Computer software often contains items of significant commercial value. For example, the field of Digital Rights Management (DRM) often concerns itself with protecting content that is digitally transmitted with perfect fidelity from machine to machine. Movies, music and e-books are all examples of the type of content that is commonly used in untrusted environments. In each case, there are instances where the intellectual property owner wishes to control how the content is used and/or copied.
One of the most powerful techniques for the theft of protected content is to execute the software managing it in an emulated or otherwise instrumented environment. If the software cannot detect that the environment is synthetic, the protected content may be stolen or the software reverse-engineered.
In addition, emulated environments have been suggested as a method of implementing a “rootkit” on a machine (essentially, the rootkit emulates a real environment in which all other programs run). Currently, there are few ways of reliably detecting these rootkits, which leaves users significantly exposed because they cannot determine that their machines have been compromised.
Finally, building software that is difficult to reverse engineer has important defense implications. As our information infrastructure increases its battlefield penetration, it becomes clear that devices with significant information assets on them will fall into unfriendly hands. The resilience of these devices to reverse engineering is paramount. Similarly, embedded systems such as aircraft radar or missile guidance systems that are sold to foreign powers must be protected from reverse engineering, lest the exposure of important intellectual property compromise the integrity of defense systems.
Because software can only interact with its environment via the CPU it is executing on, a carefully designed emulated environment can appear identical to a “real” execution environment: every function or system call the software makes can be “spoofed” to hide the presence of the synthetic environment. Furthermore, such spoofing need not operate at the system call level. For example, U.S. Pat. No. 7,162,715 describes a system that can preemptively intercept instructions at the CPU level. Similarly, new technologies embedded within CPUs make virtualization an easy task. Clearly, a reliable method of detecting such emulated and/or instrumented environments is needed.