
Page 1: Pikewerks Overview for CDCA, April 24th, 2009

© 2009 Pikewerks Corporation

UNCLASSIFIED

Pikewerks Overview for CDCA

April 24th, 2009

Irby Thompson, Vice President, [email protected]

256-325-0010

Page 2

The Company

• Mission: Encourage a creative research and development environment that fosters the production of innovative software security technologies

• Technology Focus: Become a demonstrated leader in the security industry by providing state-of-the-art cyber security, information operations, software anti-tamper, anti-piracy, forensics, and information assurance solutions

Page 3

Corporate

• Woman-owned small business located in Huntsville, AL
• Self-funded, no outside investment or venture capital
• 30 employees, 27 of which are engineers/developers
  – Roots in intelligence community, significant operational experience
  – Skilled in the architecture, design, and development of software security, anti-tamper technologies, forensics, information assurance, and information operations
  – Projecting 50+ in 12-18 months
• Creative and innovative team
  – 100% track record with Phase I to Phase II technology transfer & development
  – All Phase II efforts beyond 1st year of development have been commercialized
• Currently operating at the Secret level in Huntsville, AL and Washington, DC

[Chart: company growth by year, 2005 through 2009, split into SBIR and Non-SBIR]

Page 4

Technology

• Advanced Research & Development
  1) Electronic Armor®: Kernel-based Software Protection
     • Cryptographic Coprocessor Software Partitioning
     • Real Time EA (RedHawk and VxWorks)
  2) Binary Fortress™: Hypervisor-based Software Protection
  3) Second Look™: Live Memory Forensics
     • Red-team Instrumentation & Counterintelligence (CI) Scan Agent
  4) Akita™: Software Situational Awareness
  5) Self-healing and Active Defense Research & Development
  6) Anti-forensic Research & Development
  7) Cross-platform Digital Rights Management
  8) Network Watermarking
• Information Operations Tools & Techniques
• Early Stage Research & Development
  1) Secure and Covert Loading Phase I
  2) IPV4 to IPV6 Phase I
  3) Missile Defense Agency Anti-Tamper Phase I

Page 5

Products

• Electronic Armor
  1) EA for Unix/Linux
     • Individual Executable up to Full System
     • Cryptographic Coprocessor Software Partitioning
     • Real Time EA (RedHawk and VxWorks)
  2) EA for Windows
     • Binary Fortress
  3) EA : Aware
     • Situational Awareness - Environmental Based Key Generation
  4) TBD
     • Self-healing and Active Defense
     • Cross-platform Digital Rights Management
     • Network Watermarking

• Second Look
  1) Live Memory Analysis
  2) Red Team Instrumentation
  3) Counter Intelligence (CI) Scan Agent
  4) Persistent Forensics Tool
  5) Windows Live Memory Analysis

Page 6

Specialized R&D Efforts

• Information Operations
  – Classified
• Mobile devices
  – Windows Mobile 5/6
  – Linux/Symbian/Palm
  – Data collection, protection, and situational awareness
• Miscellaneous
  – Reverse engineering and red teaming
  – Anti-tamper
  – Active defense

Page 7

Opportunities

• Technology Licensing: Adoption of Pikewerks R&D as a layer into your programs and initiatives
  – Electronic Armor®
  – Second Look™
  – Other Products/Tools/Capabilities

• Future R&D: Team with Pikewerks to create the next generation of information assurance, anti-tamper, information operations, and forensics solutions
  – SBIRs
  – BAAs
  – Other Sponsored R&D
  – IR&D efforts

Page 8

© 2008 Pikewerks Corporation

QUESTIONS?

[email protected]

256-325-0010

Thank You!

Page 9

Electronic Armor®

“Designed to protect software applications from reverse engineering, tamper, theft, and unauthorized execution”

• Features
  – Application source code is NOT needed; protects standard executables, shared libraries, and full systems
  – Operates at the kernel level, preventing attacks from even privileged insiders
  – Little to no impact on application performance

• Benefits
  – Protected applications are encrypted on disk and while in system memory
  – Copying, debugging, tracing, tampering and dumping of the protected application are prevented
  – Applications are cryptographically ‘tied’ to the specific deployment machine

Page 10

EA Components

• Packaging Utility: Encrypts and transforms binaries, shared libraries, scripts, data, or entire Operating System (OS) distributions
• Execution Enabler: Processes and executes the protected applications during system operation
• Kernel Sealer: Verifies and maintains the integrity of the OS kernel against malicious attack

Page 11

Binary Fortress

• Custom Hypervisor-based Software Protection
  – Extends the kernel protection approach to a privilege level below the Operating System
  – Operates on hardware platforms that support Intel VT-x
  – Provides secure data and key storage, decryption, and partial out-of-band execution
  – Secure against kernel attacks
  – Twelve months of R&D
  – Final release 4Q 2009
  – Early adopters received an advanced release 1Q 2009

Page 12

Situational Awareness

• Establishes a digital fingerprint of the live system
• Monitors and analyzes system/environmental conditions
  – Advanced Configuration and Power Interface (ACPI)
  – Hard disk SMART statistics
  – User and system information
  – Network topology
  – Geographic location (GPS)
• Detects changes in the operating environment
  – Takes appropriate defensive/offensive actions to protect sensitive applications on the system
• Forces the attacker to the field to find key material
• Final release 4Q 2009
• Early adopters will receive an advanced release 2Q 2009
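The Electronic Armor slide (page 9) says protected applications are cryptographically tied to the deployment machine, and this slide says keys are generated from environmental conditions so that an attacker has to go to the field to find key material. The block below is an added illustration of that idea, written for this transcript; it is not Pikewerks code and does not describe how EA: Aware actually derives keys. It derives a key from a constructed environment fingerprint (attribute names follow the slide's categories, every value is made up), seals a payload under that key with a simple encrypt-then-MAC construction, and shows that once one environmental attribute changes the derived key changes and the payload no longer opens. The HKDF-style derivation, the salt, and the `ea-aware-v1` label are all my own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: attributes a situational-awareness agent might collect.
# Category names follow the slide (ACPI, SMART, user/system, network, GPS);
# every value here is invented for the example.
DEPLOYMENT_ENV: Dict[str, str] = {
    "acpi.oem_table_id": "EXAMPLE-ACPI",
    "disk.smart.serial": "SERIAL-0001-CONSTRUCTED",
    "system.hostname": "deploy-host-01",
    "network.gateway_mac": "00:11:22:33:44:55",
    "gps.fix": "34.73N,86.59W",
}

# Per-deployment salt; it travels with the sealed payload and is not secret.
SALT = b"ea-aware-demo-salt"


def fingerprint(env: Dict[str, str]) -> bytes:
    """Canonical digest of the environment: sorted key=value lines, so the
    same attribute set hashes identically regardless of collection order."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(env.items())).encode()
    return hashlib.sha256(canon).digest()


def derive_key(env: Dict[str, str], salt: bytes, info: bytes = b"ea-aware-v1") -> bytes:
    """Environment-based key via HKDF-SHA256 (RFC 5869, one 32-byte output block).
    The key is recomputed from the live host on every use and never written out."""
    prk = hmac.new(salt, fingerprint(env), hashlib.sha256).digest()   # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()     # expand


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify: wrong key
    (the environment no longer matches) or a modified blob."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def environment_changed(sealed: bytes, env: Dict[str, str]) -> bool:
    """Detection hook for the 'detects changes in the operating environment'
    bullet: the payload opens only under the key the current environment yields."""
    return unseal(sealed, derive_key(env, SALT)) is None


if __name__ == "__main__":
    blob = seal(b"protected payload", derive_key(DEPLOYMENT_ENV, SALT))
    moved = {**DEPLOYMENT_ENV, "disk.smart.serial": "SERIAL-9999-CONSTRUCTED"}
    print("opens on deployment host:", not environment_changed(blob, DEPLOYMENT_ENV))
    print("opens after disk swap:   ", not environment_changed(blob, moved))
```

The point of the construction is that no key is stored with the protected payload: the only way to reproduce it is to stand on a host whose live attributes hash to the same fingerprint, which is what "forces the attacker to the field" means in practice. Which attributes go into the fingerprint is a policy trade-off (a replaced disk legitimately changes the key), so a real deployment would pick stable attributes and keep an escrow path for recovery.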

Page 13

Second Look™ Forensics

• Wide range of target sources
  – Live systems (/dev/mem, firewire, etc.)
  – Snapshots
     • raw physical memory dumps
     • hibernated system images
• Kernel memory analysis
  – Detects hidden modules
  – Detects hidden processes
  – Verifies integrity of the kernel and modules
  – Discovers discrepancies in resources
  – Identifies potential rootkit patch points
• Support for interactive debugging and reverse engineering
• Soon to be expanded to incorporate the Pikewerks custom hypervisor
• 16 months of R&D (TRL 5)
• Related enhancement and Phase III activities
  – Counterintelligence Scan Agent
  – BIOS integrity verification
  – Red Team Instrumentation
  – Persistent memory forensics

Page 14

CI Scan Agent

• Extension of Second Look™ forensics R&D
• Agent for counter-intelligence investigations and espionage discovery
• Stealthy, software-based memory collection and analysis
• Automated detection and alerting of advanced computer espionage techniques
• Centralized data collection & storage
• Cross-host comparison and analysis
• Reporting & alert generation

Sample agent report shown on the slide:

***System***
PIKEWERK-490883
Windows XP Professional, X86
Service Pack 2 (build 2600)
Number of processors 2
Page size 4096
***End System***
***Process***
Base Size Module Name
804D7000 2142208 \WINDOWS\system32\ntkrnlpa.exe
806E2000 134400 \WINDOWS\system32\hal.dll
***End Process***
***Network***
Active Connections
TCP 490883:epmap 490883:26743 LISTENING
TCP 490883:microsoft-ds 490883:24804 LISTENING
TCP 490883:1025 490883:39070 LISTENING
IPv4 Statistics
Packets Received = 381291
***End Network***
***User***
Administrator Administrator, password does not expire
billy Administrator, password does not expire
***End User***
***IDT***
IDT[0] INT gate (32bit) 0x80541190 (module \WINDOWS\system32\ntkrnlpa.exe)
IDT[1] INT gate (32bit) 0x8054130c (module \WINDOWS\system32\ntkrnlpa.exe)
***End IDT***
***Hypervisor***
OS Running within Virtual PC: no
***End Hypervisor***
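The slide lists centralized collection, cross-host comparison and alert generation, and the report text shows the agent's `***Section*** ... ***End Section***` layout, with IDT entries attributed to the module that owns the handler. The following is an added example of the kind of check a collection server could run over such reports; it is my own code, not the CI Scan Agent, and it only handles the sections visible on the slide. The first report reproduces the System, IDT and Hypervisor sections from the slide; the second host is constructed to carry one IDT handler with no module attribution and a different address from the baseline, which is exactly the kind of discrepancy a cross-host comparison exists to surface (an interrupt handler outside any loaded module on a kernel build otherwise identical to the baseline). The regular expressions and the "same kernel build" comparison rule are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed report in the agent's ***Section*** ... ***End Section*** layout.
# System, IDT and Hypervisor values for host A are copied from the slide.
REPORT_HOST_A = r"""***System***
PIKEWERK-490883
Windows XP Professional, X86
Service Pack 2 (build 2600)
Number of processors 2
Page size 4096
***End System***
***IDT***
IDT[0] INT gate (32bit) 0x80541190 (module \WINDOWS\system32\ntkrnlpa.exe)
IDT[1] INT gate (32bit) 0x8054130c (module \WINDOWS\system32\ntkrnlpa.exe)
***End IDT***
***Hypervisor***
OS Running within Virtual PC: no
***End Hypervisor***
"""

# Invented second host: same kernel build, but IDT[1] points somewhere the
# agent could not attribute to a loaded module.
REPORT_HOST_B = r"""***System***
CONSTRUCTED-HOST-B
Windows XP Professional, X86
Service Pack 2 (build 2600)
Number of processors 2
Page size 4096
***End System***
***IDT***
IDT[0] INT gate (32bit) 0x80541190 (module \WINDOWS\system32\ntkrnlpa.exe)
IDT[1] INT gate (32bit) 0xf8a3c2d0
***End IDT***
***Hypervisor***
OS Running within Virtual PC: no
***End Hypervisor***
"""

# ***Name*** ... ***End Name*** blocks; the backreference ties start to end.
SECTION_RE = re.compile(r"\*\*\*(\w+)\*\*\*\n(.*?)\*\*\*End \1\*\*\*", re.S)
# IDT[n] <gate description> 0xADDR [(module PATH)]
IDT_RE = re.compile(r"IDT\[(\d+)\]\s+(.*?)\s+(0x[0-9a-fA-F]+)(?:\s+\(module\s+(.+?)\))?\s*$")


def parse_report(text: str) -> Dict[str, List[str]]:
    """Split a report into sections; each section is its non-empty lines."""
    return {name: [ln for ln in body.splitlines() if ln.strip()]
            for name, body in SECTION_RE.findall(text)}


def parse_idt(lines: List[str]) -> Dict[int, Tuple[str, Optional[str]]]:
    """vector -> (handler address, attributed module or None)."""
    table: Dict[int, Tuple[str, Optional[str]]] = {}
    for ln in lines:
        m = IDT_RE.match(ln)
        if m:
            table[int(m.group(1))] = (m.group(3).lower(), m.group(4))
    return table


def kernel_build(report: Dict[str, List[str]]) -> str:
    """Kernel identity used to decide whether two hosts are comparable."""
    sysinfo = report.get("System", [])
    return " | ".join(ln for ln in sysinfo if ln.startswith(("Windows", "Service Pack")))


def idt_findings(report: Dict[str, List[str]],
                 baseline: Optional[Dict[str, List[str]]] = None) -> List[Tuple[int, str]]:
    """Local check: handlers with no owning module. Cross-host check: handlers
    whose address differs from a baseline host running the same kernel build."""
    findings: List[Tuple[int, str]] = []
    idt = parse_idt(report.get("IDT", []))
    for vec, (addr, module) in sorted(idt.items()):
        if module is None:
            findings.append((vec, f"handler {addr} is not attributed to any loaded module"))
    if baseline is not None and kernel_build(baseline) == kernel_build(report):
        base = parse_idt(baseline.get("IDT", []))
        for vec in sorted(set(idt) & set(base)):
            if idt[vec][0] != base[vec][0]:
                findings.append((vec, f"handler {idt[vec][0]} differs from baseline {base[vec][0]}"))
    return findings


if __name__ == "__main__":
    baseline = parse_report(REPORT_HOST_A)
    for vec, why in idt_findings(parse_report(REPORT_HOST_B), baseline=baseline):
        print(f"ALERT IDT[{vec}]: {why}")
```

The cross-host rule is deliberately narrow: two hosts are only compared when their System section reports the same OS and service pack, since handler addresses legitimately differ between kernel builds. In a real collection pipeline the baseline would be a known-good host or a golden image rather than a peer.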

Page 15

Red Team Instrumentation

• Extension of the Second Look™ forensics R&D
• Record and analyze actions taken by a Red Team in near real time
• Collection of assessment data to evaluate protection and attack tools
• Eight months of R&D

[Diagram: host running a debugger; virtual machine running protected software; Gumstix; American Arium debugger; debugging station; remote attacker]

Page 16

Autonomic Healing

• Distributed Host Healing and Active Defense
  – System discovery, monitoring, healing and defense
  – Forces attackers to reach all machines at once
  – Networks work together to defeat exploitation attempts including reverse engineering attacks, viruses, and rootkits
• Application Self-healing and Active Defense
  – Extends software protection
  – Performs checksums of the protected applications
  – Replaces modified application segments with clean copies
  – Can dynamically change the behavior of a tampered application to perform penalties or adapt decoys for specific attack scenarios
• System Management Mode (SMM) monitor
  – Custom AMI/Award/Phoenix BIOS enhancement
• Small form factor FPGA uses Direct Memory Access (DMA)
  – Continual off-host monitoring and repair of memory
  – Can be used to remove/inject key material
• Six months of R&D
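The application self-healing bullets describe checksumming the protected application and replacing modified segments with clean copies. The block below is an added example of that mechanism written for this transcript, not Pikewerks code: it splits a constructed image into fixed-size segments, keeps a keyed per-segment checksum as the reference, reports which segments no longer match, and restores only those segments from a clean copy. The segment size, the HMAC key and the stand-in image are all invented for the example; where the key and the clean copy would live (the slides mention a kernel layer, SMM and an off-host FPGA as candidates) is a deployment decision the example does not make.

```python
import hashlib
import hmac
from typing import List, Tuple

SEGMENT_SIZE = 64  # bytes per checksummed segment (constructed choice)

# Constructed stand-in for a protected application image and for the key that
# authenticates its reference checksums. 524 bytes: eight full segments plus a
# 12-byte partial segment, so the partial-segment case is exercised too.
CLEAN_IMAGE = bytes(range(256)) * 2 + b"tail-segment"
CHECKSUM_KEY = b"constructed-reference-key"


def segments(image: bytes) -> List[bytes]:
    """Fixed-size slices of the image; the last one may be shorter."""
    return [image[i:i + SEGMENT_SIZE] for i in range(0, len(image), SEGMENT_SIZE)]


def reference_checksums(image: bytes, key: bytes) -> List[bytes]:
    """Keyed per-segment checksums (HMAC-SHA256). A keyed digest means someone
    who edits a segment cannot simply recompute a matching reference value,
    as long as the key is held outside the image they can modify."""
    return [hmac.new(key, seg, hashlib.sha256).digest() for seg in segments(image)]


def tampered_segments(image: bytes, key: bytes, reference: List[bytes]) -> List[int]:
    """Indices of segments whose current checksum does not match the reference."""
    current = reference_checksums(image, key)
    if len(current) != len(reference):
        # The segment count changed (image grew or shrank): treat every
        # segment as suspect rather than guessing at an alignment.
        return list(range(max(len(current), len(reference))))
    return [i for i, (c, r) in enumerate(zip(current, reference))
            if not hmac.compare_digest(c, r)]


def heal(image: bytes, key: bytes, reference: List[bytes],
         clean: bytes) -> Tuple[bytes, List[int]]:
    """Replace each modified segment with the corresponding clean segment.
    Returns (healed image, indices that were replaced)."""
    bad = tampered_segments(image, key, reference)
    if not bad:
        return image, []
    if len(image) != len(clean):
        return clean, bad          # layout changed: restore the whole image
    healed = segments(image)
    clean_segs = segments(clean)
    for i in bad:
        healed[i] = clean_segs[i]
    return b"".join(healed), bad


if __name__ == "__main__":
    ref = reference_checksums(CLEAN_IMAGE, CHECKSUM_KEY)
    damaged = bytearray(CLEAN_IMAGE)
    damaged[130] ^= 0xFF           # lands in segment 2
    damaged[520] ^= 0x01           # lands in the partial segment 8
    restored, fixed = heal(bytes(damaged), CHECKSUM_KEY, ref, CLEAN_IMAGE)
    print("replaced segments:", fixed, "image restored:", restored == CLEAN_IMAGE)
```

Per-segment checksums are what make the repair targeted: a single corrupted byte costs one 64-byte copy instead of a full reload, and the list of replaced indices is itself useful telemetry, since repeated hits on the same segment point at a specific patch site.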

Page 17

Anti-Forensic Technologies

Page 18

Network Watermarking

• Transparent authentication of network traffic integrity for the Global Information Grid (GIG)
• Invisible watermarking of digital data for dissemination and authentication
• Host-based network driver and Single Board Computer (SBC) bump-in-wire bridge to apply and authenticate machine-specific watermarks to incoming and outgoing network traffic streams
• Final release 1Q 2010
• Seeking deployment scenarios

[Photo caption: Physical AT wrap enclosure]

Page 19

Data Rights Enforcement

“Cross-Platform Digital Rights Management”

• Encrypts and Protects Data Files
  – Disposable Public-Key Cryptography provides forward-security of documents
  – Ideal for multi-level security of data
  – Ongoing integration with existing / adopted pedigree system
• Controls Operating System Capabilities
  – Data Rights Enforcement Module restricts the unauthorized ability to copy, print, or redistribute protected data
• Provides Key Escrow
  – Rights Management Server allows for ongoing control and auditing of data access