Frequently Asked Questions
Question: What measures & research has Nubeva undertaken to ensure that your products continue to operate given the following challenges:
OS vendor changes
Interaction with AV/Malware/EDR products
Protocol updates, changes and additions
OS Vendor Changes
Today on Microsoft Windows, Nubeva uses 'hooking' for Symmetric Key Intercept. That means the Nubeva sensor runs, with the administrator's permission, inside the user-space application process and in its memory space. Whatever segmentation the OS or the hardware enforces, Nubeva acts from the perspective of that user-space process and reads the memory segment holding the keys with the same access the process itself has.
For almost twenty years, 'hooking' has been licensed by hundreds of ISVs and used by nearly every product team at Microsoft; it is a generally accepted method.
Microsoft Windows is moving towards tracing, having joined Open DTrace. Windows already had kernel tracing mechanisms such as ETW, but it is now choosing to invest further in more advanced tracing methods such as DTrace. Once tracing mechanisms are widely available in all Windows distributions, Nubeva looks forward to using tracing instead of hooking.
Nubeva already uses tracing inside the Linux operating system to access process memory. Just as with hooking on Windows, Nubeva reads the memory exactly as the process does. The biggest difference with tracing is that the tracing program runs in the operating system itself and is first validated by the kernel as safe, unobtrusive, and not overly complex before it is allowed to run. This method is safer and more performant than hooking, which is why Nubeva expects all operating systems to evolve toward similar facilities.
Nubeva has been classified as EAR99. Software classified as EAR99 does not require any additional licenses for export. Nubeva Sensors do not participate in encryption processes in any way, so there are no additional requirements or considerations for export.
Interaction with AV/Malware/EDR Products
Nubeva sensors do not trigger an alert from products such as Windows Defender and other AV/Malware/EDR products in their default configuration. However, if those products are changed from their defaults and have all alerts turned on, some will detect Nubeva's hooking. They all have a straightforward method to add the Nubeva process to the allowed-processes list. When adding that exclusion, scope it to the specific Nubeva executable rather than a whole directory, so the allow-list does not also silence alerts for anything else placed alongside it. This requirement goes hand in glove with the principle that Nubeva is a solution that must be explicitly granted permission to operate by administrators.
Trusted Platform Modules (TPMs) protect long-term secrets such as the private keys behind certificates, platform and user authentication secrets, and sealed data such as passwords. Microsoft Pluton builds on the TPM by placing that security processor on the CPU die, so the traffic between the TPM and the CPU cannot be intercepted on an external bus. Neither TPM nor Pluton affects Nubeva. Nubeva looks for the ephemeral session keys in the memory of the user-space process. The Nubeva process does not depend on any asymmetric keys or on the TPM architecture. By acting exactly as the user process does (tracing on Linux, hooking on Windows), Nubeva reads the key from memory in the same way the user process does. The user process necessarily has access to the symmetric key, because TLS is an application-layer encryption protocol implemented in the process's own code (its TLS library), not a network-layer protocol like IPsec. A TPM-held private key is used only to authenticate the handshake; the symmetric session keys are then derived from the handshake's ephemeral key exchange inside the process's memory, and the TPM never holds them.
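The point above, that the session keys exist only in the application's memory, can be made concrete by running the TLS 1.3 key schedule (RFC 8446, section 7.1) in plain Python. The following is an added example written for this page, not Nubeva's code: it derives the handshake and application traffic secrets from the handshake's shared secret with nothing but the standard library's HMAC, then expands a traffic secret into the per-record AEAD key and IV (AES-128-GCM sizes are assumed) and renders the secrets in the NSS key log format that decryption tooling such as Wireshark reads. The shared secret, transcript bytes and client random are constructed placeholders, not captured traffic.

```python
"""
Added example (not Nubeva's code): a stdlib-only walk through the TLS 1.3
key schedule. Every value below is computed by application code from the
ephemeral key exchange; a TPM-held long-term private key only signs the
handshake and never sees these symmetric secrets. All inputs are constructed.
"""
import hashlib
import hmac

HASH = hashlib.sha256          # hash of the TLS_AES_128_GCM_SHA256 suite
HLEN = HASH().digest_size      # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand, truncated to `length` bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """The HkdfLabel structure of RFC 8446 section 7.1 (label prefixed with 'tls13 ')."""
    full = b"tls13 " + label
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret: the context is the hash of the handshake transcript so far."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def key_schedule(shared_secret: bytes, hs_transcript: bytes, full_transcript: bytes) -> dict:
    """Run the TLS 1.3 key schedule without a PSK and return the named secrets."""
    early = hkdf_extract(b"\x00" * HLEN, b"\x00" * HLEN)            # no PSK: IKM is zeros
    handshake = hkdf_extract(derive_secret(early, b"derived", b""), shared_secret)
    master = hkdf_extract(derive_secret(handshake, b"derived", b""), b"\x00" * HLEN)
    return {
        "early_secret": early,
        "CLIENT_HANDSHAKE_TRAFFIC_SECRET": derive_secret(handshake, b"c hs traffic", hs_transcript),
        "SERVER_HANDSHAKE_TRAFFIC_SECRET": derive_secret(handshake, b"s hs traffic", hs_transcript),
        "CLIENT_TRAFFIC_SECRET_0": derive_secret(master, b"c ap traffic", full_transcript),
        "SERVER_TRAFFIC_SECRET_0": derive_secret(master, b"s ap traffic", full_transcript),
    }


def traffic_keys(secret: bytes, key_len: int = 16, iv_len: int = 12) -> tuple:
    """Per-record AEAD key and IV (AES-128-GCM sizes assumed) from a traffic secret."""
    return (hkdf_expand_label(secret, b"key", b"", key_len),
            hkdf_expand_label(secret, b"iv", b"", iv_len))


def keylog_lines(client_random: bytes, secrets: dict) -> list:
    """Render the secrets as NSS key log lines: LABEL <client_random hex> <secret hex>."""
    labels = ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
              "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0")
    return [f"{lab} {client_random.hex()} {secrets[lab].hex()}" for lab in labels]


# Constructed stand-ins for a real handshake (not captured traffic).
CLIENT_RANDOM = bytes(range(32))
SHARED_SECRET = hashlib.sha256(b"constructed ECDHE output").digest()
HS_TRANSCRIPT = b"ClientHello..ServerHello (constructed)"
FULL_TRANSCRIPT = HS_TRANSCRIPT + b"..server Finished (constructed)"

if __name__ == "__main__":
    secrets = key_schedule(SHARED_SECRET, HS_TRANSCRIPT, FULL_TRANSCRIPT)
    for line in keylog_lines(CLIENT_RANDOM, secrets):
        print(line)
    key, iv = traffic_keys(secrets["CLIENT_TRAFFIC_SECRET_0"])
    print("client application key:", key.hex(), "iv:", iv.hex())
```

The early secret in the no-PSK case is a constant (HMAC-SHA256 of 32 zero bytes under a 32-zero-byte key, the value RFC 8448 lists), which is why everything confidential starts at the handshake secret: that is the first value mixed with the ephemeral shared secret, and it is computed and held by the TLS library in the process, which is the memory an in-process sensor reads.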
Protocol Updates, Changes & Additions
Nubeva operations run a complete set of automated tests that detect new versions of software, protocols, and applications. When a new version is detected, Nubeva automatically generates new signatures and tests them for viability. If key extraction succeeds, the new signatures are automatically pushed to the master repository and to all partners. If key extraction fails, the Nubeva R&D team creates the new signatures manually and extends the testing process. Automated signature creation takes 60-90 minutes; when manual intervention is required, a new signature takes another 2-4 hours on average.
For applications and libraries whose source code is available to us, for instance open-source projects, it generally takes a day or two to apply our intellectual property to extract the keys. Nubeva also tests preview versions of software to ensure we can support them at launch.