- Data can be Code
Many of the attacks we have seen trick a program into accepting data that is really code, i.e. input the program then interprets or executes.
- SQL injection
- XSS
- Code is Data
Reverse Engineering is the opposite
- Executable code can be written and edited, just like any other document.
- Ultimately, an attacker/analyst can do anything they want with a program.
Definition : The process of analysing software to understand its functionality, often without access to source code. By examining low-level code, protections can be removed and the function of programs altered. Good protection tends to slow down this process, not stop it.
Goals :
- Security research (e.g., vulnerability discovery, malware analysis).
- Debugging and performance optimisation.
- Learning how compilers and systems work.
Common Techniques
- Look for strings (error messages, licence prompts, file names) to locate the interesting code.
- Identify the key tests and check the values in the registers using a debugger.
- Swap je and jne, etc.: inverting a conditional jump makes the check pass exactly when it should fail.
- Replace the instructions that perform checks with a nop (no operation), so the check is never made.
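The last three techniques in the list above, worked through on a constructed byte string rather than a real program. This is an added example, not code from the original notes. The machine code, the licence-check layout, the offsets and the strings are all made up for the demonstration; the tiny interpreter only understands the handful of opcodes in that snippet.

```python
"""Toy binary patcher: find strings, flip a conditional jump, nop out a check."""
import re

# Constructed x86-64 machine code for a hypothetical licence check (not a
# real program). rax holds the result of some key check; the function
# returns 1 ("accepted") only when rax == 1.
#   0: 48 83 f8 01     cmp  rax, 1
#   4: 75 06           jne  +6        -> 0xc, the failure path
#   6: b8 01 00 00 00  mov  eax, 1
#   b: c3              ret
#   c: 31 c0           xor  eax, eax
#   e: c3              ret
CHECK_CODE = bytes.fromhex("4883f801" "7506" "b801000000" "c3" "31c0" "c3")
JNE_OFFSET = 4  # offset of the `jne` inside CHECK_CODE (assumed known)

# Constructed read-only data: the messages a reverser would spot first.
RODATA = b"\x00Licence accepted\x00Invalid licence key\x00"
BINARY = CHECK_CODE + RODATA


def find_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Emulate `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def is_short_jcc(blob: bytes, off: int) -> bool:
    """Short conditional jumps (Jcc rel8) use opcodes 0x70..0x7F."""
    return off < len(blob) and 0x70 <= blob[off] <= 0x7F


def swap_jcc(blob: bytes, off: int) -> bytes:
    """Negate a short conditional jump (je<->jne, jl<->jge, ...).

    The 0x70..0x7F opcodes come in pairs that differ only in bit 0, so
    flipping that bit inverts the condition and leaves the displacement
    and instruction length untouched.
    """
    if not is_short_jcc(blob, off):
        raise ValueError(f"no short Jcc at offset {off:#x}")
    patched = bytearray(blob)
    patched[off] ^= 1
    return bytes(patched)


def nop_out(blob: bytes, off: int, length: int) -> bytes:
    """Overwrite `length` bytes with single-byte NOPs (0x90).

    Same byte count as the original instruction, so nothing else in the
    file moves. The caller must pass a whole instruction: nop-ing half
    of one leaves a garbage opcode behind.
    """
    if off < 0 or off + length > len(blob):
        raise ValueError("patch range outside the blob")
    return blob[:off] + b"\x90" * length + blob[off + length:]


def run_check(code: bytes, rax: int) -> int:
    """Minimal interpreter for the opcodes used in CHECK_CODE.

    Returns eax at `ret`; enough to observe what each patch does.
    """
    ip, eax, zf = 0, 0, False
    while True:
        op = code[ip]
        if op == 0x48 and code[ip + 1:ip + 3] == b"\x83\xf8":  # cmp rax, imm8
            zf = rax == code[ip + 3]
            ip += 4
        elif op in (0x74, 0x75):  # je / jne rel8
            taken = zf if op == 0x74 else not zf
            disp = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
            ip += 2 + (disp if taken else 0)
        elif op == 0xB8:  # mov eax, imm32
            eax = int.from_bytes(code[ip + 1:ip + 5], "little")
            ip += 5
        elif op == 0x31 and code[ip + 1] == 0xC0:  # xor eax, eax
            eax, ip = 0, ip + 2
        elif op == 0x90:  # nop
            ip += 1
        elif op == 0xC3:  # ret
            return eax
        else:
            raise ValueError(f"unsupported opcode {op:#x} at {ip:#x}")


if __name__ == "__main__":
    print("strings:", find_strings(BINARY))
    swapped = swap_jcc(CHECK_CODE, JNE_OFFSET)
    nopped = nop_out(CHECK_CODE, JNE_OFFSET, 2)
    for rax in (0, 1):
        print(f"rax={rax}: original={run_check(CHECK_CODE, rax)} "
              f"swapped={run_check(swapped, rax)} nopped={run_check(nopped, rax)}")
```

The two patches are not equivalent: swapping the jump inverts the check (a bad key is now accepted and a good key rejected), while nop-ing it out makes every key pass. Which one you want depends on whether the failure path is ever needed; both keep the instruction stream the same length, which is what makes them safe to apply with a hex editor.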
Defences
- Dynamically construct the code at run time.
- But the attacker can simply run the program and dump the constructed code from memory.
- Encrypt the binary.
- The program must include the key for it to be executable, so the key (and the decrypted code) can be recovered at run time.
- Obfuscation (e.g., mix data and code so it is not clear which is which).
- Can slow down attacks by months or years, but does not stop them.
- Online activation.
- Can be completely disabled (patched out) by an attacker, since the check runs on their machine.
- Require online content, so part of the program never exists on the attacker's machine.
- Require a hardware dongle.
- Hardware-based protection: store and run part of the code in tamper-resistant hardware, so the attacker cannot read or patch it.