the execution time multiplied by 00:43:20.198,00:43:25.603 three to five factors and this way it’s like it’s based on the 00:43:25.603,00:43:28.906 assumption that if the code is being analyzed there must be at 00:43:28.906,00:43:32.009 least two or three instructions being inserted to analyze the 00:43:32.009,00:43:37.982 code. Err uhh there must be at least comparison instructions. 00:43:37.982,00:43:43.521 [breathes] So as you can see here uh on these all the same 00:43:43.521,00:43:47.725 functions. These are all the same generation uh seven 00:43:47.725,00:43:51.028 different generations of the same function. Every time it's 00:43:51.028,00:43:54.365 being executed it will return back in a slightly different 00:43:54.365,00:43:57.969 time frame. The first time return back in forty-five 00:43:57.969,00:44:01.806 milliseconds second one sixty-five milliseconds and then 00:44:01.806,00:44:05.309 in this sample I’m allowing only five hundred milliseconds for 00:44:05.309,00:44:08.513 the code to be executed and then once the return value returns 00:44:08.513,00:44:11.716 back in a higher time frame the engine can determine that the 00:44:11.716,00:44:16.220 code is being analyzed and then it can uummm act in a different 00:44:16.220,00:44:22.960 way. In case of uh malware using these techniques perhaps that 00:44:22.960,00:44:26.430 would be the most tricky part of it you know. Malware wouldn't 00:44:26.430,00:44:30.368 really be able to uh change the pattern because the malware 00:44:30.368,00:44:33.237 would still have to communicate with the API still will have to 00:44:33.237,00:44:37.041 communicate with the operating systems. So still you can 00:44:37.041,00:44:39.877 determine or you can signature the the malware based on 00:44:39.877,00:44:43.915 behavioral allowances but the tricky part is that the malware 00:44:43.915,00:44:47.718 can be analyzing the code or analyzing the reverse engineer 00:44:47.718,00:44:50.621 while the reverse engineer is analyzing the code. Or the 00:44:50.621,00:44:54.125 malware can analyze the execution or the instrumentation 00:44:54.125,00:44:56.627 environment while the instrumentation environment is 00:44:56.627,00:45:01.232 analyzing the malware. So that might eliminate or just the 00:45:01.232,00:45:04.535 tricky part you know once you know about it it’s gonna be so 00:45:04.535,00:45:08.472 easy to bypass it but if you don’t know about it malware can 00:45:08.472,00:45:13.377 evade and umm evade the analysis and maybe act in a totally 00:45:13.377,00:45:16.981 different way. And in this case the functionality is even not 00:45:16.981,00:45:20.384 stored in the executable file that you’re analyzing, all the 00:45:20.384,00:45:23.621 functionalities are stored remotely. And then you wouldn’t 00:45:23.621,00:45:30.461 be able to go to the next step in analyzing the code. So it’s 00:45:30.461,00:45:33.397 it’s just this trick you know that the malware can use to 00:45:33.397,00:45:36.567 evade reverse engineering so it’s the technique is not really 00:45:36.567,00:45:43.541 that umm um wouldn’t really add much you know to malware evading 00:45:43.541,00:45:49.046 malware as much as it can be used for um defensive approaches 00:45:49.046,00:45:53.017 trying to eliminate the code from being reverse engineered or 00:45:53.017,00:45:56.721 pushing integrity checking functions to check on the 00:45:56.721,00:46:00.124 integrity of the code or the integrity of the environment 00:46:00.124,00:46:03.160 you’re executing the code in. And this is actually the most... 00:46:07.431,00:46:13.604 umm this is the most challenging part is that how can you really 00:46:13.604,00:46:18.743 trust in any nodes that you are connecting to? How can you trust 00:46:18.743,00:46:23.014 in the integrity of things in your network? How can you trust 00:46:23.014,00:46:27.051 the integrity of the processes that are running in your network 00:46:27.051,00:46:30.655 when you are relying on static code? If you’re relying on 00:46:30.655,00:46:35.793 static code and that static code can be hooked can be patched can 00:46:35.793,00:46:40.197 be tampered in memory and then you wouldn’t really be able to 00:46:40.197,00:46:45.736 determine or trust its input or output. So the remote 00:46:45.736,00:46:51.609 metamorphic engine can be used to check on the integrity of 00:46:51.609,00:46:57.381 connected things and to ensure that things cannot be reverse 00:46:57.381,00:47:00.651 engineered so it will be much harder to be reverse engineered 00:47:00.651,00:47:05.656 umm or or get tampered. [breathes] On the other hand... 00:47:11.328,00:47:14.365 execution time also you can determine that the code is being 00:47:14.365,00:47:17.635 analyzed or the code is being faked if the response return 00:47:17.635,00:47:22.173 back in a lower time frame than the allowed time frame. In this 00:47:22.173,00:47:25.910 case maybe someone is trying to fake the responses and executing 00:47:25.910,00:47:32.116 it in a much faster CPU or performing any tampering 00:47:32.116,00:47:35.586 attempts that would that would result in the code being 00:47:35.586,00:47:41.559 returned very fast. So these two variants would help a lot to 00:47:41.559,00:47:44.862 determine if the code is being executed natively or it’s being 00:47:44.862,00:47:49.867 tampered or is being reverse engineered. [whisper off mic] 00:47:57.408,00:48:02.346 So... I’m running out of time so if you have any questions you 00:48:04.448,00:48:07.518 can feel free to email me I’m gonna be using this email 00:48:07.518,00:48:12.256 address for the coming couple of weeks and uh with that it’s been 00:48:12.256,00:48:15.493 an honor to be part of your day today. Thank you for joining me. 00:48:15.493,00:48:20.498 Have a good day. [applause] Thank you.