

BURNEYE

readme file
version 1.0


WARNING: If you are going to use burneye at all, then read through the entire
         document. I have kept it short enough to not waste your time, while
         trying to explain the most important things.



Burneye is an executeable encryption program, which is suited to protect ELF
binaries on the Intel x86 Linux operating system. It supports a variety of
options to wrap an arbitrary executeable with multiple encryption layers.

Foreword: Executeables wrapped with burneye are not necessarily more secure. If
you use burneye in a wrong way, it takes a few minutes and some custom tools to
restore the original executeable. If you use the password or fingerprint
encryption the right way, it can be very difficult, if not impossible, to
restore the original executeable without access to the password and the host
fingerprint.


CRASH TOUR

There are three layers so far, when encrypting executeables with burneye. The
simplest layer, the obfuscation layer is a simple insecure ciphers, which just
scrambles the content. It is enabled every time and is the outer layer. Even
the burneye functions are scrambled with this layer. All layers are
independant, you can combine any of the following layers.

The second layer is the password layer, which you can use to protect your
executeable with a custom password. The password is read in from the current
pty, so it should work even from within scripts. The password is hashed through
SHA1, some magic is applied and the layers below are decrypted with RC4. By
default a check is done to ensure the decryption succeeded. You can disable
this check by using the '-i' option. It is recommended to use it, because it
does not expose any key bits but stops from executing junk if you mistyped the
password. The password layer can be enabled by using the '-p' option, which
takes the password as parameter (use quotes, as in: -p "mypassword"). You can
also add the '-P' option at will, which allows you to have the password given
in an environment variable instead of having to type it each time you run the
program.

The third and deepest layer is the fingerprinting layer. A fingerprint is a
compilation of the characteristics of the host the binary is running on. So far
a number of different input data is used, just run burneye with the '-l' option
to see a list. You should be able to see what data it takes, as the behaviour
is undocumented yet. The default enabled tests should be fine to use. You can
disable/enable each test using the '-e' and '-d' option, as in '-d sysbase
-e procmem'. When testing and playing around, try appending the '-l' option as
last parameter to your commandline to see if your changes took effect. Anyway,
there are two ways to feed burneye with fingerprints. The most convenient is
the '-F' option, which creates a fingerprint of the current host (the one
burneye is running on) and uses that to protect the binary. Another option,
which can be useful is the '-f' option. This way the fingerprint is read from a
fingerprint file. This can be used to encrypt a binary for someone whom do you
not trust. He runs the supplied 'fingerprint' binary on his host and sends you
the fingerprint file. Then you use burneye locally with the '-f foofile.fp'
option to create a binary that will only run on his host.
    The '-t' option can be used to allow a certain tolerance in the
fingerprint. Say your untrusted friend wants to upgrade his RAM or change his
partition table. Then use some low value, like '-t 1' or '-t 2'. This way one -
or two - subtests can fail and the binary will still run. Do not use too high
values here (burneye will warn if the value is cryptographically unsafe, you
can rely on that, but if it warns, change your options). If you are absolutely
sure about what you are doing, you can use the '-E' option to override the
warning on weak protection pads.

The most simple and non-cryptography related option is the '-B'. You can use it
to display a banner before all other layers a processed. This could be contact
information, a copyright display or a warning message as it is in front of
burneye itself. In any normal case you should favor the '-B' option over the
'-b' option. '-B' displays the banner on the tty, which will work from within
scripts. '-b' displays it on stderr (2).

Another interesting option is the '-U' option. If you enable it, you have to
supply an additional argument. If the argument is set as environment variable
when the wrapped binary is run, it will be securely wiped from the harddist. So
a simple "burneye -U DELETE -o distbin blabin" will add a self-deletion stub to
'distbin'. If you call distbin afterwards with the environment variable
'DELETE' set, it will wipe itself from the harddisc. It uses a loop of urandom
input data to overwrite itself, syncing after each pass and then unlinks
itself. To do this it extracts a special 250 byte unlinking stub which is
executed and does the whole work. Only this minimal stub can be reconstructed
(but it is unlinked, too).

One generic option is the '-o' option, which allows you to specify the name of
the output file.

A new option, which is still in beta state in this version is the 'SEAL mode',
which allows you to create a self-modifying binary. The produced binary will
run on any system. The first time it is run it will create a fingerprint of the
system and 'seal' itself to that host. It cannot be run on other hosts after
this sealing has taken place. Also, it safely deletes the 'SEAL' binary before
creating the protected one. This option is quite complicated to implement
reliable, so use it with care. I tried my best to make it work, but - as said -
its still in beta state.

The TAG option is somewhat complicated to use, see below for an example.



Examples:

burneye -o ls /bin/ls		# only obfuscation, no protection

burneye -p "secret" -o ls /bin/ls	# encrypt with password 'secret'

burneye -B warning.txt -o ls /bin/ls	# display banner in warning.txt before

burneye -F -t 1 -B warning.txt -o ls /bin/ls	# use fingerprint of local
	# host, with one test tolerance and display banner from warning.txt

fingerprint -d procpartitions -f foohost.fp
burneye -f foohost.fp -t 2 -p "hidden" -o ls /bin/ls
	# use fingerprint from file, two test tolerance and password hidden

burneye -U DELETE -o ls /bin/ls
DELETE=foo ./ls
	# will securely wipe ./ls from the hdd

burneye -p puke -S -o ls /bin/ls
./ls  # will seal and rewrite the binary
OLDHOSTNAME=`hostname`
./ls  # will work
hostname moo
./ls  # will not work
hostname $OLDHOSTNAME
./ls  # will work


TAG option:

$ TAG=ENV:KEY:VALUE ./burneye -T TAG -o ls /bin/ls
$ ./ls
README  burneye  fingerprint  ls
$ ENV=KEY ./ls
VALUE
$ ENV=KEY_ ./ls
B9^"g06!`1ØL
$


Anyway, if you have not got what this is by now, I cannot help you. All other
questions are answered by the FAQ below.


-scut


FAQ:
====

[Q]: Can I have the source code?

  A: No.


[Q]: This is security by obscurity, how can you be sane and say its secure?

  A: Because I really think it is secure. Or I am insane. Or both. (No really,
     it is quite secure if the binary does not execute.)


[Q]: Isn't this a real blackhat-only tool and don't you feel guilty about it?

  A: Some people are sick of the "full disclosure" advocates stealing hard work
     of non commercial research groups. Sure, it can be used for bad purposes,
     as almost anything.


[Q]: I use PaX and it does not run. Why is that?

  A: PaX optionally disables mprotect() functionality. Disable
     CONFIG_PAX_MPROTECT as kernel option and everything should work. If you do
     not want to disable it or you cannot, there are things to live with.
     Mainly, that you cannot use burneye on that system.

     I will (maybe) add some of the propietary flags that are used by PaX and
     Openwall to allow burneye binaries to be run on such systems in the
     future.


[Q]: Why does the deletion take that long?

  A: It uses 7 passes and grabs the data to overwrite with from /dev/urandom.
     Which is suboptimal though, it could be more secure. Anyway, it will get
     rid of the 1995 tct-using-type of forensics (and leave more room to the
     skilled forensics).


[Q]: I have this mad idea in my head about this double helix decryption wrap
     code that self hooks its root with a polymorphic chamelion code! Will you
     implement that ?

  A: No, but you can write me an email nevertheless ;)

--
vi:fo=tcrq:tw=79
