More thoughts on drawing the line

Following on from Eugene’s post, I’d like to chip in with my thoughts on what’s happening at Defcon this year. I spoke at Defcon last year, and I’d say that the event is something unique – an opportunity for smart people with unconventional minds to meet and share their knowledge. Defcon not only gives you access to new ideas, but you also get to encounter the spirit of modern cyberculture.

It seems to me that the emergence of contests like Race to Zero was always simply a matter of time. And now that such a contest has appeared we’ll see similar ones in the future, whether we like it or not. Of course breaking the law is wrong – I think the exact form of the contest will be modified before Defcon starts in order to meet legal restrictions.

However, I think the Race to Zero contest organizers could change the rules of the game in other ways, to make it beneficial to all participants. Let me explain…

Let’s take a look at what the participants are going to manipulate: they will have the code of existing applications and probably some prepared sets of nop code. Nop code (“no operation” code) is special software code that neither affects the state of the machine nor alters the system. There are many approaches to obfuscation techniques but almost all of them have the same basic principle: the affected code is restructured and mixed with nop code. Depending on the algorithm used to mix the two sets of code, either it will be more difficult to read/re-engineer the code or the code will be able to evade detection by signature-based AV software engines.Of course, obfuscated code can cause headaches for AV companies. Because obfuscated code is slightly harder to analyse manually, it takes more resources to maintain a collection of obfuscated samples which do not differ from each other in terms of behaviour. If an obfuscated sample is analysed using automated tools, the analysis will take longer than that of a non-obfuscated sample. Given this, AV companies work pretty hard on deobfuscation tools.

There are two issues here: obfuscation and deobfuscation, which differ a bit in terms of complexity. Imagine you have a bucket of sugar and a bucket of sand. You can mix the contents of the two buckets together in different ways – and these different ways of mixing are like different obfuscation algorithms. The reverse is deobfuscation – separating the mixture of sugar and sand into its two component parts. Just take a minute to think about those two buckets – it’s so quick and easy to mix the contents, but separating them is a long, tiring process!

In some sense, dealing with obfuscation algorithms and solving problems like making an application undetectable by AV software is easy – it’s a white box issue. You have the source data as well as the AV software, and the chance to analyse the disassembled code, so you can develop and debug your own application to alter the data. You can see each part of the process and the mechanism you create.

Deobfuscation, though, is completely different. You have a few pieces of code that have been transformed by obfuscation – and you don’t have the application used to obfuscate the code. So deobfuscation doesn’t even fit the black box model, where you usually have the opportunity to utilize a mechanism as many times as you like, although you can’t see inside it in order to understand how it works. When you deal with deobfuscation you have only data that results from this mechanism; the data has to be studied in order to determine unique/ common features, and then you have to draw your own conclusion on how the hypothetical black box actually works.

In my opinion, deobfuscation requires greater imagination and skills than obfuscation. I think if the organizers of Race to Zero keep the principles of ethical hacking firmly in mind, and extend the rules of the contest to include deobfuscation it could be good fun, and a good experience for everyone involved.

Just to be very clear: examining the issues of obfuscation/ deobfuscation doesn’t mean you have to create new malware or modify existing malware. It’s simply not necessary. The contest isn’t just a technical challenge, but a moral one as well. Let’s hope that everyone makes the decision to be on the right side of the line so we can all reap the benefits.