The Use of Software-Based Integrity Checks in Software Tamper Resistance Techniques

Similar documents
RE-TRUST. PoliTO Prototypes Overview. Paolo Falcarin, Stefano DiCarlo Alessandro Cabutto, Nicola Garazzino, Davide Barberis

Hotpatching and the Rise of Third-Party Patches

Lecture 12: Software protection techniques. Software piracy protection Protection against reverse engineering of software

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Self Protection Techniques in Malware

Patterns for Secure Boot and Secure Storage in Computer Systems

Instruction Set Architecture (ISA)

The Reduced Address Space (RAS) for Application Memory Authentication

Full System Emulation:

Runtime Detection of Software Modification Using RSCA Method

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Operating Systems. Virtual Memory

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Next-Generation Protection Against Reverse Engineering

EC 362 Problem Set #2

Identification and Removal of

ios applications reverse engineering Julien Bachmann

2) Write in detail the issues in the design of code generator.

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Formal Software Testing. Terri Grenda, CSTE IV&V Testing Solutions, LLC

RE-TRUST Design Alternatives on JVM

X86-64 Architecture Guide

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Return-oriented programming without returns

Comp 255Q - 1M: Computer Organization Lab #3 - Machine Language Programs for the PDP-8

Software Hardening & FIPS 140

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Executable Integrity Verification

Software Reverse Engineering

Qiong Liu, Reihaneh Safavi Naini and Nicholas Paul Sheppard Australasian Information Security Workshop Presented by An In seok

How To Prevent An Sql Injection Attack

Data Model Bugs. Ivan Bocić and Tevfik Bultan

ASSURING INTEGRITY OF DATAFLOW PROCESSING IN CLOUD COMPUTING INFRASTRUCTURE

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

Embedded Software development Process and Tools:

Off-by-One exploitation tutorial

Software Protection through Code Obfuscation

Introduction. Figure 1 Schema of DarunGrim2

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Instruction Set Design

Concepts of digital forensics

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Surreptitious Software

Framework for Injecting the Attacks and Analyzing the Behaviour of Vulnerability on Server s

CHAPTER 1 INTRODUCTION

What is Software Watermarking? Software Watermarking Through Register Allocation: Implementation, Analysis, and Attacks

Red Hat Linux Internals

Hypervisor-Based, Hardware-Assisted System Monitoring

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Debugging Multi-threaded Applications in Windows

Secure cloud access system using JAR ABSTRACT:

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Detecting the One Percent: Advanced Targeted Malware Detection

RTOS Debugger for ecos

OWASP Mobile Top Ten 2014 Meet the New Addition

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

UNIVERSITY OF CALIFORNIA, DAVIS Department of Electrical and Computer Engineering. EEC180B Lab 7: MISP Processor Design Spring 1995

IBM RATIONAL PERFORMANCE TESTER

Krishna Institute of Engineering & Technology, Ghaziabad Department of Computer Application MCA-213 : DATA STRUCTURES USING C

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

Sage 50 Payroll 2012 Authentication Bypass

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Reverse Engineering and Computer Security

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

III. Our Proposal ASOP ROUTING ALGORITHM. A.Position Management

CS:APP Chapter 4 Computer Architecture. Wrap-Up. William J. Taffe Plymouth State University. using the slides of

Introduction to Automated Testing

A Survey of Anti-Tamper Technologies

On Security Evaluation Testing

Release: 1. ICTPRG503 Debug and monitor applications

Cloud Information Accountability Framework for Auditing the Data Usage in Cloud Environment

Summary of Results from California Testing of the ES&S Unity /AutoMARK Voting System

Bypassing Anti- Virus Scanners

Penetration Testing. Presented by

International Journal of Advanced Research in Computer Science and Software Engineering

Security Vulnerability Notice

Hydra. Advanced x86 polymorphic engine. Incorporates existing techniques and introduces new ones in one package. All but one feature OS-independent

SkyRecon Cryptographic Module (SCM)

Computer Organization and Architecture

Dynamic Spyware Analysis

Lecture 26: Obfuscation

OS KERNEL MALWARE DETECTION USING KERNEL CRIME DATA MINING

Real-time Debugging using GDB Tracepoints and other Eclipse features

Hardware Security Modules for Protecting Embedded Systems

Hardware and Security: Vulnerabilities and Solutions

Transcription:

