Morpheus modified hardware to accelerate the procedures which randomly alter the system stack parameters that attackers learn by probing the system. They used risc-v for this prototype.
I wonder how this impacts debugging. It kind of rubs me the wrong way too. Typically, robust security is about keeping things simple so they can be audited or verified. Pretty cool results though.
There are a series of different protections they are doing. It's not clear if they intend them to be uniquely switchable or if they were just separating them to indicate which attack techniques require which protections.
For example it appears to combat ROP they are additionally encrypting the code segment of the program and decrypting on an as needed basis. I am absolutely sure this would make debugging more difficult. It wouldn't be used on a debug build though so I guess the question is how often would you find yourself debugging a production executable.
I admit I didn't read it in depth and may have missed something but I wonder if they are doing something similar for dynamic libraries or if it relies on the code being available at compile time. If not then I'm sure someone clever will still get around it with ROP.
You are conflating the act of debugging with the operation of a "debugger".
Sure you can start at 0 and step forward one instruction at a time, but how often do you do that without at least looking at the code?
Not being able to look ahead or behind but only within what is actively on the stack is certainly a limiting factor in debugging.
It is of course a problem that has been solved before. Someone would develop an unpacker/decrypter for it at some point and make this trivial, but that would still be an added level of complexity.
I agree. I'm not sure I understand your point though. This isn't contrary to anything I said. I mention unpacking which would be a pre-debugger process.
I believe you are just being pedantic about my use of the word "debugging" to include things like unpacking, static analysis, and a variety of tools and processes used.
The binaries aren't preencrypted here, the dynamic nature is the whole point. There's nothing to unpack since you just reference the binary, and no added work for the debugger.
So when you say
> For example it appears to combat ROP they are additionally encrypting the code segment of the program and decrypting on an as needed basis. I am absolutely sure this would make debugging more difficult.
Just for an example. How about debugging a non trivial issue between a program and a dynamically loaded library.
You can't just scan the IAT/PLT. You are going to have to find load points or manually step through, and maybe calculate function offsets in the library. Not impossible at all.
It is however something you could have just quickly glanced at and found otherwise.
Wonder if the commercial Morpheus will have a challenge with this naming (https://www.morpheusdata.com/, "Next-gen multi-cloud management platform for Hybrid IT and DevOps automation")
21 comments
[ 2.8 ms ] story [ 64.8 ms ] threadThere are a series of different protections they are doing. It's not clear if they intend them to be uniquely switchable or if they were just separating them to indicate which attack techniques require which protections.
For example it appears to combat ROP they are additionally encrypting the code segment of the program and decrypting on an as needed basis. I am absolutely sure this would make debugging more difficult. It wouldn't be used on a debug build though so I guess the question is how often would you find yourself debugging a production executable.
I admit I didn't read it in depth and may have missed something but I wonder if they are doing something similar for dynamic libraries or if it relies on the code being available at compile time. If not then I'm sure someone clever will still get around it with ROP.
Sure you can start at 0 and step forward one instruction at a time, but how often do you do that without at least looking at the code?
Not being able to look ahead or behind but only within what is actively on the stack is certainly a limiting factor in debugging.
It is of course a problem that has been solved before. Someone would develop an unpacker/decrypter for it at some point and make this trivial, but that would still be an added level of complexity.
I believe you are just being pedantic about my use of the word "debugging" to include things like unpacking, static analysis, and a variety of tools and processes used.
So when you say
> For example it appears to combat ROP they are additionally encrypting the code segment of the program and decrypting on an as needed basis. I am absolutely sure this would make debugging more difficult.
It's just not true.
You just debug in a system without these protections turned on then.
Like, can you give an example of a debugging task you have carried out that requires reading the code segment of the running process?
Made easier by? Most everything ever loaded in a debugger.
You can't just scan the IAT/PLT. You are going to have to find load points or manually step through, and maybe calculate function offsets in the library. Not impossible at all.
It is however something you could have just quickly glanced at and found otherwise.
The etymology fits better in The Matrix than either of these projects.
Haha.
:)
Seems promising, but not the level of enterprise architecture most at risk.