UNCLASSIFIED
Pikewerks Overview
for CDCA
April 24th, 2009
Irby Thompson, Vice President
[email protected]
256-325-0010
© 2009 Pikewerks Corporation

The Company
• Mission: Encourage a creative research and development environment that fosters the production of innovative software security technologies
• Technology Focus: Become a demonstrated leader in the security industry by providing state-of-the-art cyber security, information operations, software anti-tamper, anti-piracy, forensics, and information assurance solutions

Corporate
• Woman-owned small business located in Huntsville, AL
• Self-funded, no outside investment or venture capital
• 30 employees, 27 of which are engineers/developers
  – Roots in intelligence community, significant operational experience
  – Skilled in the architecture, design, and development of software security, anti-tamper technologies, forensics, information assurance, and information operations
  – Projecting 50+ in 12-18 months
• Creative and innovative team
  – 100% track record with Phase I to Phase II technology transfer & development
  – All Phase II efforts beyond 1st year of development have been commercialized
• Currently operating at the Secret level in Huntsville, AL and Washington, DC
[Chart: Non-SBIR and SBIR work by year, 2005 to 2009]

Technology
• Advanced Research & Development
  1) Electronic Armor®: Kernel-based Software Protection
     • Cryptographic Coprocessor Software Partitioning
     • Real Time EA (RedHawk and VxWorks)
  2) Binary Fortress™: Hypervisor-based Software Protection
  3) Second Look™ Live Memory Forensics
     • Red-team Instrumentation & Counterintelligence (CI) Scan Agent
  4) Akita™: Software Situational Awareness
  5) Self-healing and Active Defense Research & Development
  6) Anti-forensic Research & Development
  7) Cross-platform Digital Rights Management
  8) Network Watermarking
• Information Operations Tools & Techniques
• Early Stage Research & Development
  1) Secure and Covert Loading Phase I
  2) IPV4 to IPV6 Phase I
  3) Missile Defense Agency Anti-Tamper Phase I

Products
• Electronic Armor
  1) EA for Unix/Linux
     • Individual Executable up to Full System
     • Cryptographic Coprocessor Software Partitioning
     • Real Time EA (RedHawk and VxWorks)
  2) EA for Windows
     • TBD
  3) Binary Fortress
  4) EA : Aware
     • Situational Awareness - Environmental Based Key Generation
• Self-healing and Active Defense
• Cross-platform Digital Rights Management
• Network Watermarking
• Second Look
  1) Live Memory Analysis
  2) Red Team Instrumentation
  3) Counter Intelligence (CI) Scan Agent
  4) Persistent Forensics Tool
  5) Windows Live Memory Analysis

Specialized R&D Efforts
• Information Operations
  – Classified
• Mobile devices
  – Windows Mobile 5/6
  – Linux/Symbian/Palm
  – Data collection, protection, and situational awareness
• Miscellaneous
  – Reverse engineering and red teaming
  – Anti-tamper
  – Active defense

Opportunities
• Technology Licensing: Adoption of Pikewerks R&D as a layer into your programs and initiatives
  – Electronic Armor®
  – Second Look™
  – Other Products/Tools/Capabilities
• Future R&D: Team with Pikewerks to create the next generation of information assurance, anti-tamper, information operations, and forensics solutions
  – SBIRs
  – BAAs
  – Other Sponsored R&D
  – IR&D efforts

QUESTIONS?
Thank You!
www.pikewerks.com
[email protected]
256-325-0010
© 2008 Pikewerks Corporation

Electronic Armor®
“Designed to protect software applications from reverse engineering, tamper, theft, and unauthorized execution”
• Features
  – Application source code is NOT needed; protects standard executables, shared libraries, and full systems
  – Operates at the kernel level, preventing attacks even from privileged insiders
  – Little to no impact on application performance
• Benefits
  – Protected applications are encrypted on disk and while in system memory
  – Copying, debugging, tracing, tampering and dumping of protected applications are prevented
  – Applications are cryptographically ‘tied’ to the specific deployment machine

EA Components
• Packaging Utility: encrypts and transforms binaries, shared libraries, scripts, data, or entire Operating System (OS) distributions
• Execution Enabler: processes and executes the protected applications during system operation
• Kernel Sealer: verifies and maintains the integrity of the OS kernel against malicious attack

Binary Fortress
• Custom Hypervisor-based Software Protection
  – Extends the kernel protection approach to a privilege level below the Operating System
  – Operates on hardware platforms that support Intel VT-x
  – Provides secure data and key storage, decryption, and partial out-of-band execution
  – Secure against kernel attacks
  – Twelve months of R&D
  – Final release 4Q 2009
  – Early adopters received an advanced release 1Q 2009

Situational Awareness
• Establishes a digital fingerprint of the live system
• Monitors and analyzes system/environmental conditions
  – Advanced Configuration and Power Interface (ACPI)
  – Hard disk SMART statistics
  – User and system information
  – Network topology
  – Geographic location (GPS)
• Detects changes in the operating environment
  – Takes appropriate defensive/offensive actions to protect sensitive applications on the system
• Forces the attacker to the field to find key material
• Final release 4Q 2009
• Early adopters will receive an advanced release 2Q 2009
[Figure: key material bound to a specific user, specific host, network location, and geographic location]

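The "environmental based key generation" idea behind the Situational Awareness slide, worked through as an added example (this is not Pikewerks code): a key is derived from a canonical fingerprint of the user, host, network and location attributes the slide names, so a protected payload only opens when the runtime environment matches the deployment environment. The attribute names and sample values, the salt, and the SHA-256 based demo cipher are all assumptions made for the example; a real protector would use an AEAD such as AES-GCM in place of the toy cipher.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed deployment fingerprint covering the four binding factors
# named on the slide (specific user, specific host, network location,
# geographic location). How each value is collected (ACPI, SMART, GPS)
# is assumed and out of scope for this example.
DEPLOY_ENV: Dict[str, str] = {
    "user": "svc_protected",
    "host_serial": "ACPI-SN-EXAMPLE-0001",
    "network": "10.0.42.0/24",
    "geo": "34.73,-86.59",
}
SALT = b"constructed-per-deployment-salt"  # stored alongside the protected package


def fingerprint(env: Dict[str, str]) -> bytes:
    """Order-independent digest of the environment attributes."""
    canon = "\n".join(f"{k}={env[k]}" for k in sorted(env))
    return hashlib.sha256(canon.encode()).digest()


def derive_key(env: Dict[str, str], salt: bytes, info: bytes = b"ea-aware-v1") -> bytes:
    """HKDF-shaped extract-then-expand (one 32-byte output block) over the
    fingerprint. The key is never stored; it is recomputed from the live
    environment each run, which is what forces an attacker 'to the field'."""
    prk = hmac.new(salt, fingerprint(env), hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Demo keystream: SHA-256 over key || counter, truncated to length."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(plaintext: bytes, key: bytes) -> bytes:
    """Demo-only encrypt-then-MAC: XOR with the keystream, then an HMAC tag
    so a wrong key or a modified blob is rejected instead of being
    'decrypted' into garbage. Use an AEAD (AES-GCM) in real systems."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (environment
    drifted, payload moved to another host, or blob tampered)."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


def run_protected(blob: bytes, runtime_env: Dict[str, str]) -> Optional[bytes]:
    """What an execution enabler would do at start-up: re-derive and try."""
    return unseal(blob, derive_key(runtime_env, SALT))


if __name__ == "__main__":
    blob = seal(b"sensitive application image", derive_key(DEPLOY_ENV, SALT))
    print(run_protected(blob, DEPLOY_ENV))                 # b'sensitive application image'
    moved = dict(DEPLOY_ENV, host_serial="ACPI-SN-OTHER")  # same blob copied to another host
    print(run_protected(blob, moved))                      # None
```

The defensive point the slide is making follows directly: because the key exists only as a function of the environment, a copy of the protected image taken off the host carries no key material with it, and any drift in the bound attributes is detected by the tag check rather than producing a silently corrupted image.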
Second Look™ Forensics
• Wide range of target sources
  – Live systems (/dev/mem, firewire, etc)
  – Snapshots
    • raw physical memory dumps
    • hibernated system images
• Kernel memory analysis
  – Detects hidden modules
  – Detects hidden processes
  – Verifies integrity of the kernel and modules
  – Discovers discrepancies in resources
  – Identifies potential rootkit patch points
• Support for interactive debugging and reverse engineering
• Soon to be expanded to incorporate the Pikewerks custom hypervisor
• 16 Months of R&D (TRL 5)
• Related enhancement and Phase III activities
  – Counterintelligence Scan Agent
  – BIOS integrity verification
  – Red Team Instrumentation
  – Persistent memory forensics

CI Scan Agent
• Extension of Second Look™ forensics R&D
• Agent for counter-intelligence investigations and espionage discovery
• Stealthy, software-based memory collection and analysis
• Automated detection and alerting of advanced computer espionage techniques
• Centralized data collection & storage
• Cross-host comparison and analysis
• Reporting & alert generation

[Sample agent report shown on the slide]
***System***
PIKEWERK-490883
Windows XP Professional, X86
Service Pack 2 (build 2600)
Number of processors 2
Page size 4096
***End System***
***Process***
Base      Size     Module Name
804D7000  2142208  \WINDOWS\system32\ntkrnlpa.exe
806E2000  134400   \WINDOWS\system32\hal.dll
***End Process***
***Network***
Active Connections
TCP  490883:epmap         490883:26743  LISTENING
TCP  490883:microsoft-ds  490883:24804  LISTENING
TCP  490883:1025          490883:39070  LISTENING
IPv4 Statistics
Packets Received = 381291
***End Network***
***User***
Administrator  Administrator, password does not expire
billy          Administrator, password does not expire
***End User***
***IDT***
IDT[0] INT gate (32bit) 0x80541190 (module \WINDOWS\system32\ntkrnlpa.exe)
IDT[1] INT gate (32bit) 0x8054130c (module \WINDOWS\system32\ntkrnlpa.exe)
***End IDT***
***Hypervisor***
OS Running within Virtual PC: no
***End Hypervisor***

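The report excerpt lists loaded kernel modules (base and size) next to the IDT handler addresses, which is exactly the data an analyst cross-checks when looking for the "rootkit patch points" the Second Look slide mentions: an interrupt gate whose handler lies outside every loaded module, or in a different module than claimed, is an anomaly worth alerting on. The following Python is an added example, not Pikewerks' code. It parses the ***Section*** / ***End Section*** layout and audits the IDT against the module table. The REPORT string is constructed from the slide's two module rows and two IDT entries plus one fabricated entry (IDT[2]) so that the anomaly path is exercised.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the slide's excerpt; IDT[2] is a fabricated anomaly.
REPORT = """\
***Process***
Base Size Module Name
804D7000 2142208 \\WINDOWS\\system32\\ntkrnlpa.exe
806E2000 134400 \\WINDOWS\\system32\\hal.dll
***End Process***
***IDT***
IDT[0] INT gate (32bit) 0x80541190 (module \\WINDOWS\\system32\\ntkrnlpa.exe)
IDT[1] INT gate (32bit) 0x8054130c (module \\WINDOWS\\system32\\ntkrnlpa.exe)
IDT[2] INT gate (32bit) 0x8a7f0000 (module unknown)
***End IDT***
"""

Module = Tuple[int, int, str]      # (base, size, path)
IdtEntry = Tuple[int, int, str]    # (vector, handler address, claimed module)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the report into {section_name: [body lines]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        m = re.fullmatch(r"\*\*\*(End )?(\w+)\*\*\*", line.strip())
        if m and m.group(1) and current is not None:   # ***End X***
            sections[current] = buf
            current, buf = None, []
        elif m:                                          # ***X***
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    return sections


def parse_modules(lines: List[str]) -> List[Module]:
    """Module rows: 8 hex digits of base, decimal size, path. Header is skipped."""
    mods: List[Module] = []
    for line in lines:
        m = re.match(r"([0-9A-Fa-f]{8})\s+(\d+)\s+(\S+)$", line.strip())
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2)), m.group(3)))
    return mods


def parse_idt(lines: List[str]) -> List[IdtEntry]:
    """IDT rows: vector, handler address, and the module the report attributes it to."""
    ents: List[IdtEntry] = []
    for line in lines:
        m = re.match(r"IDT\[(\d+)\].*?0x([0-9A-Fa-f]+)\s+\(module\s+(.+)\)$", line.strip())
        if m:
            ents.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return ents


def module_for(addr: int, mods: List[Module]) -> Optional[str]:
    """Path of the module whose [base, base+size) range contains addr, if any."""
    for base, size, path in mods:
        if base <= addr < base + size:
            return path
    return None


def audit_idt(report: str) -> Dict[int, str]:
    """{vector: verdict}. 'ok' when the handler lies inside the module the
    report claims; otherwise a description of the discrepancy."""
    sec = parse_sections(report)
    mods = parse_modules(sec.get("Process", []))
    verdicts: Dict[int, str] = {}
    for vec, addr, claimed in parse_idt(sec.get("IDT", [])):
        owner = module_for(addr, mods)
        if owner is None:
            verdicts[vec] = f"handler 0x{addr:08x} outside every loaded module"
        elif owner != claimed:
            verdicts[vec] = f"handler in {owner} but report claims {claimed}"
        else:
            verdicts[vec] = "ok"
    return verdicts


if __name__ == "__main__":
    for vec, verdict in sorted(audit_idt(REPORT).items()):
        print(f"IDT[{vec}]: {verdict}")
```

On the slide's own numbers the check passes: ntkrnlpa.exe spans 0x804D7000 to 0x804D7000 + 2142208 = 0x806E2000, which is where hal.dll begins, and both 0x80541190 and 0x8054130C fall inside that range. The same range test extends naturally to other function-pointer tables a memory forensics tool walks (SSDT entries, driver dispatch routines), which is the general form of the "identifies potential rootkit patch points" capability.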
Red Team Instrumentation
• Extension of the Second Look™ forensics R&D
• Record and analyze actions taken by a Red Team in near real time
• Collection of assessment data to evaluate protection and attack tools
• Eight months of R&D
[Diagram: virtual machine running protected software, host running a debugger, Gumstix, remote attacker, American Arium debugger, debugging station]

Autonomic Healing
• Distributed Host Healing and Active Defense
  – System discovery, monitoring, healing and defense
  – Forces attackers to reach all machines at once
  – Networks work together to defeat exploitation attempts including reverse engineering attacks, viruses, and rootkits
• Application Self-healing and Active Defense
  – Extends software protection
  – Performs checksums of the protected applications
  – Replaces modified application segments with clean copies
  – Can dynamically change the behavior of a tampered application to perform penalties or adapt decoys for specific attack scenarios
• System Management Mode (SMM) monitor
  – Custom AMI/Award/Phoenix BIOS enhancement
• Small form factor FPGA uses Direct Memory Access (DMA)
  – Continual off-host monitoring and repair of memory
  – Can be used to remove/inject key material
• Six months of R&D

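The "performs checksums of the protected applications" and "replaces modified application segments with clean copies" bullets, worked through as an added example (not Pikewerks' product code): a per-segment SHA-256 baseline is taken at packaging time, the running image is re-verified, and only the segments that differ are restored from a clean copy. The segment size, the image bytes and the tamper locations are constructed for the example; where the clean copy is kept (an encrypted store the protector controls) is assumed.

```python
import hashlib
from typing import Dict, List

SEGMENT = 64  # constructed segment size; a real protector would use page or section granularity


def segments(image: bytes) -> List[bytes]:
    """Fixed-size slices of the image; the last one may be short."""
    return [image[i:i + SEGMENT] for i in range(0, len(image), SEGMENT)]


def baseline(image: bytes) -> List[bytes]:
    """Per-segment SHA-256, computed at packaging time and kept in a protected store."""
    return [hashlib.sha256(s).digest() for s in segments(image)]


def verify(image: bytes, ref: List[bytes]) -> List[int]:
    """Indexes of segments that differ from the baseline. Extra segments
    (image grew) and missing segments (image shrank) both count as bad."""
    segs = segments(image)
    bad = [i for i, s in enumerate(segs)
           if i >= len(ref) or hashlib.sha256(s).digest() != ref[i]]
    bad += list(range(len(segs), len(ref)))
    return bad


def heal(image: bytearray, clean: bytes, ref: List[bytes]) -> Dict[str, object]:
    """Restore every bad segment from the clean copy in place, then re-verify.
    Assumes the clean copy is the image the baseline was taken from."""
    bad = set(verify(bytes(image), ref))
    cur, good = segments(bytes(image)), segments(clean)
    image[:] = b"".join(good[i] if i in bad else cur[i] for i in range(len(ref)))
    return {"repaired": sorted(bad), "remaining": verify(bytes(image), ref)}


def demo() -> Dict[str, object]:
    """Constructed run: a 512-byte image is tampered in two segments and healed."""
    clean = bytes(range(256)) * 2              # constructed "application image"
    ref = baseline(clean)
    running = bytearray(clean)
    running[130] ^= 0xFF                       # constructed tamper: one byte in segment 2
    running[400:404] = b"\xcc\xcc\xcc\xcc"     # constructed tamper: four bytes in segment 6
    detected = verify(bytes(running), ref)
    result = heal(running, clean, ref)
    result["detected"] = detected
    result["restored"] = bytes(running) == clean
    return result


if __name__ == "__main__":
    print(demo())  # {'repaired': [2, 6], 'remaining': [], 'detected': [2, 6], 'restored': True}
```

Segment-level hashing is what makes the "replace modified segments" step cheap: only the segments that fail are rewritten, and the re-verification after repair is what an active-defense layer would use to decide whether to fall back to the penalty or decoy behaviour the slide describes.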
Anti-Forensic Technologies

Network Watermarking
• Transparent authentication of network traffic integrity for the Global Information Grid (GIG)
• Invisible watermarking of digital data for dissemination and authentication
• Host-based network driver and Single Board Computer (SBC) bump-in-the-wire bridge to apply and authenticate machine-specific watermarks to incoming and outgoing network traffic streams
• Final release 1Q 2010
• Seeking deployment scenarios
[Photo: physical AT wrap enclosure]

Data Rights Enforcement
“Cross-Platform Digital Rights Management”
• Encrypts and Protects Data Files
  – Disposable Public-Key Cryptography provides forward security of documents
  – Ideal for multi-level security of data
  – Ongoing integration with existing / adopted pedigree system
• Controls Operating System Capabilities
  – Data Rights Enforcement Module restricts the unauthorized ability to copy, print, or redistribute protected data
• Provides Key Escrow
  – Rights Management Server allows for ongoing control and auditing of data access