Paul Pluzhnikov 2005-06-25, 8:47 pm
Phil Endecott <phil_nn05@chezphil.org> writes:
>
> Unlink probably doesn't actually erase the disk sectors that contained
> the data, rather it just removes the directory entry
True. However, unless your (decrypted) executable is huge, it is
doubtful it will be ever flushed to disk in the first place. More
likely it will just stay in the buffer cache.
> a low-level disk analyser program could come along and "undelete" it.
The skill required to perform "undelete" on most filesystems is
significantly greater than the skill required to stop your decryptor
just before execve() and simply copy the decrypted file elsewhere
(and it doesn't matter in the least whether the decrypted exe is
in memory-resident /tmp or in a disk-resident file system).
On some systems, /proc/<pid>/mem is all the attacker needs to get
an image of your running (decrypted) executable anyway.
Either way, only a low-skilled cracker will be deterred if your
executable exists (as a whole) in memory or on disk at any
identifiable moment in time. If you want to deter a skilled adversary,
you need to use "advanced" anti-cracking techniques (which is IMHO
a waste of time), such as decrypting only parts of the executable
code that are needed at the moment, and re-encrypting them again
as soon as you are done with them.
Some of the techniques can be found in the "Crackproof Your Software"
book by Pavol Cerven.
Cheers,
--
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.