Cryptography Breakthrough Could Make Software Unhackable


posted on Feb, 3 2014 @ 08:43 PM
Source - Cryptography Breakthrough Could Make Software Unhackable


The idea of “obfuscating” a program had been around for decades, but no one had ever developed a rigorous mathematical framework for the concept, let alone created an unassailable obfuscation scheme. Over the years, commercial software companies have engineered various techniques for garbling a computer program so that it will be harder to understand while still performing the same function. But hackers have defeated every attempt. At best, these commercial obfuscators offer a “speed bump,” said Sahai, now a computer science professor at the University of California, Los Angeles. “An attacker might need a few days to unlock the secrets hidden in your software, instead of a few minutes.”

...

“You could send that agent into the computing wild, including onto untrusted computers,” Sahai said. “It could be captured by the enemy, interrogated, and disassembled, but it couldn’t be forced to reveal your secrets.”


This is quite interesting and though it's still a concept in development, it shows promise.

What could it mean?

Well, it might mean that on the horizon, we'll no longer have free access to cracked copies of software on torrent sites.

On the science fiction future front, however, I see this as a necessary must in protecting Artificial Intelligence from compromise, and even more worrisome, the prospect of having one's OWN Brain hacked if one were to choose a post-biological format in replacing an antique biological body with a new improved better, faster, smarter, stronger synthetic replacement.

There's a whole host of anything and everything applicable to Information security where cryptographic solutions such as this would be important, and necessary.

As for now ... in the more immediate present and close future:
For one, something like this could equate to getting your internet anonymity back.
No more worries about the big bad spooky NSA, CIA, or any other ABC out there trying to spy on you.

While it'll take some time for this to mature and become practical and applicable, it's good news.





edit on 2/3/2014 by AliceBleachWhite because: (no reason given)



posted on Feb, 3 2014 @ 08:58 PM
Being a Hacker for quite some time, I have yet to see any software that could stand up to a positive directed assault on its protection scheme.

Crypto-box protection is the best at the moment. If you have access to the key, it's just as easy as any other program.

Any program that has to decrypt itself in order to run, will have an execution path that will find a worthy attacker.
(in the basement, 5 to 10 days, no shower, hot pocket wrappers everywhere)

Don't laugh, I've been there!!!



posted on Feb, 3 2014 @ 09:06 PM
This will be more useful to the creators of viruses and trojans than anyone else. The method they use to prevent their software being detected by anti-virus software is obfuscation. The better the obfuscation, the harder it is for heuristic scanners to detect the virus.



posted on Feb, 3 2014 @ 09:08 PM
reply to post by Arrow22
 



Any program that has to decrypt itself in order to run, will have an execution path that will find a worthy attacker.

The real problem is, that any program which has to decrypt itself in order to run must also have the decryption key stored in the source code. And the only way to protect the decryption key in that case is to obfuscate it. Right back to step one.



posted on Feb, 3 2014 @ 09:15 PM
reply to post by ChaoticOrder
 


Excellent point.

However, on a level playing field (not that there ever will be one since many people settle for older tech as long as useful until forced to upgrade), the malicious code will be attempting to compromise software it can't see inside to compromise.

Whatever the case may be, it's an interesting development that should amount to some bar-raising in information security circles under hats of all colors and shades; black, white, grey, red, whatever.




posted on Feb, 3 2014 @ 10:05 PM

AliceBleachWhite
reply to post by ChaoticOrder
 


Excellent point.

However, on a level playing field (not that there ever will be one since many people settle for older tech as long as useful until forced to upgrade), the malicious code will be attempting to compromise software it can't see inside to compromise.

Whatever the case may be, it's an interesting development that should amount to some bar-raising in information security circles under hats of all colors and shades; black, white, grey, red, whatever.



Once in memory, code is code. If you run a memory imager in background, you will have the source code in hex. Then it becomes a simple matter to disassemble the code and find the key.

Cheers - Dave



posted on Feb, 4 2014 @ 01:21 AM

bobs_uruncle

Once in memory, code is code. If you run a memory imager in background, you will have the source code in hex. Then it becomes a simple matter to disassemble the code and find the key.

Cheers - Dave


Aha.
So, that's how all the cool kids are doing it these days!


Well, in one vein, the optimisms expressed here for defeating this work in development gives me hope that the torrent sites still have some measure of time to continue offering the latest in retail software.

On the other hand, it gives me a wee bit of sad that we're still out a solution for regaining online anonymity from the spooks, just on principle.

I mean, secure is supposed to be SECURE, not, "secure except where big brother is concerned".

eh.


edit on 2/4/2014 by AliceBleachWhite because: (no reason given)



posted on Feb, 4 2014 @ 01:37 AM
It might take a collaboration of both software and hardware to pull this off. There could be an on-chip mechanism that works in conjunction with the cyphered machine code that would make it extremely difficult, if not impossible, to hack the program. These things are definitely overdue, as we have certainly seen just the beginning of the damage caused by cyber espionage.



posted on Feb, 4 2014 @ 05:57 AM
It's funny that self-decrypting software is being ignored as a solution.

In self-decrypting software, each instruction not only contains the operation to execute, but also the code to decrypt the next instruction.

Altering the instruction stream would result in a totally different execution path, thus never allowing hackers to peek inside the actual software.



posted on Feb, 4 2014 @ 03:10 PM

AliceBleachWhite

bobs_uruncle

Once in memory, code is code. If you run a memory imager in background, you will have the source code in hex. Then it becomes a simple matter to disassemble the code and find the key.

Cheers - Dave


Aha.
So, that's how all the cool kids are doing it these days!


Well, in one vein, the optimisms expressed here for defeating this work in development gives me hope that the torrent sites still have some measure of time to continue offering the latest in retail software.

On the other hand, it gives me a wee bit of sad that we're still out a solution for regaining online anonymity from the spooks, just on principle.

I mean, secure is supposed to be SECURE, not, "secure except where big brother is concerned".

eh.
edit on 2/4/2014 by AliceBleachWhite because: (no reason given)


Unfortunately the PTB and their spawn like the NSA have brokered deals with almost everyone and as mentioned elsewhere in this thread, but almost anything can be broken with a little work. The best algorithm I have worked on was a random time domain key seeded and variable key length (512b to 8192b, AES/FIPS) polymorphic encryption engine (it can be sent as a large virus in its software only form) that was written in PDC Prolog. So if you want security, you might want to get one of these ;-)

There are 3 levels of public and private keys plus the variable keys generated by the handshaking modules. Everything is encrypted and the variable keys are passed dispersed and embedded within the data being transferred. Only the two handshaking modules know the keysets and they are contained in transient register space of the handshaking processors where they are dispersed within the data space. The processors holding the codes are embedded micro-controllers and use not only random number generators, but also ambient surrounding environmental conditions to produce the embedded keys (that's why they are micro-controllers with A/D inputs rather than microprocessors but you could use an AIO like an ARM Cortex A8). Each time based packet set which is randomly sent from 1 to 10 seconds has the keys changed in both content, size and embedding pattern.

All this security slows down the effective data transfer rate by about 15%, but imagine trying to de-encrypt a 5 minute digital voice communication or a 10 minute data stream without knowing where the key changes are located, where the keys are or what size the keys are? It's orders of magnitude more secure than a straight 1024 bit key. So, the technology exists, it's just a question of whether or not the general public can get their hands on it and use it.

Cheers - Dave



posted on Feb, 5 2014 @ 06:19 AM
reply to post by masterp
 


Back in the days, we used SoftICE to do kernel level debugging and in the end, everything will reveal itself, even if it had to be done instruction by instruction as you suggest. Today Syser and BugChecker are the tools to use that will allow you to disassemble even a piece of software engineered as you describe. Do not underestimate the patience and innovation of a real hacker and the power of the tools available.



posted on Feb, 5 2014 @ 06:48 AM

masterp
It's funny that self-decrypting software is being ignored as a solution.

In self-decrypting software, each instruction not only contains the operation to execute, but also the code to decrypt the next instruction.

Altering the instruction stream would result in a totally different execution path, thus never allowing hackers to peek inside the actual software.


That is a good point, and actually part of what I was alluding to in my post above. There would be an external and internal (in CPU) encryption key system that would have to work in conjunction to decrypt the next instruction. I know that Intel and AMD are experimenting with such systems. The problem being, that to implement them would require all new hardware, so it will require attrition to get systems like that into everyday use.



posted on Feb, 5 2014 @ 09:13 AM

ChaoticOrder
reply to post by Arrow22
 



Any program that has to decrypt itself in order to run, will have an execution path that will find a worthy attacker.

The real problem is, that any program which has to decrypt itself in order to run must also have the decryption key stored in the source code. And the only way to protect the decryption key in that case is to obfuscate it. Right back to step one.


Not true; the encryption key can be on a server, not locally. Online DRM. Although, this means the program has to make a call for it and still runs the risk of being caught by packets.

Although, we see a very similar approach in computer games like Diablo III, that has still never been pirated to this day.



posted on Feb, 5 2014 @ 09:14 AM
Obfuscation has always been considered a poor form of security. It's going to have to be something much more special.



posted on Feb, 5 2014 @ 09:16 AM

charlyv
It might take a collaboration of both software and hardware to pull this off. There could be an on-chip mechanism that works in conjunction with the cyphered machine code that would make it extremely difficult, if not impossible, to hack the program. These things are definitely overdue, as we have certainly seen just the beginning of the damage caused by cyber espionage.


Naw, what you're talking about is a "crude" dongle. There will always be dongle emulators afoot.



posted on Feb, 5 2014 @ 11:58 AM
Nothing will ever be "unhackable." There's a way into everything.
If you want something to be truly "unhackable", keep it in your head ^up there and off of computers and documents.

Until we develop technology to hack into thoughts and memories. Um, then we'll have to regroup and come up with a new plan.
edit on 2/5/2014 by unb3k44n7 because: (no reason given)



posted on Feb, 6 2014 @ 05:47 AM

Laykilla
Although, we see a very similar approach in computer games like Diablo III, that has still never been pirated to this day.


Diablo III hasn't been pirated not because it is "unhackable", but for the simple fact that you have to connect to the Blizzard servers in order to play. If you have no internet connection, you cannot play the game even if you bought it legit.

You can even download Diablo III for free from the Blizzard website, but in order to play you need a license key and that license key is not checked by the Diablo III software, but rather by the Blizzard servers. So in order to run a "pirated" copy of the game, you would have to hack the servers to accept any license key or something similar. In a way, that made the game pretty hack-proof, however not after compromising customer satisfaction and ease of play.

To add to this, there are hacked copies of Diablo III out there that will connect to custom (non-Blizzard) servers and let you play unlicensed games.
edit on 6/2/2014 by RationalDespair because: (no reason given)
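
The server-side license check discussed in the posts above (the key held on a server rather than in the program), as an added example that is not part of the thread and not any vendor's code. The names `LicenseServer`, `Client`, `issue_license` and the key format are hypothetical, and the secret is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: in this design it exists only on the server.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"


def issue_license(account: str, secret: bytes = SERVER_SECRET) -> str:
    """Server side: bind a license key to an account with an HMAC tag."""
    tag = hmac.new(secret, account.encode(), hashlib.sha256).hexdigest()[:20]
    return f"{account}-{tag}"


class LicenseServer:
    """Hypothetical server: validates keys and hands out per-session tokens."""

    def __init__(self, secret: bytes = SERVER_SECRET):
        self._secret = secret
        self._sessions = {}  # session token -> account

    def login(self, license_key: str):
        account, _, _tag = license_key.rpartition("-")
        expected = issue_license(account, self._secret)
        # Constant-time comparison avoids leaking how many characters matched.
        if not account or not hmac.compare_digest(expected.encode(), license_key.encode()):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = account
        return token

    def serve_game_state(self, token: str):
        """Content is produced only for a session the server itself created."""
        account = self._sessions.get(token)
        return None if account is None else f"world-state-for-{account}"


class Client:
    """The client ships no secret and makes no licensing decision of its own."""

    def __init__(self, server: LicenseServer, license_key: str):
        self.server, self.license_key = server, license_key

    def play(self):
        token = self.server.login(self.license_key)
        if token is None:
            return "login refused"
        return self.server.serve_game_state(token)
```

The check covers only what the server computes and hands out; a client talking to a different server, as the last paragraph of the post mentions, is outside it.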



posted on Feb, 8 2014 @ 08:06 PM
reply to post by AliceBleachWhite
 


I'm a computer geek, and I may be wrong, but I don't buy it. My sense is that there is basically an algebra of computable expressions, which links all computations that create the same result, and that this algebra is always invertible. Which is to say if some obfuscated expression results in a certain computation being done, it can be shown that there is a way to trace it back to a much simpler, non-obfuscated expression that does the same thing, in reasonable computational time. I haven't read the literature on this, so I'm a bit out on a limb, but I feel confident of this fact: At the end of the day, a computer program is a set of instructions, in a language, telling a computer what to do. Without a separate encryption layer (which a hacker in a post above addresses) these instructions can always be interpreted by a human, just as a computer, or they won't work on the computer.



posted on Feb, 9 2014 @ 10:14 PM
reply to post by AliceBleachWhite
 


More details on this from phys.org:

phys.org...

It looks real, but it's hiding the real code in a lot of noise, so right now there is a lot of overhead in running it. I look forward to someone publishing more on how it works.



