This document discusses three emulation-based software protection techniques: emulation sandboxing, emulation-based encrypted code execution, and emulation-based page granularity code signing. Emulation sandboxing protects against kernel malware by executing guest OS instructions in a separate host OS memory space. Encrypted code execution protects against reverse code engineering by decrypting and executing encrypted guest code in host memory. Page granularity code signing protects against software exploits by only executing guest code with valid authentication codes computed in host memory.

1. Subject: Emulation-based Software Protection
Presented by: Abdullah Roomi
Presented to : Dr.Belal Amro
Hebron University
College: Information Technology
Department: Network Security and Protection

2. EMULATION-BASED SOFTWARE
PROTECTION
• Overview
• Emulation Sandboxing
• Problem Definition
• How protection mechanism work
• Advantage and Disadvantage.
• Emulation-based Encrypted Code Execution
• Problem Definition
• How protection mechanism work
• Advantage and Disadvantage.
• Emulation-based Page Granularity Code Signing
• Problem Definition
• How protection mechanism work
• Advantage and Disadvantage.

3. OVERVIEW OF EMULATED –BASED
SOFTWARE PROTECTION
• Two emulation-based software protection schemes:
• Encrypted code execution .
• Page-granularity code signing .
• execute within trusted emulators while remaining out-of-band of
untrusted systems being emulated.
• The integrity and reliability of the protection mechanisms
depend upon attackers remaining sandboxed within the
emulated environments .

4. EMULATION SANDBOXING
Problem Definition :
Kernel malware is able to modify (attack) kernel
protection mechanisms.

5. EMULATION SANDBOXING
Protection Mechanism :
1. Host OS copies Guest OS instructions from Guest OS memory
into Host OS memory.
2. Guest OS instructions are translated and executed in Host OS
memory that it appears as if the original Guest OS instructions
had been executed .
3. This emulation process provides a sandbox that ensures that the
Guest OS instructions read and Write in the Guest OS Memory
, exclusively. The Host OS Memory cannot be accessed by the
Guest OS instructions thatreside in the Guest OS Memory

6. PROTECTION MECHANISM
(CONT’D)

7. EMULATION SANDBOXING
• Advantage :
• reduce software vulnerabilities to a restricted environment.
• Disadvantage:
• do not protect against reverse code engineering (RCE)
• do not protect against software vulnerabilities such as buffer
overflows, index array ,out of bound errors, race conditions,
integer overflows, and other types of memory corruption
vulnerabilities.
• do not provide adequate protection for computer devices and
software against attempts to bypass a security policy.

8. EMULATION-BASED ENCRYPTED
CODE EXECUTION
•Problem Definition :
• Reverse Code Engineering (RCE) uncovers the internal workings of a
program:
• Vulnerability
• intellectual property (IP) discovery
• To protect from RCE program code :
• anti-disassembly
• anti-debugging
• obfuscation techniques
• code may be encrypted

9. EMULATION-BASED ENCRYPTED
CODE EXECUTION
• Protection Mechanism :
• Host OS copies encrypted Guest OS instructions from Guest OS memory
into Host OS memory. The encrypted Guest OS instructions are
decrypted in Host OS memory. The decrypted instructions always remain
out-of-band of the Guest OS and are not accessible by Guest OS
instructions.
• Decrypted Guest OS instructions are translated (or interpreted) to a set
of Host OS instructions. When this set of translated Host OS instructions
execute the state of Guest OS memory and registers is modified such
that it appears as if the original Guest OS instructions had been
executed.
• The translation process ensures Guest OS instructions never read
decrypted Guest OS instructions ,emulation sandbox ensures Host OS
memory is inaccessible by Guest OS instructions

10. PROTECTION MECHANISM
(CONT’D)

11. EMULATION-BASED ENCRYPTED
CODE EXECUTION
• Advantage :
• protect against reverse code engineering (RCE)
• Disadvantage :
• do not protect against software vulnerabilities such as buffer
overflows, index array ,out of bound errors, race conditions,
integer overflows, and other types of memory corruption
vulnerabilities
• do not provide adequate protection for computer devices
and software against attempts to bypass a security policy

12. EMULATION-BASED PAGE
GRANULARITY CODE SIGNING
• Problem Definition :
• Software exploitation is a process that leverages design and
implementation errors ( buffer overflows, input-driven format strings,
integer overflows, race conditions, etc.)
• protection mechanisms :
• stack canaries
• variable reordering
• shadow arguments
• Etc.
• provide a blacklist approach to software protection

13. EMULATION-BASED PAGE
GRANULARITY CODE SIGNING
• Protection Mechanism :
• Host OS copies Guest OS instructions and Hash Message Authentication Code’s
(HMAC) (or digital signatures) of Guest OS instructions from Guest OS memory
into Host OS memory.
• HMACs of Guest OS instructions are recomputed using a secret key in Host OS
memory. The secret key remains in Host OS memory and is never accessible by
Guest OS instructions. Guest OS instructions with valid HMACs are translated (or
interpreted) to a set of Host OS instructions. This set of Host OS instructions is
executed as before.
• Guest OS instructions with invalid HMACs remain untranslated and therefore
unexecuted. Malicious code (unless signed using the secret key) will remain
unexecuted, thus protecting the system.

14. PROTECTION MECHANISM (CONT’D)

15. REFERENCES
• [1] Emulation-based Software Protection William Kimball
(wkimball@afit.edu)
• [2]
https://docs.google.com/viewer?url=patentimages.storage.googleapis.
com/pdfs/US8285987.pdf
• [3] http://www.virtualmvp.com/vmware-consumed-host-memory-vs-
active-guest-memory/
• [4] https://www.cs.bu.edu/~goldbe/teaching/HW55813/zhou.pdf
• [5] https://securebox.comodo.com/whitelist-vs-blacklist/