SecureQEMU: Emulation-Based Software Protection Providing Encrypted Code Execution and Page Granularity Code Signing

Abstract

This research presents an original emulation-based software protection scheme providing protection from reverse code engineering (RCE) and software exploitation using encrypted code execution and page-granularity code signing, respectively. Protection mechanisms execute in trusted emulators while remaining out-of-band of untrusted systems being emulated. This protection scheme is called SecureQEMU and is based on a modified version of Quick Emulator (QEMU). RCE is a process that uncovers the internal workings of a program. It is used during vulnerability and intellectual property (IP) discovery. To protect from RCE, program code may have anti-disassembly, anti-debugging, and obfuscation techniques incorporated. These techniques slow the process of RCE; however, once defeated, protected code is still comprehensible. Encryption provides static code protection, but encrypted code must be decrypted before execution. SecureQEMU's scheme overcomes this limitation by keeping code encrypted during execution. Software exploitation is a process that leverages design and implementation errors to cause unintended behavior, which may result in security policy violations. Traditional exploitation protection mechanisms provide a blacklist approach to software protection. Specially crafted exploit payloads bypass these protection mechanisms. SecureQEMU provides a whitelist approach to software protection by executing signed code exclusively. Unsigned malicious code (exploits, backdoors, rootkits, etc.) remains unexecuted, thereby protecting the system. SecureQEMU's cache mechanisms increase performance by 0.9% to 1.8% relative to QEMU. Emulation overhead for SecureQEMU varies from 1400% to 2100%. SecureQEMU's performance increase is negligible with respect to emulation overhead. Dependent on risk management strategy, SecureQEMU's protection benefits may outweigh emulation overh

Document Details

Document Type: Technical Report
Publication Date: Dec 01, 2008
Accession Number: ADA493414

Entities

People

  • William B. Kimball

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Air Force Research Laboratories
  • Central Processing Units
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Debugging
  • Denial Of Service Attack
  • Department Of Defense
  • Engineering
  • Floating Point Operations
  • Information Operations
  • Instruction Set Architecture
  • Operating Systems
  • United States Government
  • Virtual Machines

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computer Programming and Software Development.
  • Cybersecurity.
  • Parallel and Distributed Computing.