Covert Loading and Execution of Software Protections to Reduce Adversarial Detection

A number of software defenses exist that frustrate attempts to examine or tamper with a protected application. However, attackers are unlikely to approach the defenses head-on. One weak point is the installation and deployment of the defenses themselves. The protected application and the attacker play a kind of "who came first" game: if the attacker arrives first, they can observe the defenses as they are set up, gaining great insight into how the protections can be subverted. This opening must be prevented.

We envision a technique that enhances existing defenses by protecting the loading phase of the sensitive application. Under this system, attackers are denied access to system initialization and sensitive software is made inseparable from the OS, thereby preventing attack before protection can be raised against it.

Keywords: software protection, hypervisor, software blending, machine-code rewriting

