Hypervisor for executables protection - design, development and discussion

31 Mar 2014

To ensure its continuity, the company must seek export contracts. In the defense field, these contracts are often accompanied by transfers of technology (ToT) to the recipient country. These transfers are partial, and a compromise is needed between the protection of industrial property, national secrets, and the client's requests. It is in this context, particularly at DCNS, that we are looking for new software protection techniques. Faced with the failure of the various protection techniques (obfuscation and packers), which only slow down understanding of the code, a new approach to protection is discussed. The main idea is to filter accesses to the memory that contains the sensitive data. This solution, which is part of a strong industrial environment, should have minimal impact on the system and applications provided by DCNS. We propose an architecture that uses the latest Intel technologies, particularly hardware virtualization. This technology allows us to obtain a high level of privilege and to control applications precisely. Our solution protects the executable data of ELF binaries on 32-bit and 64-bit platforms without modifying the targeted system. We detail the different steps to protect a process (from its start to its finish), the problems encountered, and the choices made to address them. We also show, through various measurements, the effectiveness of our architecture and its low impact on the guest system. In our implementation, only executable data are protected; we propose avenues for fully protecting a binary's memory, as well as evolutions to integrate our solution into a trusted architecture to improve its robustness. Our solution forbids, by construction, all reads and writes of the sensitive data and is compatible with all Linux distributions without modification.


Eddy Deligne

