
  • 8/6/2019 Conf Wassa 2004

Towards the Issues in Architectural Support for Protection of Software Execution

    Weidong Shi

    Ph.D Hsien Hsin Lee

    Mrinmoy Ghosh

    Chenghui Lu

    School of Electrical and Computer Engineering

    Georgia Institute of Technology

Content

Motivation

Necessity for Hardware Cryptography Based Protection

    Attack to Counter Mode Encryption

    Fight Against On-line Attack Using Delay Logic

    Conclusions

Motivation

Put issues debated off-line on-line

    Highlight several issues

    Reach consensus

Necessity for Hardware Cryptography Based Protection

S: Hardware memory encryption is not necessary and does not provide any additional security.

R: The answer is yes and no, depending on the security requirement, business model, software operating environment, etc.

Necessity for Hardware Cryptography Based Protection (cont.)

Secure future applications, applications that cannot be secured today, and new business models:

Software secrecy: military embedded systems, mobile software agents

Anti-reverse engineering: program, software, library as IP

Data secrecy/integrity: distributed computing, mobile software agents

Anti-machine emulator: software rights

Anti-authoritative client: on-line video games

The threats of hardware attack should not be under-estimated. Hackers are able to build spoof devices, bus tracing devices, signal replaying devices.

Attack On Counter-mode Encryption

S: Counter mode alone, or counter mode plus lazy integrity check, is enough to provide SW secrecy.

R: The answer is no. Rigorous, timely, and appropriate check on integrity is a MUST. Active flow based attack can compromise SW secrecy protected by counter mode when integrity check is weak.

Counter-mode Background (sender side)

[Diagram: for each block i = 0, 1, ..., n, the Block Cipher encrypts (Counter + i) under Key to produce a Pseudo-random pad; Plaintext XOR pad = Ciphertext]

First presented by W. Diffie and M. Hellman in 1977.

Sender and receiver share a secret key and an initial counter.

A pseudo-random pad is generated deterministically based on the counter and key.

Counter does not have to be a secret.

Counter-mode Background (receiver side)

[Diagram: for each block i = 0, 1, ..., n, the Block Cipher encrypts (Counter + i) under Key to produce the same Pseudo-random pad; Ciphertext XOR pad = Plaintext]

Receiver generates the same pad sequence using the same key and counter.

Counter-mode Summary

Pros

Widely used, allows pad pre-computation.

Proved to be secure by Bellare et al. (1997). If you break counter-mode, you break the underlying cipher.

Cons

Chosen ciphertext malleable. Flipping bits in the ciphertext induces flipped corresponding bits in the plaintext.

Misuse of counter mode can jeopardize security. Timely, appropriate check on integrity is a MUST.

Counter-mode Summary (cont.)

Chosen ciphertext malleable

[Figure: ciphertext bits 1 0 1 1 0 1 0 1 decrypt to plaintext bits 0 1 0 1 0 0 1 1; flipping one ciphertext bit flips the same plaintext bit]

How about other NIST block cipher based modes such as CBC (cipher block chaining)?

[Figure: CBC decryption of memory block n: Block Cipher(ciphertext block n) XOR ciphertext block n-1 = plaintext block n, so a bit flipped in ciphertext block n-1 appears flipped in plaintext block n]
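The malleability of counter mode from the preceding slides, as an added Python example that is not part of the presentation. The block cipher is replaced by an HMAC-SHA256 pad generator (an assumption made so the demo runs with the standard library only; the argument is identical for a real block cipher because the pad never depends on the plaintext). Flipping one ciphertext bit flips exactly the same plaintext bit, and a MAC over the ciphertext that is checked before any plaintext is released rejects the modified block, which is the "timely, appropriate check" the slides call for. Keys and the sample code bytes are constructed for the demo.

```python
import hmac
import hashlib

BLOCK_SIZE = 32  # bytes of pad per counter value (one SHA-256 output)


def pad_block(key: bytes, counter: int) -> bytes:
    """Pseudo-random pad for one counter value: deterministic in (key, counter).
    Stand-in for Block Cipher(Key, Counter + i) on the slides; HMAC-SHA256 is used
    here only so the demo needs no third-party cipher library."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, initial_counter: int, data: bytes) -> bytes:
    """Counter mode: encryption and decryption are the same XOR with the pad stream."""
    out = bytearray()
    for i in range(0, len(data), BLOCK_SIZE):
        pad = pad_block(key, initial_counter + i // BLOCK_SIZE)
        out.extend(c ^ p for c, p in zip(data[i:i + BLOCK_SIZE], pad))
    return bytes(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit, counting bit 0 as the most significant bit of byte 0."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(buf)


def mac_tag(key: bytes, counter: int, ciphertext: bytes) -> bytes:
    """Integrity tag over counter and ciphertext, under a key separate from the encryption key."""
    return hmac.new(key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def decrypt_checked(enc_key, mac_key, counter, ciphertext, tag):
    """Release plaintext only after the tag verifies; a processor applying this
    rule stalls on a bad block instead of executing or acting on it."""
    if not hmac.compare_digest(mac_tag(mac_key, counter, ciphertext), tag):
        return None
    return ctr_crypt(enc_key, counter, ciphertext)


def demo_malleability(bit_index=5):
    """Encrypt a constructed block, flip one ciphertext bit, and decrypt it both
    without any check (lazy) and through the checked path."""
    enc_key = b"constructed-encryption-key"
    mac_key = b"constructed-mac-key"
    counter = 0x1000
    plaintext = b"MOV R1, 0x2 ; ADD R2, R1, R1 ; RET"  # constructed sample code bytes

    ciphertext = ctr_crypt(enc_key, counter, plaintext)
    tag = mac_tag(mac_key, counter, ciphertext)
    tampered = flip_bit(ciphertext, bit_index)

    lazy = ctr_crypt(enc_key, counter, tampered)  # no integrity check at all
    checked = decrypt_checked(enc_key, mac_key, counter, tampered, tag)
    byte_i = bit_index // 8
    mask = 1 << (7 - bit_index % 8)
    return {
        "plaintext": plaintext,
        "lazy_plaintext": lazy,
        # the flipped ciphertext bit lands on exactly the same plaintext bit
        "flipped_byte_matches": lazy[byte_i] == plaintext[byte_i] ^ mask,
        "other_bytes_intact": all(a == b for i, (a, b) in enumerate(zip(lazy, plaintext)) if i != byte_i),
        "checked_plaintext": checked,  # None: the tampered block is rejected
        "untampered_checked": decrypt_checked(enc_key, mac_key, counter, ciphertext, tag),
    }
```

With the default bit index the first byte "M" (0x4D) decrypts as "I" (0x49) on the lazy path, while the checked path returns nothing for the tampered block and the full plaintext for the untouched one.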

Attack On Counter-mode

Dangerous practice on integrity check:

Aggregated SW (instruction/data) integrity check.

Allow processor/memory state change by unverified instructions/data.

Allow processor/memory state change by data derived from unverified data.

Data/instruction fetch issued to memory based on unverified instructions, or based on control flow determined by unverified data.

Data/instruction fetch issued to memory using address obtained from unverified data.

Attack On Counter-mode

Exploit regularity of RISC instruction set for incremental guesses.

Convert secret information into data/instruction fetch address observable on SW execution/bus trace.

Attack On Counter-mode - Example

Addr = 0x12001139c: ciphertext 0x9426814a, plaintext 0x40c05411, instruction addq t5, 0x2, a1

Instruction formats:

Branch Format: Opcode | RA | Disp

Memory Format: Opcode | RA | RB | Disp

Operate Format: Opcode | RA | RB | Function | RC

The plaintext instruction decodes as Opcode 0x10 | RA | Disp.

6-bit opcode, 64 possible opcodes. Flip bits of opcode ciphertext and trace program control.

Attack On Counter-mode

Opcode 0x25 | RA | Disp          ciphertext
Opcode 0x10 | RA | Disp          plaintext
Opcode 0x4 | RA | Disp           opcode guess
Opcode 0x11 | RA | Disp          ciphertext after flip
Opcode 0x24 (stf) | RA | Disp    decrypted opcode

Flip bits of opcode ciphertext based on guessed opcode. The target is opcode 0x30 (opcode of jmp).

guessed opcode               0 0 0 1 0 0
target opcode                1 1 0 0 0 0
ciphertext                   1 0 0 1 0 1
ciphertext after bit flip    0 1 0 0 0 1

Attack On Counter-mode

Opcode 0x25 | RA | Disp          ciphertext
Opcode 0x10 | RA | Disp          plaintext
Opcode 0x10 | RA | Disp          opcode guess
Opcode 0x5 | RA | Disp           ciphertext after flip
Opcode 0x30 | RA | Disp          decrypted opcode

Flip bits of opcode ciphertext based on guessed opcode. The target is opcode 0x30 (opcode of jmp).

guessed opcode               0 1 0 0 0 0
target opcode                1 1 0 0 0 0
ciphertext                   1 0 0 1 0 1
ciphertext after bit flip    0 0 0 1 0 1

Attack On Counter-mode

Opcode 0x5 | RA | Disp             ciphertext
Opcode 0x10 | RA | Disp 0x5411     plaintext
Opcode 0x30 | RA | Disp 0x5411     decrypted opcode

Addr = 0x12001139c (flipped instruction) -> Addr = 0x1200263e0 (next fetch)

Decrypted instruction triggers fetch from a new address, which discloses 16 bits of plaintext.

Attack On Counter-mode

[Figure: a linked list of (Data, Next) nodes ending in NULL, with a Secret value determining which node is fetched]

Convert secret into data fetch address so it can be observed in program trace.

Fight Against Attack on Counter-mode

Use non-malleable encryption mode. Counter-mode, CBC are all malleable.

Hide program trace and fetch address. Hardware obfuscation, CASES 2004. OVERHEAD!!!

Authenticate appropriately, PACT 2004:

Change on processor/memory state prohibited by unverified code/data or results obtained from unverified code/data. Stall pipeline when it happens and wait for the result of the integrity check.

Code/data fetch from memory stalls and waits for integrity check if address computed from unverified data.

Code/data fetch from memory stalls and waits for integrity check if control flow determined by unverified data/code.

Fight Against On-line Attack

S: Memory integrity can only be protected using a long-bit hash such as a Merkle tree with a 160-bit hash.

R: Hash tree is vulnerable to off-line attack, and MAC (message authentication code) tree is preferred because of its efficiency and robustness against off-line attack. Use integrity verification triggered delay logic.

Fight Against On-line Attack

Off-line vs. On-line attack

Off-line attack can be launched on multiple machines. Used for key search, finding hash collisions, etc.

On-line attack has to be launched on the victim/targeted machine. Brute force attack on MAC.

Hash tree vs. MAC tree

Hash tree is more vulnerable to off-line attacks.

Brute force attack on MAC tree has to be conducted on the victim machine.
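The hash tree vs. MAC tree distinction above, as an added Python example that is not part of the presentation and does not model the authors' hardware. Both trees have the same shape over a constructed eight-block memory; only the node function differs (SHA-256 vs. HMAC-SHA256 under a key that stays on the processor). The stored leaf digests of a hash tree can be recomputed by anyone, so candidate modifications can be checked against them off-line without the victim seeing a single attempt. The MAC tree's nodes cannot be evaluated without the key, so each candidate has to be submitted to the verifier, which counts the failure (the signal the delay logic on the later slides consumes). The `Verifier` class, the tree builders and the candidate generator are this example's own constructions.

```python
import hashlib
import hmac

# Constructed sample memory image: eight blocks under one integrity tree.
MEMORY = [b"block%d" % i for i in range(8)]
PROCESSOR_KEY = b"constructed-on-chip-key"  # never leaves the processor


def build_tree(leaves, node_fn):
    """Generic binary tree: node_fn maps bytes -> digest. Returns (leaf_digests, root)."""
    level = [node_fn(b"leaf:" + leaf) for leaf in leaves]
    leaf_digests = list(level)
    while len(level) > 1:
        if len(level) % 2:  # duplicate the last node on odd levels
            level.append(level[-1])
        level = [node_fn(b"node:" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return leaf_digests, level[0]


def hash_tree(leaves):
    """Merkle tree over an unkeyed hash: anyone can recompute every node."""
    return build_tree(leaves, lambda d: hashlib.sha256(d).digest())


def mac_tree(key, leaves):
    """Same shape, but every node is an HMAC under the processor's key."""
    return build_tree(leaves, lambda d: hmac.new(key, d, hashlib.sha256).digest())


class Verifier:
    """Stand-in for the on-chip integrity verification engine: holds the key and
    the trusted root and counts failed checks."""

    def __init__(self, key, leaves, keyed):
        self.key, self.keyed = key, keyed
        self.leaf_digests, self.root = self._tree(leaves)
        self.failures = 0

    def _tree(self, leaves):
        return mac_tree(self.key, leaves) if self.keyed else hash_tree(leaves)

    def check(self, leaves):
        _, root = self._tree(leaves)
        ok = hmac.compare_digest(root, self.root)
        if not ok:
            self.failures += 1
        return ok


def candidate_images(n, target=3):
    """n constructed variants of a tampered image (block `target` replaced)."""
    for i in range(n):
        yield MEMORY[:target] + [b"tampered-%d" % i] + MEMORY[target + 1:]


def attack_hash_tree(stored_leaf_digest, n, target=3):
    """Unkeyed tree: the attacker recomputes the leaf digest locally and would
    only ever touch the victim with a candidate that already matches.
    Returns (local_work, victim_queries)."""
    local_work = 0
    for image in candidate_images(n, target):
        local_work += 1
        if hashlib.sha256(b"leaf:" + image[target]).digest() == stored_leaf_digest:
            return local_work, 1
    return local_work, 0


def attack_mac_tree(verifier, n, target=3):
    """Keyed tree: without the key no node can be evaluated locally, so every
    candidate goes to the victim, which records each failure. Returns queries."""
    queries = 0
    for image in candidate_images(n, target):
        queries += 1
        if verifier.check(image):
            break
    return queries


def compare(n=50):
    """Run both scenarios on n candidate forgeries and report where the work lands."""
    hash_verifier = Verifier(PROCESSOR_KEY, MEMORY, keyed=False)
    mac_verifier = Verifier(PROCESSOR_KEY, MEMORY, keyed=True)
    local_work, _ = attack_hash_tree(hash_verifier.leaf_digests[3], n)
    mac_queries = attack_mac_tree(mac_verifier, n)
    return {
        "hash_tree_local_work": local_work,                 # invisible to the victim
        "hash_tree_victim_failures": hash_verifier.failures,
        "mac_tree_queries": mac_queries,
        "mac_tree_victim_failures": mac_verifier.failures,  # every guess is observed
    }
```

Running `compare(50)` shows fifty candidates checked with zero victim involvement for the hash tree, against fifty recorded failures for the MAC tree; that recorded count is exactly what a delay mechanism can act on.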

Fight Against On-line Attack

Attacker can:

Alter MAC and Code: modify the code and brute force attack the MAC.

Alter Code Only: come up with a huge number of attack codes and hope one of them has a MAC collision.

Original Code:

    push param1
    push param2
    push param3
    push param4
    push param5
    call security_check    /* a jump to a subroutine */
    tst ax, 0              /* assume return value in ax */
    bne security_failed

Alter MAC and Code:

    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop

Alter Code Only:

    mov ax, random_num
    xor ax, ax
    mov bx, random_num
    xor bx, bx
    mov cx, random_num
    xor cx, cx
    nop
    nop

Fight Against On-line Attack

Tamper Prevention Timer (TPT)

[Figure: the Authentication/Integrity Verification Engine reports each integrity check failure to the TPT; the TPT, driven by the clock, either lets the CPU continue (OK) or drives the delay logic to stall the CPU]

State of TPT is persistent, survives power cycling.

TPT counts number of integrity verification failures.

TPT has delay logic that stalls processor pipeline when tracked number of integrity failures crosses a threshold.

TPT state not accessible by SW.

EXAMPLE: 1 min delay for every 10 failed integrity checks requires 204 years for an on-line brute force attack to succeed in breaking a 32-bit MAC. Processor speed is irrelevant. SIMPLE and EFFECTIVE.

Conclusions

Hardware cryptography based software protection provides a new security model for applications.

Appropriate extra security measures have to be used together with counter mode to prevent active flow based attacks.

MAC tree is better than Hash tree.

TPT is a simple and effective way to fight against on-line attacks on software integrity.