This past week I spoke at the Systems and Software Technology Conference on the topic of Understanding Web Application Security in a "Web 2.0" world, and hung around to hear a few other people speak on topics that I thought were interesting.
Of note is Paul Anderson's talk on his group's advances in the technology of binary code tracing and code obfuscation tools, which his company GrammaTech sells. The first part, on disassembly and analysis of binary code for vulnerabilities, was fascinating, but I think the second portion of his talk was what piqued my attention. Essentially, his company has a suite of tools that will "transform" your code and make it nearly impossible to disassemble (he demonstrated with screenshots using IDA Pro). His example was taking cat.exe, a tool we are all familiar with, and taking two IDA Pro screenshots of the binary executable. The first was just the .exe file on its own, showing all the innards and components of the binary. The second was of the same file after Paul's tools had "obfuscated" the code. IDA Pro had no idea what to do with this new binary... it found one function (the main one) and mislabeled where it was stored (it "found" it in .data). This leads me to an interesting concern, so I asked the question...
If you're now building a toolkit (or rather, perfecting it, since I'm fairly confident stuff like this already exists in large quantities anyway) and it gets into the hands of the people writing the malware (and it will), are we looking at another major setback for signature-based malware detection?
You can see this two ways, or so I think. You can look at it and say, "well, this technology will change how we detect viruses and such; when it gets into the 'wrong hands' it will set the good guys back pretty badly." The second way to look at this is two-pronged, though. We're already finding code that's polymorphic and self-changing to evade detection; these tools will only further the cause and give that process enterprise-level assistance. Next: signature-based malware detection is a dying and fairly outdated method anyway... right?
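To make the concern concrete, here is an added toy example of my own (not GrammaTech's tool and not anything shown in the talk): a fixed byte signature matches a constructed stand-in payload, stops matching once the bytes are run through a toy XOR "packer", matches again when the transformation is undone, and a batch of "polymorphic" copies packed with different keys share no stable byte pattern on disk. The payload, the `PK1` header, and every function name (`xor_pack`, `scan_static`, `scan_unpacked`, `scan_by_stub`) are invented for the illustration; the payload is a harmless byte string, not malware.

```python
"""Toy illustration: why a fixed byte signature fails after a binary is
transformed, and what a detector has to do instead. Added example, not
GrammaTech's code. The packer is a constructed XOR scheme (a real one
carries a decoder stub that runs at load time); the payload is invented."""
import random
from typing import List, Optional

# Constructed stand-in for a malicious binary: a marker plus a tell-tale string.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"CMD.EXE /c del *.*" + b"\x00" * 16

# A classic static signature: a byte sequence lifted from the plaintext payload.
SIGNATURE = b"CMD.EXE /c del"
MAGIC = b"PK1"  # header of the toy packer (assumed name, stands in for a stub)


def signature_match(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Signature-based detection: does the fixed byte pattern appear as stored?"""
    return sig in blob


def xor_pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: MAGIC, key length, key, then the XOR-encoded body."""
    if not key or 0 in key:
        raise ValueError("key must be non-empty and contain no zero byte")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + body


def xor_unpack(blob: bytes) -> bytes:
    """Undo xor_pack: what a decoder stub would do before jumping to the code."""
    if not blob.startswith(MAGIC):
        raise ValueError("not packed with the toy packer")
    klen = blob[len(MAGIC)]
    key = blob[len(MAGIC) + 1 : len(MAGIC) + 1 + klen]
    body = blob[len(MAGIC) + 1 + klen :]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def polymorphic_variants(payload: bytes, n: int, seed: Optional[int] = None) -> List[bytes]:
    """Emit n packed copies with different keys, so every copy differs on disk
    and no byte pattern taken from one copy matches the others."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    variants = []
    for i in range(n):
        # First key byte is the variant index, so keys (and outputs) are distinct;
        # the other bytes are random and never zero.
        key = bytes([i + 1]) + bytes(rng.randrange(1, 256) for _ in range(3))
        variants.append(xor_pack(payload, key))
    return variants


def scan_static(blob: bytes) -> bool:
    """What a purely signature-based scanner sees: the file bytes as stored."""
    return signature_match(blob)


def scan_unpacked(blob: bytes) -> bool:
    """Undo the known transformation first, then apply the signature.
    Real products approximate this with emulation or a sandbox, since
    they cannot know every packer's layout in advance."""
    try:
        return signature_match(xor_unpack(blob))
    except ValueError:
        return signature_match(blob)  # not packed: scan as-is


def scan_by_stub(blob: bytes) -> bool:
    """Defender's other move: sign the packer's stub/header instead of the
    payload. Flags every file packed with it, benign or not, and a tool
    that rewrites its stub per build defeats this as well."""
    return blob.startswith(MAGIC)


if __name__ == "__main__":
    packed = xor_pack(PAYLOAD, b"\x5a\xa5\x3c")
    print("plain  static :", scan_static(PAYLOAD))
    print("packed static :", scan_static(packed))
    print("packed unpacked:", scan_unpacked(packed))
    copies = polymorphic_variants(PAYLOAD, 5, seed=7)
    print("distinct copies:", len(set(copies)), "static hits:", sum(map(scan_static, copies)))
```

The unpack-then-scan step is the part that costs defenders: a static scanner matches bytes in microseconds, while undoing an arbitrary transformation means running or emulating the decoder. Signing the stub instead is cheap but catches everything the packer touched, including legitimately protected software, which is exactly the false-positive trade-off an obfuscation tool in wide use would force.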
So now I guess the ante has been raised in the perpetual arms race between the white hats and black hats. With more and more tools coming out to assist in DRM and IP protection (through binary code obfuscation), are we really wasting our efforts? Naturally, you can guess I have my own opinion, but I'd like you to think about it for yourself.