Protecting a system deployed in a "hostile" environment

Like everyone else, there is no magic bullet. The user can turn off the machine, get HD as a slave on another machine, back up everything, cancel the engine of your code, and then successfully crack it. After the user has physical access to the executable file, he is potentially compromised, and there is nothing to do to stop him in 100% of cases.

The best you can do is make the job of a potential cracker as hellish, but no matter what you do, it will not be indestructible.

Using self-destruction in case of something wrong can be handled by an attacker who has backed up everything.

Using the key in the USB driver helps make the life of the cracker more complicated, but can ultimately be defeated by a competent decisive cracker: code that unencrypted things cannot be in an encrypted state (including the part that receives the key), so this is a big weakness. Hacking this part of the code to save the key in another place hits the key.

If the software authenticates on a remote server, this can be done by attacking the client and bypassing authentication. If he receives the key from the server, you can sniff the network to intercept the server data containing the key. If the server data is encrypted, the cracker can decrypt it by analyzing software that unencrypts it and catches unencrypted data.

In particular, all that would be much easier for an attacker if he uses an emulator to run your software that can save snapshots of memory (including an unencrypted version of the algorithm). Even easier, if it can manipulate and eject memory right away while starting your software.

If you do not expect your unreliable client to be very decisive, you can simply complicate the situation and hope that they never get enough energy and skill to break them.

The best solution, in my opinion, is to get all the software on your trusted server and get their server to just ask your server to do the job and save your algorithms on your server. This is much safer and simpler than anything else, since it eliminates the main problem: the user no longer has physical access to the algorithm. You should really think about how to do this, eliminating your needs in order to save the code in the client. However, even this is not indestructible, the hacker can determine what the algorithm does by analyzing what is the output to the input function. In most scenarios (it doesn't seem like this is your case), the algorithm is not the most important in the system, but data instead.

So, if you really cannot avoid running the algorithm on the untrustworthy side, you cannot do much more than what you have already said to do: encrypt everything (mainly on the hardware level), authenticate and verify everything, destroy important data before than someone would think about backing it up if you suspect something is wrong and have someone crack it.

BUT IF YOU REALLY WANT SOME IDEAS AND REALLY WANT THIS, WE ARE HERE:

I could suggest you make your program a mutant. IE: When you decrypt your code, encrypt it with a different key and discard the old key. Get a new key from the server and make sure that the key itself is encoded in such a way that it would be very difficult to make fun of the server with something that gives compromised new keys. Make sure the key is unique and never reused. Again, this is not indestructible (and the first thing the cracker would do was attack this very feature).

One more thing: Put a lot of non-obvious red herrings that do insensitive weird sequence checks that contain a lot of non-functional dummy version of your algorithm and add a lot of complex overflow that does nothing effectively and claims that it works as expected from real code. Make real code do some things that look weird and no-sense too. This makes debugging and reverse work even more difficult, since hacking will require a lot of effort, trying to separate what is useful from what is undesirable.

EDIT: And obviously, make the junk e-mail part of the code better than the right one, so the cracker will look there first, effectively wasting time and patience. It goes without saying that everyone is confused, so even if the cracker gets a simple unencrypted start code, he still looks confusing and very strange.

I know that others are likely to dig holes in this solution - and feel free to do it as I do such things for life and will welcome the challenge! - but why not do it:

• Since you are explicitly using windows, enable disk lock protection on your hard drive with maximum security settings. This will help soften people cloning the disk, as my understanding. If I am wrong, say so! - its contents will be encrypted based on these system hardware settings.

• Enable TPM on the hardware and configure it correctly for your software. This will help stop hardware sniffing.

• Disable all accounts that are not used by you, and lock system accounts and groups to use only what you need. Bonus points for setting up Active Directory and a secure VPN so that you can access your network remotely through the back door to check the system without an official visit on site.

• To raise the technical bar necessary for this, write the software in C ++ or in some other language other than the way it is written, since the MSIL bytecode is easily decompiled into the source code using publicly available free tools, and this It requires more technical skills to decompile something in the assembly, even if it is still very suitable for the right tools. Be sure to include all the cpu instructions for the hardware that you will use to further complicate the situation.

• You have software to check the hardware profile (Unique Hardware ID) of the deployed system so often. If this does not work (as in hardware), it itself will collapse.

• After checking the hardware, download your software from an encrypted binary image loaded into an encrypted RAM disk, which is then decrypted in (unsecured!) Memory. Do not bind it or use a permanent memory address, as this is a bad idea.

