Encrypted - but fully executable - program code now possible

"When you look at [the code], you would have no idea what it's doing" - UCLA lead researcher Professor Amit Sahai

A team of researchers at the University of California, Los Angeles (UCLA) has developed an encoding technology that effectively hides executable program code in plain sight, without requiring the code to be decrypted before it is run.

Preliminary details of the peer-reviewed technique, developed by UCLA Computer Science Professor Amit Sahai and his team of researchers, were announced at a conference late last year, but now Sahai has published a paper detailing the methodology used.

The idea behind the obfuscation technology is that the encrypted software can be executed, but not reverse-engineered.

For the research, Sahai, who specialises in cryptography at UCLA's Henry Samueli School of Engineering and Applied Science, collaborated with IBM Research's Sanjam Garg, Craig Gentry, Shai Halevi and Mariana Raykova as well as Brent Waters, an assistant professor of computer science at the University of Texas at Austin.  

According to Sahai, previous code obfuscation techniques forced an attacker to spend several days trying to reverse-engineer the software. He claims that the new system makes it impossible to reverse-engineer the software without solving complex mathematical problems that would take hundreds of years to work through, even on modern PCs.

"You write your software in a nice, reasonable, human-understandable way and then feed that software to our system," he says. "It will output this mathematically transformed piece of software that would be equivalent in functionality, but when you look at it, you would have no idea what it's doing."

The key to the encoding is functional encryption. Sahai says that, instead of sending an encrypted message, an encrypted function is sent in its place, creating a much more secure way to protect the underlying data.

Sahai claims that a single message could be sent to a group of people so that each receiver would obtain different information, depending on characteristics of that particular receiver.

Visiting Professor John Walker, of Nottingham Trent University and CTO of Xssurance, is enthusiastic about the program encoding technology, noting that the system could be an excellent way of delivering security in a cloud computing environment.

This could, he told SCMagazineUK.com, be the first successful security methodology to take an approach of segregating - and compartmentalising - partial data objects, and only granting access to the complete picture to the authorised person or process.

"I believe we are seeing [here] the future of what cyber security looks like - and a methodology which will drive security to a much safer place," he said.

Clearswift senior VP of products Guy Bunker, however, warned that even if the encoding system proves useful for preventing reverse engineering of program code in the near future, it could also make malware disassembly just as difficult once cybercriminals get their hands on the technology.

Bunker, a security industry veteran and co-author of the 2009 book 'Data Leaks For Dummies', also warned that the encoding mechanism would eventually be beaten, especially if it is widely adopted.

He says that it is interesting to draw parallels with polymorphic viruses and malware, which change their code on a rotating basis.

"Having said that, code obfuscation is an interesting approach to keeping the way a program executes hidden," he said, adding that the more widely such a system is used, the faster it is likely to be cracked.

You have to remember, he explained, that there is no silver bullet in security matters, even in encryption.

Professor Peter Sommer, a Visiting Professor at De Montfort University, said he remains to be convinced that the encoding process will be truly useful to security practitioners.

"What is the real-world problem this solution is meant to address? There is currently no problem in rendering files as impenetrable - but it does require significant management discipline among those using - and sharing - the file, as well as the careful deployment of one of the obvious existing tough encryption systems such as AES, Twofish or Cascades," he said.

"And you must never forget that the management interface must be usable by those with the real secrets to hide, not just computer geeks," he added.
