Service Level Description
Emproof Nyx — Binary Analysis and Transformation Framework - V1.0.0 25.02.2026
Emproof Nyx Microcontroller & Systems
Emproof Nyx is a binary analysis and transformation framework designed to analyze and transform software binaries (executables, libraries). It provides a general-purpose, modular, and performant binary transformation engine to support use cases such as intellectual property protection, software hardening, and key protection.
Nyx is capable of applying transformations to input binaries to produce protected output binaries that behave identically from a functional perspective but are enhanced with protections against reverse engineering and exploitation.
Nyx-Internal Tool Flow
To integrate IP protection and exploit mitigation measures into customer binaries, Emproof Nyx operates according to the following workflow:
Input
The customer provides Nyx with an input binary file requiring protection and a configuration profile file. The configuration specifies required transformations with protection features and additional information (e.g., code parts that require protection, code parts that should not be altered).
Analysis
Nyx automatically analyses the binary file to detect code and data areas, identifies function boundaries and instruction types, such as control-flow instructions, arithmetic operations, memory loads/stores etc.
Transformation
Nyx parses the user-provided configuration to schedule user-selected transformations with protection features. If conditions are satisfied, transformations are applied and validated to ensure correctness. Code parts are lifted to an intermediate representation, transformed, and lowered back into assembly language. Alternatively, certain transformations are applied directly on the binary level.
Output
The transformed binary is written to the file system. The tool consolidates many defensive techniques to realize IP protection and exploit mitigations, allowing users to enable or disable techniques for parts of the protected program and tweak configuration parameters.
Nyx Microcontroller
Emproof Nyx Microcontroller is a specialized variant designed for deeply embedded, resource-constrained systems. It targets microcontroller-based devices running either bare-metal firmware or a real-time operating system (RTOS).
Intended for use cases where intellectual property protection, resistance against reverse engineering, device binding (licensing) and robustness against exploitation are required in safety-critical or security-sensitive embedded environments.
Supported Instruction Set Architectures
ARM Cortex-M
ARM Cortex-R
Infineon TriCore
Renesas RH850
RISC-V
Supported File Formats
- ELF binaries (executables, static libraries, and dynamic libraries where applicable)
- PE binaries (where applicable for embedded toolchains)
Nyx Microcontroller — Editions
Three editions are available, each building on the previous tier with additional capabilities.
| Feature | Essentials | Professional | Enterprise |
|---|---|---|---|
| IP Protection | |||
| Control-flow Protection | ✓ | ✓ | ✓ |
| Nyx Inception | ✓ | ✓ | |
| Anti-Debug | ✓* | ✓* | |
| Anti-Emulation | ✓* | ✓* | |
| Anti-Tamper | ✓ | ✓ | |
| Secret Hiding (cryptographic keys and sensitive data) | ✓ | ✓ | ✓ |
| Advanced Device Binding (HSM, TPM, PUF, PKI)** | ✓ | ||
| Bootloader & Memory Map Control | ✓ | ✓ | ✓ |
| Debug Artifact Removal | ✓ | ✓ | ✓ |
| Fine-grained Memory and Performance Overhead Control | ✓ | ✓ | ✓ |
| Exploit Mitigations | |||
| Stack Canaries | ✓ | ✓ | ✓ |
| Control-Flow Integrity (CFI) | ✓ | ✓ | ✓ |
| Safety Features | |||
| ISO 26262 ASIL-D | ✓ | ||
| Generation of Audit Artifacts | ✓ | ||
| Reproducible Builds | ✓ | ✓ | ✓ |
| Delta Testing Support | ✓ | ✓ | ✓ |
| Transformation Scoping | ✓ | ✓ | ✓ |
| Customizable Actions on Attack Detection | ✓ | ✓ | ✓ |
| Authorized Debugging | ✓ | ✓ | |
* Device-specific implementation may be required by Emproof engineering
** Device binding requires device-specific integration and configuration and is not available for all devices
Nyx Systems
Emproof Nyx Systems is a variant designed for advanced embedded systems and desktop-class software environments. It targets systems such as embedded Linux platforms (e.g., Raspberry Pi, NVIDIA Jetson) and general-purpose desktop operating systems including Linux and Windows.
Compared to microcontroller-focused deployments, Nyx Systems is optimized for environments with more computing and memory resources, and can leverage operating-system-level facilities while remaining independent of specific OS services.
