Analyse attack result
Analyse the knowledge obtained from perform an attack step or combination of attack steps
Anti-callback stack checks
Checks performed on entry to internal functions to verify that they are not called from externally
Anti-debugging
Form of software protection that makes it harder for an attacker to attack a debugger to an executing software to attack it
Assess effort
Reason about effort needed to perform an attack step
Asset
Software artefact valuable to attackers, typically the artefacts of the original software on which security requirements are formulated, plus potentially the protections deployed on them in so far as those protections become under attack as well
Background knowledge
Relevant knowledge attackers have before starting attack activities on a specific piece of software
Basic block
Sequence of instructions that can only be executed as a whole and in that order
Black-box analysis
Analysis techniques that only consider the input-output behavior of the program or a component thereof
Brute force attack
Try all inputs on a code fragment to obtain the desired input or output or behavior
Build the attack strategy
The making of a decision regarding the next attack steps to be executed
Build workaround
Defeating a protection by developing custom code integrated in, or replacing parts of, the software under attack (including the protection in it under attack) to make a protection ineffective (possibly leaving the original software functionality intact) such that an attack step can be executed.
Bypass protection
Using debugger commands (or scripts) or other lightweight techniques to manipulate the execution of the software without altering its code, thus making the protection ineffective, e.g., by allowing the software execution to progress nominally beyond the point where the protection was supposed to intervene.
Bytecode
Non-native instruction set architecture format
Checksum
Hash computed over some data, in this context typically a code region being checked by a code guard
Choose path of least resistance
Reason about and select the potentially successful sequence of attack steps that will lead to reaching the overall attack goal with the least effort or cost
Choose/evaluate alternative tool
Check whether alternative tool overcomes a limitation of a previously tried tool
Circumvent protection
When a protection prevents reaching a goal with one or more specific attack steps, execute one or more alternative steps that are orthogonal to the deployed protection (i.e., not hampered by the protection) to reach the same goal
Clear data in memory
Asset other than key appearing in unprotected (plaintext) form in binary or during execution
Clear key
Cryptographic key appearing in unprotected form in binary or during execution
Client-server code splitting
Protection whereby part of the sensitive computations is extracted from a client program and executed on a secure server instead, where it is not accessible to attackers
Clues available in plain text
Presence of strings in binary that present clues about protections, assets, components, ...
Code guard
Specific form of tamper detection that computes a checksum on code regions and checks their values by comparing them to pre-computed ones
Code mobility
Online protection in which static code (and data) fragments are removed from an executable file (to prevent static attacks) and instead get downloaded from a secure server on demand during the execution of the software
Code representation and structure
Static or dynamic representations of software (fragments) and structural forms or elements in it
Condition
(combination of) values that inputs, variables, registers, memory locations, ... need to have in order to let control be transferred into a certain direction during execution of the software
Confirm hypothesis
Confirm that a previously hypothesized feature is correct based on the observation of an attack step’s results
Constant
Static data with relevant or recognizable, non-mutable values
Control flow graph
Static representation of potential control flow in a program
Control flow graph reconstruction
Determining and modelling the potential flow of control in a program or part thereof
Convert code to standard format
The act of converting (byte)code in a custom (diversified) format to a format known by the attacker
Core dump
Snapshot image of the software’s memory space during its execution, containing code and data segments such as stack, heap, and code sections from binaries
Correlation analysis
Statistical analysis where correlations between operations or data occurrences are determined or analysed
Correlation between observed values
The presence of statistical correlation in a set of data values observed in a program, memory, or a trace
Create new tool for attack
Create new standalone piece of software to aid in attack (e.g., a main binary that invokes functionality in library under attack in a specific order and that feeds it specific data)
Crypto analysis
Use of cryptanalysis techniques
Customize execution environment
Adapt software or hardware in execution environment in ways supported by their developers such that it supports specific attack tasks
Customize/extend tool
Adapt tool in ways supported by tool developers and tool itself (e.g., availability source code) or exploit its built-in extensibility to let it perform specific tasks
Data and program state
Static or dynamic non-code aspects of a binary or running process
Data flow analysis
Analysis techniques that determine how computations and computed data depend on other computations and (computed or input) data
Deobfuscate the code
Use manual or automated tools to revert an obfuscation, i.e., to reduce its apparent complexity to that of the original , non-obfuscated code
Debug/superfluous features not removed
Functionality present for software development purposes (e.g., debugging aids) that was not removed before distributing the binaries and that can be leveraged by attackers
Debugger
Tool used to test and debug software by offering support to inspect and manipulate the status of running software
Debugging
Using debugger functionality to observe, control, and manipulate a program’s execution
Decompile the code
Obtain source code equivalent of machine code
Decompiled code
Representation of binary software code at the abstraction level of source code
Decompiler
Software that translates assembly language into equivalent source code
Decrypt code before executing it
(large) code fragments only available in encrypted form become available in decrypted form at run time
Defeat protection
Successfully undo or overcome or bypass a protection, or build a workaround for it, such that an attack step that the protection was supposed to mitigate can be executed successfully.
