SBIR-STTR Award

Next Generation Software Reverse Engineering Tools
Award last edited on: 4/18/2007

Sponsored Program
SBIR
Awarding Agency
DOD : OSD
Total Award Amount
$840,676
Award Phase
2
Solicitation Topic Code
OSD04-SP2
Principal Investigator
Greg Hoglund

Company Information

HBGary Inc (AKA: Hbgary Federal Inc)

3604 Fair Oaks Boulevard Suite 250
Sacramento, CA 95864
   (916) 459-4727
   hoglund@hbgary.com
   www.hbgary.com
Location: Single
Congr. District: 07
County: Sacramento

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2005
Phase I Amount
$99,722
New tools are needed to perform vulnerability assessments of software protection techniques currently being developed in response to the DoD Anti-Tamper (AT) / Software Protection Initiative. As is evident in the commercial sector, after a new technique is developed for protecting intellectual property resident within software, a countermeasure to that technique is subsequently developed and widely distributed through the Internet. This leads to a never-ending cycle of constantly improving the protection in order to stay ahead of the reverse engineering community. HBGary proposes that an automated runtime disassembly engine can overcome most obfuscation techniques because it will run the actual program instructions and will not have to interpret complex code statically. So long as the test tool can achieve near 100% code coverage, it is expected to be able to reverse engineer the whole program. Exhaustive execution of all possible control flow paths is achieved with a technique described as Automated Flow Resolution. Executed code is disassembled during runtime, ultimately recovering program instructions, control flows, and data registers.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2006
Phase II Amount
$740,954
HBGary proved during Phase I that instructions could be obtained from obfuscated programs with runtime data flow tracing and single-step debugging. Control flows were recovered with intelligent mutations made deterministically using an algorithmic process called Automated Flow Resolution. The software prototype was successful. During Phase II HBGary will develop a decompiler that goes beyond existing reverse engineering tools, which rely heavily on static analysis and are ineffective against protected and self-modifying code. This next generation decompiler will evolve from the success of the Phase I research to "truly observe" a program at runtime, collecting instructions and behavior dynamically while operating in stealth mode against self-protecting code. While collecting instructions, the decompiler will manipulate the program to observe new behaviors without detection and collect instruction flows for reverse engineering and program understanding. The primary goals of Phase II will be to extend, apply, and make robust Automated Flow Resolution against larger and more complex real-world software. Advanced debuggers will be developed to defeat and overcome more difficult obfuscated and self-modifying programs. Phase II will focus heavily on data flow analysis.
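The two abstracts above describe the idea only in outline: single-step the real program so that self-modifying code disassembles itself, and at every conditional branch force the untaken outcome so that all paths get executed. The following is an added illustration of that idea and is not HBGary's code or a description of its tool. It uses a constructed toy virtual machine (fixed three-byte instructions, opcode names, the XOR "decryption" of one instruction, and the sample program are all invented for the example) and implements the branch mutation by flipping the zero flag at each conditional jump, which is an assumption about what "intelligent mutations" might mean, not a statement of HBGary's method. A linear static disassembly of the same bytes fails at the encrypted instruction, while the runtime trace recovers it.

```python
# Added example: runtime disassembly with exhaustive branch resolution on a toy VM.
# Not HBGary's code; the VM, opcodes and sample program are constructed for illustration.
from dataclasses import dataclass

WIDTH = 3                                  # every instruction is opcode, operand a, operand b
OPS = {0: "HALT", 1: "MOVI", 2: "ADDI", 3: "CMPI", 4: "JZ", 5: "JMP", 6: "XORM"}
KEY = 0x5A                                 # XOR key used by the program to decrypt itself

# Constructed sample program. r0 is treated as untrusted input; the instruction at
# address 18 is stored encrypted and is only decrypted in place when the JZ is taken.
PROGRAM = bytes([
    3, 0, 7,                               # 0:  CMPI r0, 7
    4, 9, 0,                               # 3:  JZ 9
    0, 0, 0,                               # 6:  HALT
    6, 18, KEY,                            # 9:  XORM [18], KEY
    6, 19, KEY,                            # 12: XORM [19], KEY
    6, 20, KEY,                            # 15: XORM [20], KEY
    1 ^ KEY, 1 ^ KEY, 0x41 ^ KEY,          # 18: encrypted MOVI r1, 0x41
    0, 0, 0,                               # 21: HALT
])


def decode(mem, pc):
    """Render the instruction at pc from whatever bytes are there right now."""
    op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
    name = OPS.get(op)
    if name is None:
        return f"db 0x{op:02x}, 0x{a:02x}, 0x{b:02x}"   # not decodable as code
    if name in ("MOVI", "ADDI", "CMPI"):
        return f"{name} r{a}, 0x{b:02x}"
    if name in ("JZ", "JMP"):
        return f"{name} {a}"
    if name == "XORM":
        return f"XORM [{a}], 0x{b:02x}"
    return name


def static_disassemble(program):
    """Linear sweep over the bytes on disk: sees the encrypted instruction as junk."""
    return {pc: decode(program, pc) for pc in range(0, len(program), WIDTH)}


@dataclass
class State:
    pc: int
    regs: list
    mem: bytearray
    z: bool


def step(s):
    """Execute one instruction in place. Returns False when the path ends."""
    op, a, b = s.mem[s.pc], s.mem[s.pc + 1], s.mem[s.pc + 2]
    nxt = s.pc + WIDTH
    if op == 1:
        s.regs[a] = b
    elif op == 2:
        s.regs[a] = (s.regs[a] + b) & 0xFF
    elif op == 3:
        s.z = s.regs[a] == b
    elif op == 4:
        nxt = a if s.z else nxt
    elif op == 5:
        nxt = a
    elif op == 6:
        s.mem[a] ^= b                      # self-modification: code bytes change at runtime
    else:
        return False                       # HALT or an illegal opcode ends this path
    s.pc = nxt
    return True


def resolve_flows(program, regs, max_steps=10_000):
    """Single-step the program; at each conditional branch, fork a copy of the
    state with the flag flipped so the untaken side is executed as well.
    Returns {address: set of instruction texts actually executed there}."""
    trace, seen = {}, set()
    work = [State(0, list(regs), bytearray(program), False)]
    steps = 0
    while work and steps < max_steps:
        s = work.pop()
        while steps < max_steps:
            key = (s.pc, s.z, tuple(s.regs), bytes(s.mem))
            if key in seen:                # deterministic: never re-run an identical state
                break
            seen.add(key)
            trace.setdefault(s.pc, set()).add(decode(s.mem, s.pc))
            if s.mem[s.pc] == 4:           # JZ: queue the other outcome with Z mutated
                work.append(State(s.pc, list(s.regs), bytearray(s.mem), not s.z))
            steps += 1
            if not step(s):
                break
    return trace


if __name__ == "__main__":
    static = static_disassemble(PROGRAM)
    dynamic = resolve_flows(PROGRAM, regs=[0, 0, 0, 0])   # input r0=0 never takes the JZ
    for pc in sorted(static):
        print(f"{pc:3d}: static={static[pc]!r:28} runtime={sorted(dynamic.get(pc, []))}")
```

With input r0=0 the program would halt at address 6 on every real run, so a debugger alone never sees the decrypted instruction; the forked state with the flipped flag walks the decryption loop and records `MOVI r1, 0x41` at address 18, where the static sweep shows only `db` bytes. The same forking is what stops the search from following an obfuscated loop forever: the state key includes the code bytes, so a path is only abandoned once it repeats exactly.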