Security researcher Jacob Torrey has announced plans to unveil a system that he claims will make the reverse engineering of software (and malware) much more difficult, thanks to his new crypto-based project Hardened Anti-Reverse Engineering System (HARES). By utilizing a feature of Intel and AMD processors known as Translation Look-aside Buffer Split, HARES will segment the memory of a program into data and instructions, then will encrypt the instructions portion with a key stored in the processor. This makes the use of traditional reversing and debugging tools (OllyDbg, IDA Pro, etc.) much more difficult.
Adding a new hurdle for malware-analysts causes security concerns, as traditional anti-malware solutions depend upon reverse engineering of the malware sample in order to develop countermeasures. HARES could allow black hat-types to operate with impunity, jeopardizing personal information and banking records for millions.
Not all is lost, however. Through the use of JTAG debugging tools for the processor itself, it may be possible to still intercept the code before it executes, although it would likely be in a lower-level language than the x86 or x64 assembly that is the lingua franca of malware analysts everywhere. Another possible attack against HARES is for reversers to intercept the decryption key when it is first passed to the processor, allowing for the encoded instructions in memory to be read freely.
Torrey plans to unveil his project at SyScan in March.