I will be speaking at Syscan this March; my talk is titled: "HARES: Hardened Anti-Reverse Engineering System ".
The talk will describe a prototype anti-reverse engineering technique providing a method to seamlessly execute AES-encrypted applications with neither the key nor any decrypted instructions residing in accessible memory (even to a compromised kernel) on an unmodified x86 computer. My work shows that with the combination of a thin-hypervisor implementing Intel's AES-NI instructions in a TRESOR-like configuration and TLB-splitting on Nehalem and newer CPUs can be used to transparently (without hardware modification) decrypt and execute a fully-encrypted (AES-128) application without leaking sensitive instruction information to readable memory (keys will never be in memory, thus additionally protected against cold-RAM attacks). Doing so will prevent any of the application's code from being accessible by software memory acquisition tools, cold-boot RAM attacks or debuggers (in-circuit emulators (ICE) and memory-bus snoopers excepted). The decrypted instructions are stored in "execute-only" memory, ensuring that any attempts to access them, even by a compromised kernel is prevented by hardware. An advantage of the HARES system is that due to the use of TLB-splitting, existing applications can be seamlessly encrypted without access to source code or requiring a re-compile. Our tests with a prototype system built in-house demonstrate successful execution of Windows 7 32-bit PE files (.exe) with an approximate performance hit of ~2% on our synthetic test-suite applications.
As always, if you will be attending, or in the neighborhood while I am there, feel free to reach out via my Twitter and hopefully we can meet up!
Cyber-security Philosopher and Boffin