Dependency analysis
Analysis techniques that determine which computations and computed data depend on which other computations and (computed or input) data
Difference between observed values
The fact that two values in a trace, binary, or memory have different values
Differential data analysis
Statistical analysis where not the original observed operations or data are considered but differences between multiple occurrences
Difficulty
Problem encountered during an attack task that is caused by a feature, artefact or limitation of the attacker’s toolbox, i.e., of the specific software or hardware attack aids being used or considered during a concrete attack (that are not normally used during benign use of the software under attack).
Diffing
Identifying the differences between two programs or parts thereof
Disable anti-debugging
Tampering with code to skip execution of anti debugging protection actions
Disassemble the code
Use a tool to convert binary encoding of software into human readable machine code
Disassembled code
Representation of binary software code at the abstraction level of assembly code
Disassembler
Software that translates machine language into assembly language (and determines the structure thereof, e.g., in the form of control flow graphs)
Diversified cryptographic libraries
Libraries with non-standard implementations of standard cryptographic primitives
Dynamic analysis
Analysis techniques based on observations made during program execution
Emulator
Hardware or software that enables one computer system to behave like another system
Evaluate and select alternative step/ revise attack strategy
Reason about effort, success probability, usefulness, ... of possible next attack steps, building on results of previous attack steps, and select next steps / revise decisions and selections made earlier regarding next attack steps to execute
Execution environment
Operating system, platform, network settings, etc. in which the code has to be executed
File
A resource for storing information, typically on a storage device
File name
Symbolic identifier of a file
File format analysis
Black-box analyses that consider the formats of input and output files
Function / routine
Software components making up programs in most programming languages
Function argument
Data (and value thereof) on which a function is invoked
Function call
The operation of invoking a callee function within a caller function
Global function pointer table
Standard data structures in binaries that contain addresses of functions
Identify API calls
Act of identifying locations in the code or trace, and their nature, where interaction with public interfaces of external components take place
Identify assets by naming scheme
Use naming conventions or structure in available symbol information
Identify assets by static meta info
Use standard information available in binaries (e.g., exported symbols) to identify components that embed assets
Identify output generation
Identification of code around points where output is generated as starting points of attacks
Identify points of attack
Identify regions in the program or trace where assets or protections are available/observable/active/... and hence attackable
Initialization function
Function invoked by loader upon loading of a program or library
In-memory data structure
Data structure found in the memory space of executing software
Knowledge on execution environment framework
Relevant knowledge attackers have about the execution environment or framework in which they will execute attack steps or in which the software normally executes
Lack of knowledge
Inexperience of attacker, not knowing relevant aspects
Lack of portability
Fact that a tool or technique available in one context (e.g., platform) is not available in the context in which the attacker wants to deploy the tool or technique
Library / module
Partition of an application as defined in software engineering
Limit scope of attack
Identify regions in the software or in an execution trace where next attacks steps should focus on, thus reducing the size of the code or data or trace where the attacker needs to perform next attack steps, thus reducing the effort to invest in them
Limit scope of attack by static meta info
Use standard information available in binaries (e.g., exported symbols) to identify regions in software or traces where next attack steps should focus on
Limitations from operating system
Properties of specific operating system on which the code has to be executed, that limit the attacker’s capabilities in some way
Main()
Top-level function in an application
Make hypothesis
Based on the results of previous attack steps and background knowledge make a hypothesis about the features of an asset, protection, piece of software under attack, or attack tool capability that, if true, will enable certain attack steps to be performed successfully
Make hypothesis on protection
Make a hypothesis regarding the potential deployment or nature or features of a certain protection
Make hypothesis on reasons for attack failure
Make a hypothesis based on the observation that an previous attack step yielded insufficient results
Manually assist the disassembler
Interact with a disassembler tool to correct and complement its automated disassembler analyses
Memory access
The operation of reading or writing to main memory
Memory dump
Making a snapshot of (parts of) the code and data in the address space of a running program and dumping that image on disk for later analysis
Meta info
Standard information available in binaries, in the form of data that is not used by the software itself, but by the OS to load and launch the software correctly
Monitor public interfaces
Observing and analysing interaction (invocations, data passing, communications) between components along publicly available interfaces (such as exported functions in libraries or system calls)
Non-standard virtual machines
Customized virtual machines embedded in a protected program that interprets bytecode (in a custom, non-standard bytecode format) that replaces the original native code, thus hiding the semantics of the original code
Obfuscation
Form of software protection that increases apparent complexity of code or data
Obstacle
Feature or artefact that hinders attack steps and that is deliberatively put in place (or, if already present a priori, considered relevant for providing protection) by the defender in protected software, including in components of the software itself or of its execution environment
Obtain clear code after code decryption at run time
Identify and extract decrypted code in memory space of a running application under attack
Operation
Software functionality at the lowest level of granularity / abstraction
Out of context execution
Execute code fragments not as they are normally executed within the full program’s execution, but in other crafted contexts (such as self-written main binary)
Overcome protection
Leaving a protection present and (partially) active, but manipulating the code and execution of the software or fragments therein such that the goal of an attack step is reached despite the protection still being present and (partially) active. This typically requires the custom, targeted development of external scripts and software components. The resulting code or execution are not necessarily representative for the original software as a whole, but they suffice for the attacker to reach his goal.
