
Service description V1.0 (20240309)

Emproof Nyx Service Description

Version 1.0

Date: 09. March 2026

  1. Emproof Nyx Microcontroller & Systems

Emproof Nyx is a binary analysis and transformation framework designed to analyze and transform software binaries (executables, libraries). It provides a general-purpose, modular, and performant binary transformation engine to support use cases such as intellectual property protection, software hardening, and key protection.

Nyx is capable of applying transformations to input binaries to produce protected output binaries that behave identically from a functional perspective but are enhanced with protections against reverse engineering and exploitation.

Nyx-Internal Tool Flow

To integrate IP protection and exploit mitigation measures into customer binaries, Emproof Nyx operates according to the following workflow. Note that this high-level description is intended to exemplify the tool flow:

  1. The customer provides Nyx with an input binary file requiring protection and a so-called configuration profile file. The configuration file specifies required transformations with protection features and additional information processing (e.g., code parts that require protection, code parts that should not be altered, …).

  2. Then, Nyx automatically analyses the binary file to detect code and data areas, identifies function boundaries and instruction types, such as control-flow instructions, arithmetic operations, memory loads/stores etc. 

  3. Then, Nyx parses the user-provided configuration to schedule user-selected transformations with protection features. If the conditions are satisfied, the transformations are applied and validated to ensure their correctness. Depending on the user-selected transformations, code parts are lifted to an intermediate representation, transformed at the intermediate level, and then lowered back into assembly language and integrated into the binary. Alternatively, certain user-selected transformations are applied directly at the binary level without the intermediate translation step.

  4. Finally, the transformed binary is written to the file system.

The tool consolidates many defensive techniques to realize IP protection and exploit mitigations in order to be flexible with regard to customer and safety requirements. To that end, the tool allows the user to enable or disable certain techniques for (parts of) the protected program and to tweak exposed configuration parameters for individual techniques.

 

Emproof Nyx Microcontroller

Emproof Nyx Microcontroller is a specialized variant of the Emproof Nyx platform designed for deeply embedded, resource-constrained systems. It targets microcontroller-based devices running either bare-metal firmware or a real-time operating system (RTOS).

Emproof Nyx Microcontroller is intended for use cases where intellectual property protection, resistance against reverse engineering, device binding (licensing) and robustness against exploitation are required in safety-critical or security-sensitive embedded environments.

Supported Platforms & Technology Stacks

  • Supported Instruction Set Architectures (“ISAs” or “ISA”): Emproof Nyx Microcontroller supports a range of microcontroller-class instruction set architectures, such as:

  • ARM Cortex-M

  • ARM Cortex-R

  • Infineon TriCore

  • Renesas RH850

  • RISC-V

Exact ISA versions are defined in the respective Individual Contract. Which ISA versions are technically supported by Emproof Nyx Microcontroller remains at Emproof’s discretion.

  • Adding of New ISAs: Implementation of ISAs that are currently not technically supported can be requested by the customer. Depending on technical feasibility and product roadmap considerations, the addition of a new ISA may require a one-time engineering effort. Emproof shall only be obliged to technically implement a new ISA on the basis of a separate agreement (e.g. Individual Contract). However, the decision whether a new ISA can and will be technically implemented and integrated lies solely with Emproof. The scope, timeline, and commercial conditions for the implementation and technical support of new ISAs shall be defined in the separate agreement between Emproof and the customer.

  • Supported File Formats:

  • ELF binaries (executables, static libraries, and dynamic libraries where applicable)

  • PE binaries (where applicable for embedded toolchains)

Editions

 
 

Feature

Essentials

Professional

Enterprise

IP Protection

 

 

 

Control-flow Protection 

✓ 

✓ 

✓ 

Nyx Inception 

✓* 

✓* 

└─ Anti-Debug 

 

✓* 

✓* 

└─ Anti-Emulation 

 

✓* 

✓* 

└─ Anti-Tamper 

Secret Hiding (cryptographic keys and sensitive data) 

✓ 

✓ 

✓ 

Advanced Device Binding (HSM, TPM, PUF, PKI)** 

 

 

✓ 

Bootloader & Memory Map Control

Debug Artifact Removal

Fine-grained Memory and Performance Overhead Control

 

 

 

 

Exploit Mitigations

 

 

 

Stack Canaries 

✓ 

✓ 

✓ 

Control-Flow Integrity (CFI) 

✓ 

✓ 

✓ 

 

 

 

 

Safety Features

 

 

 

ISO26262 ASIL-D

 

 

✓ 

Generation of Audit Artifacts

 

 

Reproducible Builds

Delta Testing Support

Transformation Scoping

Customizable Actions on Attack Detection

Authorized Debugging

 

 

Legend

✓ Included 

* Device-specific implementation may be required by Emproof engineering subject to separate remuneration

** Device binding requires device-specific integration and configuration and is not available for all devices

Emproof Nyx Systems

Emproof Nyx Systems is a variant of the Emproof Nyx platform designed for advanced embedded systems and desktop-class software environments. It targets systems such as embedded Linux platforms (e.g., Raspberry Pi, NVIDIA Jetson) and general-purpose desktop operating systems including Linux and Windows.

Compared to microcontroller-focused deployments, Nyx Systems is optimized for environments with more computing and memory resources, and can leverage operating-system–level facilities while remaining independent of specific OS services.

Supported Platforms

  • Supported Instruction Set Architectures (ISAs): Emproof Nyx Systems supports common application-class ISAs, including:

  • AArch64

  • x86_64 / amd64

  • Operating Systems: Including but not limited to:

  • Embedded and desktop Linux distributions

  • Microsoft Windows

  • Supported File Formats:

  • ELF binaries (executables, shared libraries, static libraries)

  • PE binaries (executables, dynamic-link libraries)

  • New ISAs and Platforms: Technical support of further ISAs or operating system environments may be requested by the customer. Emproof shall only be obliged to technically implement and support additional ISAs or operating system environments on the basis of a separate agreement (e.g. Individual Contract). The decision whether an additional ISA or operating system environment can and will be supported lies solely with Emproof and depends, for example, on technical feasibility and roadmap considerations. The availability, scope, and commercial conditions for the implementation and technical support of additional ISAs or operating system environments shall be defined in the separate agreement between Emproof and the customer.

Editions

 
 

Feature

Essentials

Professional

Enterprise

IP Protection

 

 

 

Control-Flow Protection 

✓ 

✓ 

✓ 

Nyx Inception 

✓* 

✓* 

└─ Anti-Debug 

 

✓* 

✓* 

└─ Anti-Emulation

 

✓* 

✓* 

└─ Anti-Tamper 

✓ 

Binary File Protection

✓ 

✓ 

✓ 

└─ Binary Compression***

└─ Anti-Memory-Dumping

 

└─ Import Protection***

 

Virtual-Machine Obfuscation

 

✓ 

✓ 

Key and data protection

 

Mixed Boolean Arithmetic (MBAs) 

✓ 

✓ 

Advanced Device Binding (TPM, PKI)** 

 

 

✓ 

Debug Artifact Removal

Fine-grained Memory and Performance Overhead Control

AI Model Protection

 

 

 

 

 

Safety Features

 

 

 

Reproducible Builds

Transformation Scoping

Customizable Actions on Attack Detection

Authorized Debugging

 

 

Legend

✓ Included 

* Device-specific implementation may be required by Emproof engineering subject to separate remuneration

** Device binding requires device-specific integration and configuration and is not available for all systems

*** Currently only supported on Microsoft Windows

Optionally, different exploit mitigations (i.e., stack canaries and control-flow integrity) can be deployed on systems where the compilers and/or the operating system do not support them.

Feature Definitions

IP Protection

To protect the IP of customers and prevent reverse engineering, code modifications, code analysis etc., the tool rewrites the provided binary and applies techniques such as code obfuscation, packing, anti-debugging, anti-emulation and anti-tamper. While obfuscation is a passive technique which makes the code harder to locate and analyze, packing, anti-debugging and anti-tamper are active defenses / runtime protections which add guards to the code while it is running and verify specific characteristics.

  • Control-Flow Protection: Code transformation that restructures program execution to replace direct, structured control transfers with an indirect, dispatcher-driven execution mechanism, obscuring the original program flow while preserving program functional behavior and allowing for fine-grained memory and overhead control.

  • Nyx Inception: Code transformation that ensures a trusted execution environment at program start and run-time checkpoints. It is equipped with user-selected measures against dynamic reverse engineering analyses such as anti-debugging, anti-emulation, anti-tamper and device binding. 

  • Secret Hiding: Code transformation that encodes static user-defined data so it is no longer present in clear form within the binary and is instead reconstructed at runtime through a heavily protected decoding mechanism guarded by user-defined anti-tamper, anti-emulation, and anti-debug checks, while preserving program functional behavior.

  • Packer: Code transformation that compresses executable user-defined code and data and replaces them with a compact loader stub that unpacks program chunks and securely dispatches between them at runtime, thereby reducing static visibility while preserving program functional behavior.

  • Virtual-Machine Obfuscation: Code transformation that generates a random and unique virtual machine architecture, translates selected portions of native code into a hardened, custom bytecode that gets executed by the embedded virtual machine at runtime, replacing direct execution with interpretation and thereby obscuring program logic, control flow, and semantics while preserving functional behavior.

  • Device Binding: Code transformation feature used with Packer, Inception or Secret Hiding to bind software execution to specific hardware by deriving runtime authorization from unique hardware-dependent features. This ensures the protected code operates only on approved devices while preserving functionality, subject to the availability and suitability of such hardware features as agreed with the customer, including but not limited to Trusted Platform Modules or hardware unique features.

  • Bootloader & Memory Map Control: To support custom bootloaders and microcontroller-specific memory maps, Emproof Nyx provides fine-grained configuration controls that allow users to direct and constrain transformations within defined system boundaries. This enables adaptation of the protection process to specific memory layouts, reserved regions, and platform constraints without altering the intended system behavior.

  • Mixed Boolean Arithmetic (MBAs): Code transformation to disguise Packer, Inception, and Secret Hiding logic by translating it into mathematically equivalent combinations of bitwise and arithmetic operators, resisting automated simplification and semantic analyses without changing functional behavior.

  • Anti-Memory Dumping: Code transformation that hinders extraction of a clean and complete runnable copy of a protected binary from memory, including replacement of control-flow information to obscure the original program flow while preserving program functional behavior.

  • Import Protection: Code transformation to hide functionality or relationship to imported libraries and functions, thereby hindering reconstruction of the original functionality. 
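The Mixed Boolean Arithmetic item above can be illustrated with a small expression rewriter; this is an added example, not Emproof's code, and its seeded random choices also show the kind of repeatable randomness described under Reproducible Builds. The tuple encoding, the six identities and all function names are assumptions of the sketch, and equivalence is checked by randomized testing on 32-bit values, not proven.

```python
import random

MASK = 0xFFFFFFFF  # assumption: 32-bit wrap-around machine arithmetic


def ev(e, env):
    """Evaluate an expression tree with 32-bit wrap-around semantics."""
    tag = e[0]
    if tag == "var":
        return env[e[1]] & MASK
    if tag == "const":
        return e[1] & MASK
    if tag == "not":
        return ~ev(e[1], env) & MASK
    a, b = ev(e[1], env), ev(e[2], env)
    return {"+": a + b, "-": a - b, "*": a * b,
            "&": a & b, "|": a | b, "^": a ^ b}[tag] & MASK


def twice(e):
    return ("*", ("const", 2), e)


# MBA identities; each holds for all x, y modulo 2**32.
RULES = {
    "+": [lambda x, y: ("+", ("^", x, y), twice(("&", x, y))),
          lambda x, y: ("+", ("|", x, y), ("&", x, y))],
    "-": [lambda x, y: ("-", ("^", x, y), twice(("&", ("not", x), y)))],
    "^": [lambda x, y: ("-", ("|", x, y), ("&", x, y))],
    "|": [lambda x, y: ("-", ("+", x, y), ("&", x, y))],
    "&": [lambda x, y: ("-", ("+", x, y), ("|", x, y))],
}


def rewrite_once(e, rng):
    """Rewrite every +, -, ^, |, & node once, bottom-up."""
    if e[0] in ("var", "const"):
        return e
    if e[0] == "not":
        return ("not", rewrite_once(e[1], rng))
    x, y = rewrite_once(e[1], rng), rewrite_once(e[2], rng)
    rules = RULES.get(e[0])
    return rng.choice(rules)(x, y) if rules else (e[0], x, y)


def obfuscate(e, seed, rounds=2):
    """Apply `rounds` rewriting passes; the seed fixes every rule choice."""
    rng = random.Random(seed)
    for _ in range(rounds):
        e = rewrite_once(e, rng)
    return e


def size(e):
    """Number of nodes in the expression tree."""
    return 1 if e[0] in ("var", "const") else 1 + sum(size(c) for c in e[1:])


def show(e):
    if e[0] in ("var", "const"):
        return str(e[1])
    if e[0] == "not":
        return "~" + show(e[1])
    return "({} {} {})".format(show(e[1]), e[0], show(e[2]))


def equivalent(a, b, names, trials=1000, seed=0):
    """Randomized check (corner values first); evidence, not a proof."""
    rng = random.Random(seed)
    corners = [0, 1, MASK, 0x80000000, 0x7FFFFFFF]
    for i in range(trials):
        env = {n: rng.choice(corners) if i < 50 else rng.getrandbits(32)
               for n in names}
        if ev(a, env) != ev(b, env):
            return False
    return True


# Constructed sample: (x + 0x5A5A5A5A) ^ y
EXPR = ("^", ("+", ("var", "x"), ("const", 0x5A5A5A5A)), ("var", "y"))

if __name__ == "__main__":
    obf = obfuscate(EXPR, seed=2024)
    print(show(EXPR), "has", size(EXPR), "nodes")
    print("obfuscated form has", size(obf), "nodes")
    print("equivalent on samples:", equivalent(EXPR, obf, ["x", "y"]))
```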

Exploit Mitigation

The goal of exploit mitigations is to detect and prevent the exploitation of memory corruption vulnerabilities such as buffer overflows or use-after-free bugs. In general, the idea is to add active guards which check for specific characteristics; if these characteristics do not hold, the program jumps into a failure state. Prevention of exploitation is provided by mechanisms such as stack canaries and control-flow integrity.

  • Stack Canaries: Code transformation that introduces runtime stack integrity checks by inserting guard values (stack canaries) around sensitive stack regions and validating them before control is returned, enabling detection of stack-based memory corruption while preserving normal program execution.

  • Control Flow Integrity (CFI): Code transformation that enforces control-flow integrity by instrumenting the program to validate indirect control transfers at runtime against a predefined set of legitimate targets, preventing unauthorized deviations in execution flow while preserving intended behavior.

Legacy Support

Binaries protected by Emproof Nyx may be deployed on systems that are already in the field, provided that a suitable software update mechanism is available on such systems. Deployment and operation do not require any additional hardware components, modifications, or replacements, allowing integration to be performed entirely through software updates without disrupting existing system configurations or installed equipment.

Safety Features

  • ISO 26262 - ASIL D:

Nyx is engineered for use in ISO 26262 environments up to ASIL D, following an ASIL-D capable engineering process that has been independently assessed by TÜV Nord (functional safety capability audit). For customers who need functional-safety deliverables, Emproof offers an optional Nyx Safety Bundle (add-on license) that provides the safety manual and integration guidance, safety case materials, and traceable verification evidence (including test records and CI/CD reports) to support incorporating Nyx into the customer’s safety plan.

A post-link binary rewriter is safety-critical by nature: it must preserve observable behavior, keep changes controlled across architectures and configurations, and avoid introducing uncontrolled modes or unexpected timing deviations. Nyx is therefore scope-controlled and designed to fail safely—if required preconditions or validation checks are not met, Nyx aborts with a clear diagnostic and produces no output binary.

Assurance is built on layered verification: transformations follow an analyze–translate–validate approach with formal techniques where applicable (e.g., equivalence checks / translation validation), and are continuously backed by automated CI/CD (unit + interface tests, property-based testing, fuzzing, regression) plus execution-based testing on representative hardware setups. Nyx is built for determinism and reproducibility (pinned toolchain via Docker, deterministic data structures, fixed seeds), so identical inputs and configuration yield stable outputs and repeatable test results for audits and regression analysis.

  • Generation of Audit Artifacts: Emproof Nyx supports the generation of functional safety audit artifacts, including detailed transformation logs and binary-accurate change records. These artifacts document applied protections at a granular level and provide traceable evidence of code modifications, enabling verification, impact analysis, and compliance activities within safety-critical development and certification processes.

  • Reproducible Builds: Emproof Nyx supports reproducible builds by ensuring deterministic transformation behavior across protection runs, enabling the generation of identical binaries for the same inputs which is necessary for validation and (safety) certification. To achieve this, all randomized transformations use deterministic pseudo-random number generation derived from a user-provided seed, ensuring that build outputs remain fully controlled and repeatable.

  • Delta Testing Support: Emproof Nyx supports delta testing to enable reliable binary patch diffing by preserving transformation stability across related builds. When changes are introduced in a specific code region, the transformation process maintains identical protection results (for the same seed) for all unaffected functions while applying modifications only to the altered components. More generally, this ensures that incremental feature additions or logic updates produce minimal and localized binary differences, which facilitates controlled validation, simplifies patch analysis, and supports safety-relevant development processes where traceability and change isolation are required.

  • Transformation Scoping: Emproof Nyx supports transformation scoping through configurable inclusion and exclusion of specific functions, allowing users to precisely control which code regions are subject to a given protection transformation. This enables real-time–critical or otherwise constrained routines to remain unmodified when required by timing, resource, or certification constraints, while transformations are applied selectively to appropriate parts of the binary.

  • Customizable Actions on Attack Detection: Emproof Nyx allows the definition of configurable response actions upon detection of an attack or integrity violation, enabling behavior to be aligned with customer-specific safety and security requirements. Configurable responses may include transitioning into a defined safe state, entering a controlled endless loop, or setting a security status flag for supervisory handling, ensuring that reaction strategies are consistent with system-level safety concepts and operational constraints.

  • Authorized Debugging: Emproof Nyx provides an authorized debugging mode that enables controlled debugging access on protected in-field systems and deployed devices without removing or permanently disabling applied protections. This capability supports maintenance and fault analysis under defined authorization conditions and is particularly relevant in functional safety contexts, where traceable and controlled diagnostic access to operational systems is a regulatory and process requirement.

  2. Emproof Nyx Python

Emproof Nyx Python is a protection framework designed to secure Python applications against reverse engineering, tampering, and unauthorized analysis. It extends the Emproof Nyx platform with specialized protections for Python-based software by combining advanced Python bytecode transformation with interpreter-level hardening.

Unlike source-level obfuscation or encryption-based approaches, Nyx Python operates directly on Python bytecode and the Python interpreter itself. The resulting protected applications preserve identical functional behavior while significantly increasing resistance against disassembly, decompilation, debugging, and runtime code extraction.

Nyx Python supports the protection of intellectual property, proprietary algorithms, and sensitive logic in Python applications deployed on embedded Linux devices and desktop-class systems.

General Workflow

To protect the IP contained in a Python application, the Emproof Python Protection operates according to the following workflow:

Emproof provides a customized Python Interpreter to the customer, alongside a uniquely-generated Mapping File that serves a role similar to a cryptographic key for the Python Protection. Then, the customer provides their Python application (i.e. Python source files) to the tool, alongside the unique Mapping File. The tool transforms the Python source files into a bytecode representation (.pyc file). The protection is then applied to the bytecode representation. Bytecode instructions are non-deterministically changed based upon the Mapping File. Values stored alongside the bytecode, for example, constant data or variable names, are encrypted based upon the Mapping File. This protected bytecode representation is then written to the file system and the original source files are deleted. The obtained protected Python application can no longer run in an unmodified Python Interpreter and its contents are protected from reverse engineering.

Full Lockdown Mode. Optionally, the customer can also provide all other sources used by the Python application (i.e. standard library and dependencies) to the tool. Subsequently, the protected Python application can run with a modified Python Interpreter that does not allow any unprotected code to run at all, to provide additional protection.

General Support

  • Target Devices: Advanced embedded devices with operating systems and desktop-class systems, including platforms such as Raspberry Pi, NVIDIA Jetson, and standard PC, server or workstation environments.

  • Supported Architectures:

  • x86_64

  • AARCH64

  • Operating Systems:

  • Embedded and desktop Linux distributions

  • Microsoft Windows

Nyx Python supports Python version 3.12. Emproof shall only be obliged to technically implement and support other versions of Python on the basis of a separate agreement (e.g. Individual Contract). The decision whether other Python versions can and will be supported lies solely with Emproof and depends, for example, on technical feasibility and roadmap considerations. The availability, scope, and commercial conditions for the implementation and technical support of other Python versions shall be defined in the separate agreement between Emproof and the customer.

Python Protection Model

Nyx Python employs a two-layer protection approach:

Python File Protection

Nyx Python protects Python code objects against disassembly and decompilation by transforming the internal Python instruction stream. Each code object (including functions, lambdas, and modules) receives a unique and dynamically generated opcode mapping. This approach ensures that protected Python files cannot be meaningfully interpreted by standard Python tooling or reverse engineering frameworks.
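The per-code-object opcode mapping described here and in the General Workflow can be sketched as follows; this is an added illustration, not Emproof's implementation. Deriving each permutation from an HMAC over the code object's name with a constructed key standing in for the Mapping File is an assumption, as are all function names; the sketch only transforms bytecode bytes and never builds or runs a scrambled code object.

```python
import dis
import hashlib
import hmac
import random
import types

# Constructed sample application; not taken from the page.
SAMPLE_SOURCE = '''
def check_license(token):
    return sum(token) % 251 == 17

def derive(seed):
    return [(seed * 31 + i) & 0xFF for i in range(4)]
'''


def iter_code_objects(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def opcode_permutation(mapping_key, code):
    """Derive a permutation of the 256 opcode values for one code object."""
    label = "{}:{}".format(code.co_name, code.co_firstlineno).encode()
    digest = hmac.new(mapping_key, label, hashlib.sha256).digest()
    # random.Random only provides a repeatable shuffle here; it is not a
    # cryptographic primitive and stands in for whatever a real tool uses.
    rng = random.Random(int.from_bytes(digest, "big"))
    perm = list(range(256))
    rng.shuffle(perm)
    return perm


def invert(perm):
    """Inverse table, as a matching interpreter would need for decoding."""
    inv = [0] * 256
    for plain, mapped in enumerate(perm):
        inv[mapped] = plain
    return inv


def remap(co_code, table):
    """Translate opcode bytes (even offsets); operand bytes stay unchanged."""
    out = bytearray(co_code)
    out[0::2] = bytes(table[b] for b in co_code[0::2])
    return bytes(out)


def mnemonics(co_code):
    """Decode opcode bytes with the standard CPython opcode table."""
    return [dis.opname[b] for b in co_code[0::2]]


def protect(source, mapping_key):
    """Return {code object name: (remapped bytecode, permutation)}."""
    module = compile(source, "<constructed sample>", "exec")
    protected = {}
    for co in iter_code_objects(module):
        perm = opcode_permutation(mapping_key, co)
        protected[co.co_name] = (remap(co.co_code, perm), perm)
    return protected


if __name__ == "__main__":
    key = b"constructed-mapping-key"  # stands in for the Mapping File
    for name, (blob, perm) in protect(SAMPLE_SOURCE, key).items():
        restored = remap(blob, invert(perm))
        print(name)
        print("  standard table sees:", mnemonics(blob)[:4])
        print("  with inverse mapping:", mnemonics(restored)[:4])
```

Decoding the remapped bytes with the stock opcode table yields unrelated mnemonics, and a table recovered for one function does not decode another, because each code object has its own permutation.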

Interpreter Protection

Due to the dynamic opcode transformation, execution requires a protected Python interpreter. Additionally, Emproof Nyx Python integrates Emproof Nyx Systems protections directly into the Python interpreter, providing additional defense mechanisms against:

  • Debugging and tracing attempts

  • Runtime tampering

  • Memory inspection and code extraction

  • Unauthorized modification of execution flow

Python Editions

 
 

Feature

Essential

Professional

Enterprise

Dynamic Opcode Mapping 

✓ 

✓ 

✓ 

Interpreter Protection 

└─ Anti-Debug 

 

✓*

✓*

└─ Anti-Emulation

 

✓*

✓*

└─ Anti-Tamper 

Function & Variable Name Encryption 

 

✓ 

✓ 

Constant and Data Encryption 

 

✓ 

✓ 

Full Lockdown Mode

 

Bundling Support

AI Model Protection 

 

 

✓  (On Roadmap)

 

*Device-specific implementation may be required by Emproof engineering subject to separate remuneration

  3. Deployment

Emproof Nyx is currently available as an on-premises deployment delivered as a Docker container to enable straightforward integration. In the future, Emproof may introduce additional deployment models to accommodate varying security, compliance, and integration requirements.

On-Premise Deployment

In the on-premise deployment model, Emproof Nyx is provided as a containerized solution and deployed within the customer’s own infrastructure.

The software is delivered as a Docker container and can be executed as a command-line interface (CLI) tool or accessed via a REST API endpoint, enabling seamless integration into existing build systems and CI/CD pipelines. All analysis and transformation steps are performed entirely within the customer-controlled environment.

This deployment model is particularly suited for organizations with strict requirements regarding data sovereignty, intellectual property protection, or regulatory compliance, as no binaries, source files, or proprietary artifacts leave the customer infrastructure.

Typical characteristics include:

  • Deployment as a Docker container in customer-managed environments 

  • Local execution via CLI or access via REST API

  • Integration into existing CI/CD workflows (e.g., Jenkins, GitLab CI, GitHub Actions, Azure DevOps) 

  • Full control over input artifacts, outputs, and logs 

  • Offline or isolated operation possible, depending on license configuration 

The specific scope, supported environments, and operational constraints are defined in the applicable license agreement.

  4. Product Support

Business Hours of Emproof

Emproof provides all services (e.g. support services, setup etc.) during its normal business hours. Emproof’s standard business hours are Monday to Friday, from 9:00 a.m. to 5:00 p.m. CET/CEST, excluding public holidays in Germany as well as December 24 and December 31.

Setup & On-Boarding

The Setup & Onboarding package with up to 2 person days of work by Emproof is a service that is included in the base fee with every Emproof Nyx product license.

As part of this service, Emproof provides:

  • Initial configuration: Setup of a baseline protection profile for Emproof Nyx, including the configuration of device- and system-specific parameters required for correct operation.

  • Protection integration guidance: Technical guidance on how Emproof Nyx protections are to be integrated, enabled, and configured within the customer’s target software environment.

  • Validation support: Assistance in verifying that the configured protections operate as intended within the customer’s build and deployment workflow.

Service Level Agreement

The following conditions apply to the support services provided for Emproof Nyx as part of the subscription:

Incident Reporting: Incidents can be reported daily from 00:00 to 24:00 via the Emproof Support Portal.

Response Time: “Response Time” refers to the period between the receipt of a support ticket by Emproof and the start of incident processing. Processing will begin within the timeframes specified for the applicable severity level. Severity classification is determined by Emproof. Incidents are processed during business hours of Emproof only (see above Section “Business Hours of Emproof”). If a ticket is received outside business hours of Emproof, the Response Time measurement begins at the start of the next period of business hours. The defined Response Times represent target initiation times for incident handling and do not constitute resolution times.

Incident Response: Emproof will handle incidents, as detailed in the Table below. Support is provided exclusively via remote assistance (email, video call, and remote access if required). Emproof will provide security patches, bug fixes, updates, and/or defect corrections as part of the support services at its discretion, but solely for the latest released version of the LTS Nyx edition. Upon publication of a new version, all prior versions reach End-of-Support status. For versions reaching End-of-Support status, no technical support, security updates, or defect corrections will be provided. Support is only provided for the duration of an active license. Support does not include end user assistance, such as guidance on use of Emproof Nyx, operational instructions, or general training.

 
 

| Severity Level | Incident | Standard SLA (Response Time) |
| --- | --- | --- |
| Level 1 – Critical | Protected binary causes unexpected behaviour, while the original binary functions correctly (e.g., incorrect transformations causing runtime failures). | Within 8 hours |
| Level 2 – Medium | The customer’s build pipeline is blocked; Emproof Nyx prevents deployment of the protected software (e.g., protection or tooling failure, Nyx framework or infrastructure issues). | Within 24 hours |
| Level 3 – Low | Isolated issues or general inquiries, including minor documentation inconsistencies or usage-related issues without impact on the security or correct functionality of the protected artifact. | Within 48 hours |

 

In day-to-day operations, it may occur that Emproof performs work believed to fall within the scope of standard support for Emproof Nyx. However, it may later become evident that the work was actually outside the defined support boundaries. For example, Emproof might be asked to debug malfunctioning code under the assumption that the issue originated from Emproof Nyx. If it is later determined that the problem was caused by the customer’s own code or a different supplier of the customer, Emproof would have effectively spent time resolving issues unrelated to Emproof Nyx. If it is determined that an incident reported by the customer is unfounded—for example, because there is no defect or error for which Emproof is responsible, the customer or authorized users have misused Emproof Nyx, the customer or its users have failed to provide necessary cooperation, or the incident is not reproducible—Emproof reserves the right to invoice reasonable remuneration for the time and effort incurred in investigating or resolving such incident as out-of-scope work at the applicable rates at the time of performing the respective out-of-scope work.

  5. Product Improvement & Roadmap (Updates)

Emproof Nyx is continuously developed and maintained in order to improve stability, security, performance, and functionality. Updates may include bug fixes, security improvements, optimizations, and functional extensions, depending on the deployment model and licensed product variant. 

Link to Roadmap: https://www.emproof.com/nyx/roadmap

Updates for Emproof Nyx On-Premise

For the on-premise deployment model, updates for Emproof Nyx are provided in the form of updated container images or software packages, including a license file. Updates are released on a regular basis (2 versions per year, one in H1 and one in H2) and may include security updates, bug fixes, and stability improvements. In specific cases such as updates for critical security vulnerabilities in Emproof Nyx or third-party libraries, security patches are released for the latest version. Customers are entitled to receive updates only for the duration of an active license.

The installation and deployment of updates within the customer’s infrastructure are the responsibility of the customer, unless otherwise agreed contractually.

In the event of critical issues — for example security-relevant vulnerabilities — Emproof will provide appropriate updates and inform affected customers accordingly, provided a valid license is in place.

The continuous maintenance, operation, and updating of the customer’s infrastructure, including container runtime, operating systems, and CI/CD systems, remain the responsibility of the customer.