Supported Instruction Set Architectures
AArch64
x86_64 / amd64
Operating Systems
- Embedded and desktop Linux distributions
- Microsoft Windows
Supported File Formats
- ELF binaries (executables, shared libraries, static libraries)
- PE binaries (executables, dynamic-link libraries)
Nyx Systems — Editions
Nyx Systems editions with features tailored to application-class platforms.
| Feature | Essentials | Professional | Enterprise |
|---|---|---|---|
| IP Protection | |||
| Control-Flow Protection | ✓ | ✓ | ✓ |
| Nyx Inception | ✓ | ✓ | |
| Anti-Debug | ✓* | ✓* | |
| Anti-Emulation | ✓* | ✓* | |
| Anti-Tamper | ✓ | ✓ | |
| Binary File Protection | ✓ | ✓ | ✓ |
| Binary Compression*** | ✓ | ✓ | ✓ |
| Anti-Memory Dumping*** | ✓ | ✓ | |
| Import Protection | ✓ | ✓ | |
| Virtual-Machine Obfuscation | ✓ | ✓ | |
| Key and Data Protection | ✓ | ✓ | |
| Mixed Boolean Arithmetic (MBAs) | ✓ | ✓ | |
| Advanced Device Binding (TPM, PKI)** | ✓ | ||
| Debug Artifact Removal | ✓ | ✓ | ✓ |
| Fine-grained Memory and Performance Overhead Control | ✓ | ✓ | ✓ |
| AI Model Protection | ✓ | ✓ | |
| Safety Features | |||
| Reproducible Builds | ✓ | ✓ | ✓ |
| Transformation Scoping | ✓ | ✓ | ✓ |
| Customizable Actions on Attack Detection | ✓ | ✓ | ✓ |
| Authorized Debugging | ✓ | ✓ | |
* Device-specific implementation may be required by Emproof engineering
** Device binding requires device-specific integration and configuration and is not available for all systems
*** Currently only supported on Microsoft Windows
Optionally, different exploit mitigations (i.e., stack canaries and control flow integrity) can be deployed on systems where compilers and/or operating systems do not support them.
Feature Definitions — IP Protection
Control-Flow Protection
Code transformation that restructures program execution to replace direct, structured control transfers with an indirect, dispatcher-driven execution mechanism, obscuring the original program flow while preserving functional behavior and allowing for fine-grained memory and overhead control.
Nyx Inception
Code transformation that ensures a trusted execution environment at program start and run-time checkpoints. Equipped with user-selected measures against dynamic reverse engineering analyses such as anti-debugging, anti-emulation, anti-tamper and device binding.
Secret Hiding
Code transformation that encodes static user-defined data so it is no longer present in clear form within the binary. Data is reconstructed at runtime through a heavily protected decoding mechanism guarded by anti-tamper, anti-emulation, and anti-debug checks.
Packer
Code transformation that compresses executable code and data, replacing them with a compact loader stub that unpacks program chunks and securely dispatches between them at runtime, reducing static visibility while preserving functional behavior.
Virtual-Machine Obfuscation
Generates a random and unique virtual machine architecture, translates selected portions of native code into hardened custom bytecode executed by an embedded VM at runtime, replacing direct execution with interpretation to obscure program logic and semantics.
Device Binding
Binds software execution to specific hardware by deriving runtime authorization from unique hardware-dependent features (TPM, HSM, PUF, PKI). Ensures the protected code operates only on approved devices while preserving functionality.
Bootloader & Memory Map Control
Fine-grained configuration controls for custom bootloaders and microcontroller-specific memory maps. Allows users to direct and constrain transformations within defined system boundaries without altering intended system behavior.
Mixed Boolean Arithmetic (MBAs)
Disguises Packer, Inception, and Secret Hiding logic by translating it with mathematically equivalent combinations of bitwise and arithmetic operators, resisting automated simplification and semantic analyses.
Anti-Memory Dumping
Hinders extraction of a clean and complete runnable copy of a protected binary from memory, including replacement of control-flow information to obscure the original program flow.
Import Protection
Hides functionality or relationships to imported libraries and functions, hindering reconstruction of the original functionality and API usage patterns.
Feature Definitions — Exploit Mitigation & Safety
Stack Canaries
Introduces runtime stack integrity checks by inserting guard values around sensitive stack regions and validating them before control is returned, enabling detection of stack-based memory corruption.
Control Flow Integrity (CFI)
Enforces control-flow integrity by instrumenting the program to validate indirect control transfers at runtime against a predefined set of legitimate targets, preventing unauthorized deviations in execution flow.
Legacy Support
Protected binaries may be deployed on systems already in field, provided a suitable software update mechanism is available. Deployment does not require any additional hardware components, modifications, or replacements — integration is performed entirely through software updates.
Safety Features
ISO 26262 — ASIL D
Nyx is engineered for use in ISO 26262 environments up to ASIL D, following an ASIL-D capable engineering process independently assessed by TÜV Nord. Emproof offers an optional Nyx Safety Bundle providing safety manual, integration guidance, safety case materials, and traceable verification evidence.
Generation of Audit Artifacts
Supports generation of functional safety audit artifacts, including detailed transformation logs and binary-accurate change records. Provides traceable evidence of code modifications for verification, impact analysis, and compliance.
Reproducible Builds
Ensures deterministic transformation behavior across protection runs. All randomized transformations use deterministic PRNG derived from a user-provided seed, ensuring identical binaries for the same inputs.
Delta Testing Support
Preserves transformation stability across related builds. Changes in specific code regions produce minimal and localized binary differences, facilitating controlled validation and safety-relevant traceability.
Transformation Scoping
Configurable inclusion and exclusion of specific functions, enabling real-time-critical or constrained routines to remain unmodified while transformations are applied selectively to appropriate parts.
