Just because users use White Hawk Software tools does not prevent them from adding some protection code of their own.
Decoys are among the best defenses. However, use of decoys can become dangerous and may be tricky.
Consider a decoy having been introduced. What are the possibilities?
- The decoy is not detected.
Nothing happens; no good, no bad. It still is there for possible later detection.
- The decoy is detected, but confused with the real thing.
The best possible outcome. Attacker stops searching because he thought he got the result.
- The decoy is detected and recognized to be a decoy.
The worst possible outcome. Any attacker is reinforced that there must be something worth hiding. Attacker will multiply efforts to search for the real thing.
Use of decoys is a strategic decision which can be made only after evaluating the possible outcomes and their consequences.
Should decoys be protected? Of course. If a decoy is not protected doesn’t that just scream this code is intended for viewing? On the other side: don’t protect it too well, or an attacker has no clue of the decoy and won’t waste his time.
So, how well should decoys be protected? That is a difficult question; maybe protect it just a tiny bit less then the real code. Or, have several decoys and protect them at different levels.
When time permits I plan on blogging how NestX86 itself takes advantage of decoys at different levels. …Here it is