Pattern matching
Identifying code or data fragments of interest by comparing candidates to known patterns
Prepare the environment
Set-up and configuration of environment to execute and/or attack the program
Process / parent-child relation
Process are instances of software executing on a computer; parent processes launch child processes
Program input and output
External data consumed and produced by a program
Profiler
Tool used to collect statistics about execution of software elements
Profiling
Collecting statistics on a program’s execution and its components (functions, instructions, libraries, ...)
Protection
Software protection technique applied on software under attack
Recognizable library
Part of software under attack that corresponds to a known library and is identified as such by the attacker
Recognize anomalous / unexpected behavior
Observe program features that contradict hypothesis about normal behavior given background knowledge of the attacker
Recognize similarity with already analysed protected application
Recognize that parts of a new piece of software under attack, although it maybe has been protected differently, is identical to parts of another software already attacked before, such that the knowledge of the already attacked version can be reused, thus reducing the amount of reverse-engineering effort needed
Recreate protection in the small
Create small program containing protection mock-up to aid in the development of attacks on that protection
Reference to API function / imported and exported function
Symbolic description of externally visible (standard library) functions provided by or needed by libraries and modules
Register
A component inside a central processing unit for storing information, that can be addressed directly in assembly code
Remote attestation
Online protection technique in which a secure server demands a running client to provide attestations to verify the integrity of the client
Replace API functions with reimplementation
Use of hooking, interposers, detours and other techniques to intervene in execution when external functions are invoked
Reuse attack strategy that worked in the past
Use background knowledge on paths of least resistance and successful attack paths based on attacks on similar pieces of software or on pieces of software protected with identical or similar (assumed or identified as such) protections
Round / repetition / loop
Specific instance of a program fragment execution in a trace containing multiple subsequent executions of the fragment; strongly connected component in a control flow graph
Run analysis
Invoke an automated analysis in a tool
Run software in emulator
Use emulation to execute software and to execute dynamic attacks
Size
Amount of code or data considered by an attacker
Socket
Data structure and its interface serving as an internal endpoint for sending and receiving data over a network
Software element
Aspects of a program of interest to an attacker
Static analysis
Analysis techniques that do not require code to be executed
Statistical analysis
Use of statistical techniques to identify and/or recover operations or data or features of interest
stderr
Output connection through which many programs output error messages
String
Sequence of alphanumeric text or other symbols in memory or an executable file
String / name analysis
Extracting information from names of files, exported functions, strings referenced in code fragments, etc.
Switch statement
Control flow structure resembling a switch () { case ...: case ...: }
structure in C code
Symbolic execution / SMT solving
Determining (semantic) properties of code fragments using symbolic execution and SMT solving techniques
System call
The operation invoking system routines from the operating system
Tamper detection
Forms of software protection that try to detect that normal execution or code has been modified
Tamper with code statically
Edit code in the binary, e.g., to implement a workaround
Tamper with data
Alter data during the execution of a program
Tamper with execution
Alter ongoing execution by altering code or data
Tamper with execution environment
Adapt software or hardware in execution environment in ways not intended by their developers such that it supports specific attack tasks
Tool
Any software or hardware aid that automates activities needed in attack steps or that performs a task (semi)automatically
Tool limitations
Practical limitations (supported file sizes, memory consumption, lack of precision, ...) of a tool that make it unfit for the specific way an attacker wants to use it
Trace
Sequence of executed code fragments with or without additional properties of their execution
Tracer
Tool used to collect sequences of executed software elements and attributes of their execution
Tracing
Collecting a sequence of activities occurring during the execution of a program (instructions being executed, system calls, library calls, etc.)
Understand code logic
Act of reasoning about a code fragment
Understand persistent storage / file / socket
Act of reasoning about overall program behavior regarding storage - files - sockets
Undo the protection
Reversing the effect of a protection by undoing its deployment, i.e., reverting to the software without the protection (e.g., deobfuscating code or removing code guards).
Weak crypto
Use of cryptographic techniques that are even weak against black-box attacks
White box cryptography
Form of cryptography where keys do not occur in plain sight during execution
Workaround of a difficulty
Adaptation of tool or new tool that overcomes the limitation of existing attack tool; of a protection: see build workaround
Write tool supported script
Customize a tool using its built-in scripting features
XOR operation
The operation of performing an XOR on two or more data values; these occur very frequently in and around cryptographic primitives