The Use of Software-Based Integrity Checks in Software Tamper Resistance Techniques Ginger Myles gmyles@us.ibm.com IBM Almaden Research Center [1]

Talk Overview Integrity check overview Use of integrity checks in tamper resistance techniques Attack on integrity checks [2]

Attack Model Software executing on a potentially hostile host. Adversary has full control over the software s execution. Adversary can use any program analysis tools to detect and circumvent the checks. The Hackers Toolbox Benign Executable [3]

Software Tamper Resistance Detect that the program has been altered. Cause the program to fail when tampering has been detected. [4]

Integrity Check Overview What are they? A mechanism used to identify the integrity of the program and/or the environment in which it is executing. Executable Checker [5]

Integrity Check Overview What are they? Static - integrity is checked only once during start-up Dynamic - integrity is checked repeatedly as the program executes Executable Checker [6]

Integrity Check Overview How are they used? Generally used as part of a larger tamper resistance scheme. Assertion Check Based (BAD!) ic = performcheck(); if(ic!= PREDICTED VALUE) {fail;} Use Based (Better) ic = performcheck(); decryptsegment(ic, k); [7]

Integrity Check Overview Why are they used? Program integrity verification Prevent license check removal Protect a watermark from damage or removal Executable Code Obfuscator Executable? Watermark Extractor [8]

Integrity Check Overview Why are they used? Environmental integrity verification Detect the use of debuggers or emulators Protect the keys embedded in DRM systems Sensitive code that it is only decrypted for execution DRM Protected Executable Debugger Debugger Disabled Executable k k [9]

Program Integrity Verification Code Checksum Probably the oldest method Straight forward implementation Quite efficient Execution Executable ic ic [10]

Program Integrity Verification Code Checksum The Negatives Reading the code segment is generally atypical. Execution Executable ic ic ic ic [11]

Program Integrity Verification Code Checksum The Negatives Hackers pinpoint checks through breakpoints or code inspection. Only verifies static properties. May not detect temporary instruction patches or other run-time attacks. [12]

Program Integrity Verification Oblivious Hashing [Chen et al., 2002] Dynamic - based on execution trace. Monitor both instructions and memory references. Compute hash value from execution trace. Instruction Sequence Memory I 1 M 1 I 2. I n M 2. M n Trace [13]

Program Integrity Verification Oblivious Hashing Hashing locations must be extensive and spread throughout program. To protect a function all functions on the calling-hierarchy must be protected. Trace should include memory references made by each instruction and the instruction itself. Instruction Sequence Memory I 1 M 1 h 1 I 2 h 2. M 2. I n M n h n [14]

Environment Integrity Verification Detection of debuggers and other similar simulation tools Use a checksum to detect a breakpoint. Measure elapsed time to execute a sequence of instructions. Look for tool specific hooks. [15]

Environment Integrity Verification The Negatives Level of checksum granularity will effect success of detecting a breakpoint. Detection is tool specific. [16]

Real Uses of Integrity Checks Check and Guard System [Chang and Atallah, 2001] Network of guards. Each guard responsible for performing some type of integrity check. Protect each other and the program in an interlocking fashion. Some guards can repair altered code. C [17]

Real Uses of Integrity Checks Check and Guard System Repairing guard inserted prior to code. Checksumming guard inserted at a point when code will be present in program image. Strongly connected guard graph increases the efforts required by the attacker. C [18]

Real Uses of Integrity Checks Testers and Correctors [Horne et al., 2002] Collection of testers which each hash a single contiguous section of code. Testers are sprinkled throughout code and triggered by normal program execution. Execution Executable tester tester tester tester tester tester tester [19]

Real Uses of Integrity Checks Testers and Correctors [Horne et al., 2002] Compares hash value with correct value. Incorrect value triggers response mechanism via simple function call. [20]

Real Uses of Integrity Checks Testers and Correctors Each hash interval contains a corrector. Corrector set to a value such that the interval hashes to a fixed value. Execution Executable tester tester tester tester tester tester tester [21]