Customizable Attack Response
Configurable response actions upon detection of an attack or integrity violation: transitioning into a safe state, entering a controlled loop, or setting a security status flag for supervisory handling.
Authorized Debugging
Enables controlled debugging access on protected in-field systems without removing applied protections. Supports maintenance and fault analysis under defined authorization conditions, relevant for functional safety contexts.
Emproof Nyx Python
Emproof Nyx Python is a protection framework designed to secure Python applications against reverse engineering, tampering, and unauthorized analysis. It extends the Emproof Nyx platform with specialized protections by combining advanced Python bytecode transformation with interpreter-level hardening.
Unlike source-level obfuscation or encryption-based approaches, Nyx Python operates directly on Python bytecode and the Python interpreter itself. The resulting protected applications preserve identical functional behavior while significantly increasing resistance against disassembly, decompilation, debugging, and runtime code extraction.
Protection Model
Python File Protection
Protects Python code objects against disassembly and decompilation by transforming the internal instruction stream. Each code object receives a unique and dynamically generated opcode mapping, ensuring protected files cannot be interpreted by standard tooling.
Interpreter Protection
Integrates Emproof Nyx Systems protections directly into the Python interpreter, providing additional defenses against debugging, tracing, runtime tampering, memory inspection, code extraction, and unauthorized modification of execution flow.
Supported Platforms
x86_64
AArch64
Supported for Python 3.12. Other Python versions can be requested. OS: Embedded and desktop Linux, Microsoft Windows.
Nyx Python — Editions
| Feature | Essential | Professional | Enterprise |
|---|---|---|---|
| Dynamic Opcode Mapping | ✓ | ✓ | ✓ |
| Interpreter Protection | ✓ | ✓ | ✓ |
| Anti-Debug | ✓* | ✓* | |
| Anti-Emulation | ✓* | ✓* | |
| Anti-Tamper | ✓ | ✓ | |
| Function & Variable Name Encryption | ✓ | ✓ | |
| Constant and Data Encryption | ✓ | ✓ | |
| Full Lockdown Mode | ✓ | ✓ | |
| Bundling Support | ✓ | ✓ | |
| AI Model Protection | ✓ (On Roadmap) |
* Device-specific implementation may be required by Emproof engineering
Deployment
Emproof Nyx is available as an on-premises deployment delivered as a Docker container to enable straightforward integration.
On-Premise Deployment
In the on-premise deployment model, Emproof Nyx is provided as a containerized solution deployed within the customer's own infrastructure. All analysis and transformation steps are performed entirely within the customer-controlled environment.
- Deployment as a Docker container in customer-managed environments
- Local execution via CLI or access via REST API
- Integration into existing CI/CD workflows (Jenkins, GitLab CI, GitHub Actions, Azure DevOps)
- Full control over input artifacts, outputs, and logs
- Offline or isolated operation possible, depending on license configuration
Product Support
Setup & On-Boarding
The Setup & Onboarding package is a mandatory service that must be purchased with every Emproof Nyx product license. As part of this service, Emproof provides:
- Initial configuration: Setup of a baseline protection profile, including device- and system-specific parameters
- Protection integration guidance: Technical guidance on how protections are to be integrated, enabled, and configured
- Validation support: Assistance in verifying that configured protections operate as intended within the customer's build and deployment workflow
Service Level Agreement
The following conditions apply to support services provided as part of the subscription:
- Incident Reporting: 24/7 via the Emproof Support Portal
- Business Hours: Monday to Friday, 9:00–17:00 CET/CEST, excluding German public holidays and Dec 24/31
- Support Channel: Remote assistance (email, video call, and remote access if required)
- Supported Version: Latest released LTS version only. Prior versions reach End-of-Support upon new release
Response Times
| Severity | Description | Standard SLA | Premium SLA |
|---|---|---|---|
| Level 1 — Critical | Protected binary causes unexpected behaviour while the original binary functions correctly (e.g., incorrect transformations causing runtime failures) | Within 8 hours | Within 4 hours |
| Level 2 — Medium | Customer's build pipeline is blocked; Nyx prevents deployment of protected software (e.g., protection or tooling failure, framework issues) | Within 24 hours | Within 8 hours |
| Level 3 — Low | Isolated issues or general inquiries, including minor documentation inconsistencies or usage-related issues without impact on security or correct functionality | Within 48 hours | Within 24 hours |
Response times represent target initiation times for incident handling and do not constitute guaranteed resolution times. Severity classification is determined by Emproof.
Product Improvement & Roadmap
Emproof Nyx is continuously developed and maintained to improve stability, security, performance, and functionality.
Updates for On-Premise
Updates are provided as updated container images or software packages, including a license file. Updates are released on a regular basis (2 versions per year, one in H1 and one in H2) and may include security updates, bug fixes, and stability improvements.
- Security patches released for the latest version in case of critical vulnerabilities
- Customers entitled to receive updates only during active license period
- Installation and deployment within customer's infrastructure are the customer's responsibility
- Emproof will inform affected customers of critical issues, provided a valid license is in place
Protect Your Embedded Software
Get in touch with our team to find the right Nyx edition for your use case.
Request a Demo