• Be very careful that after decryption is complete, the keys are deleted from RAM, as some compilers foolishly optimize unprotected calls to bzero / memset0 and leave your key in memory.

• Remember that security keys can be detected in memory by randomness with respect to other memory blocks. To facilitate this, make sure that you use several dummy keys, which, if used, run an intrusion and explosion detection script. Since you do not have to commit the memory used by the keys, this will allow people to run the same dummy keys several times. Bonus points, if you can arbitrarily generate all the dummy keys, and the real key is different every time because of number 12 below, so that they can’t just look for a key that does not change .. because they all do.

• Use polymorphic assembler code. Remember that an assembly is just numbers that can be made independently, based on the instructions and the state of the stack / what was called earlier. For example, in a simple system i386 0x0F97 (Set byte if above) can easily be the opposite (Set byte if below) command, simply subtract 5. Use your keys to initialize the stack and use the CPU L1 / L2 cache if you really want to go to the kernel.

• Make sure your system understands the current date / time and confirms that the current date / time is within acceptable limits. Starting from the day prior to deployment and providing it with a 4-year limit, it will be compatible with a critical hardware failure error for hard drives under warranty / support so that you can take advantage of this protection and allow you to have a good time between hardware upgrades. If you refuse this test, do it to kill yourself.

• You can help reduce the number of users typing hours by making sure your pid file is updated with the current time so often; Comparing the last modified time (both encrypted data and its file attributes in the file system) with the current time will be an early warning system if people are screwed with a clock. According to the discovered problem it will explode.

• All data files must be encrypted with a key that is updated in your team. Install your system to update at least once a week and with every reboot. Add this to the software update feature from your server that you must have.

• All cryptography should follow FIPS guidelines. Therefore, use strong cryptography, use HMACS, etc. You should try to use the FIPS-140-2-level-4 specifications, taking into account your current situation, but, for obvious reasons, some of the requirements may be impossible from an economic point of view and realistic, FIPS-140 -2-level-2 may be your limit.

• In all cases of suicide, call home first to let you know immediately what happened.

And finally, some non-software solutions:

• If he cannot call home .. as the last effort of the rope, the user hardware device is connected to the internal serial / USB port, which is configured to turn on the relay, which then issues the Thermite unit if it detects any case, hardware or software. Place it on top of the hard drives and place them on top of the motherboard. However, you will need to check with your legal department for permissions, etc., if this is not a U.S.-approved military situation, as I assume you are in the U.S.

• To ensure that the equipment is not tampered with, see the FIPS physical security requirements for more information on making sure the system is physically secure. Bonus points if you can see the bolts / welding of the modern racks that you use in the old AS400 case as a disguise to help mitigate the movement / fabrication of the equipment. Younger guys will not know what to do and worry about breaking “suck old things”, older guys will ask the question “wtf?”, And most of them will leave behind blood that can be used later as evidence of falsification if they interfere with the often gabled corps, at least based on my own experience.

• In case of notification of an intrusion, remove it from orbit .. its the only way to make sure .;) Just make sure that you have all the legal forms and access requirements filled out, so that the legal one is satisfied with the reduction of risk or liability ... Or you can Automatically set up your notification system for email / text / phone users as soon as you receive a notification that it has exploded.

"The only way to have a completely secure system is to smash it with a hammer."

However, you can cheat on potential hackers to make them more difficult than worth it. If a machine is a black box, where they cannot really access it directly, but instead have programs that can handle it, then physical access is the greatest threat to it. You can lock the cases and even install a small, intermittent element in the case, which will be cut off if this case is opened ... make sure your employees always replace this element ... he will let you know if someone opened it without permission (yes, this is an old teenage trick, but it works). As for the window itself, physically disconnect any parts of the equipment (for example, USB ports) that you do not need.

If you are dealing with a machine that is not a black box, encrypt the hell out of everything ... 256-bit encryption is almost impossible to crack without a key ... then the trick will get the key.

In theory, you can potentially change the key (by re-encrypting the data) and only be a restored process that communicates directly with your (secure) servers.

In addition, keep track of everything that happens with the box, especially everything that happens in software that is outside normal use. Most of this cannot protect you from someone who is really, really tuned ... but it can warn you that your system has been compromised. (where you can sue those who broke in)

As for the kill switch ... well, the hibernation viruses are there, but, as already mentioned, they can be tricked or set off by chance. I would suggest that instead of cleaning itself clean if you suspect a violation, the system encrypts everything that it can, using a randomly generated key, sends the key to your servers (so that you can cancel the damage), and then “chop” the file that was used to store the key. (Many file shredders there can destroy data well enough to restore (almost) impossible.)