Real Uses of Integrity Checks Branch-Based Tamper Resistance [Myles, Jin, 2005] Based on Branch Function obfuscation [Linn and Debray, 2003]: Designed to disrupt static disassembly. Exploits assumption that a function call returns to the instruction immediately following the call instruction. Execution is rerouted through the branch function. The correct target is identified based on the call location. T[h(j i )] = t i j i Return address on the stack is overwritten. [22]

Real Uses of Integrity Checks Branch-Based Tamper Resistance Key Storage k 0 Program Execution. k 1 Branch Function. k 2 Branch Function. Key: Link proper program execution and the key evolution. [23]

Real Uses of Integrity Checks Branch-Based Tamper Resistance Integrity Check Branch Functions 1. Perform an integrity check of the program or environment producing the value v i. 2. Generate the next key using a secure one-way hash function, the previous key, and the integrity check value. k i+1 = SHA1(v i,k i ) 3. Use k i+1 to identify the instruction where execution will resume. [24]

Real Uses of Integrity Checks Branch-Based Tamper Resistance Integrity Check Branch Function Construction Integrity Check Branch Function integrity check Original Application k i v i f 1 (v i, k i, AM) key generation f 2 + k k i+1 i+1 f 3 d i+1 = T[h(k i+1 )] retnew = ret old +d i+1 Modified Application f 1 f 2 f 3 ICBF [25]

Real Uses of Integrity Checks Branch-Based Tamper Resistance Branch Instruction Replacement Modified Application f 1 f 2 f 3 ICBF_1 ICBF_2 1 mov add mov jmp 0 3 4 push mov cmp jge mov push push call add pop ret d 1 k 1 2 mov sub mov d 2 k 2 0 1 2 3 4 push mov cmp call mov add mov jmp mov sub mov mov push push call add pop ret Protected Application f 1 f. 2.. ICBF_1 ICBF_2 ICBF_1( ). ICBF_2( ). f 3... ICBF_1( ). [26]

Real Uses of Integrity Checks Branch-Based Tamper Resistance Able to construct an intertwined network of ICBF s C [27]

Attacks on Integrity Checks Circumvention of self-hashing has been accomplished on UltraSparc, x86, PowerPC, AMD64, and ARM architectures [van Oorschot et al., 2005]. Implicit assumption that a data read from memory address x is the same as an instruction fetch from x. I(x) D(x) will verify code that is never executed and the executed is never checked. Manipulate virtual to physical address mappings such that each virtual address refers to two different physical addresses code references and data references Done through segmentation and translation lookaside buffers. [28]

Wrap-up We looked at a common type of integrity checking how it is used in real tamper resistance techniques and how it can be circumvented. [29]

Wrap-up Questions I m considering: Is there hope for strictly software-based techniques? Is there a way we can determine the level of protection provided by the different types of integrity checks? [30]

Wrap-up Questions I m considering: Is there hope for strictly software-based techniques? Is there a way we can determine the level of protection provided by the different types of integrity checks? Begin building an incremental strength evaluation scheme for software tamper resistance techniques. [30]

Wrap-up Questions I m considering: Is there hope for strictly software-based techniques? Is there a way we can determine the level of protection provided by the different types of integrity checks? Begin building an incremental strength evaluation scheme for software tamper resistance techniques. With the Check and Guard system or the Branch-Based technique strength can be customized or checks can be replaced once discovered they are breakable. [30]

References Protecting Software Code by Guards, Chang and Atallah, Proc. of 1st ACM Workshop on Security and Privacy in Digital Rights Management, 2001. Oblivious Hashing: A Stealthy Software Integrity Verification Primitive, Chen, Venkatesan, Cary, Pang, Sinha, and Jakubowski, Proc. of 5th International Workshop on Information Hiding, 2002. Towards Better Software Tamper Resistance, Jin and Myles, Proc. of Information Security: 8th International Conference, 2005. Self-Validating Branch-Based Software Watermarking, Myles and Jin, Proc. of 7th International Workshop on Information Hiding, 2005. Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance, van Oorschot, Somayaji, and Wurster, IEEE Transactions on Dependeble and Secure Computing, 2005. [31]

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information