View
2
Download
0
Category
Preview:
Citation preview
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 1
Air Force Institute of Technology
Using Logic-Based Reduction for
Adversarial Component Recovery*
J. Todd McDonald, Eric D. Trias, Yong C. Kim,
and Michael R. Grimaila
Center for Cyberspace Research
Air Force Institute of Technology
WPAFB, OH
*The views expressed in this article are those of the authors and do not reflect the official policy
or position of the United States Air Force, Department of Defense, or the U.S. Government
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 2
Outline
• Protection Context
• Polymorphic Variation as Protection
• Hiding Properties of Interest
• Framework and Experimental Results
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 3
Protection Context
• Embedded Systems / “Hardware” • Increasingly represented as reprogrammable logic (i.e., software!)
• We used to like hardware because it offered “hard” solutions for protection (physical anti-tamper, etc.)
• Our beginning point: what happens if hardware-based protections fail? • Hardware protection: I try to keep you from physically getting the
netlist/machine code
• Software protection: I give you a netlist/machine code listing and ask you questions pertaining to some protection property of interest
• Protection/exploitation both exist in the eye of the beholder
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 4
Protection Context
• Critical military / commercial systems vulnerable to
malicious reverse engineering attacks • Financial loss
• National security risk
• Reverse Engineering and
Digital Circuit Abstractions
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 5
Polymorphic Variation as Protection
• Experimental Approach:
• Consider practical / real-world /
theoretic circuit properties related to
security
• Use a variation process to create
polymorphic circuit versions
• Polymorphic = many forms of circuits
with semantically equivalent or
semantically recoverable functionality
• Characterize algorithmic effects:
• Empirically demonstrate properties
• Prove as intractable
• Prove as undecidable
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 6
Two Roads Met in the Woods…
and I Went Down Both…
Semantic
Changing Semantic
Preserving
Black-Box Refinement
Semantic Transformation
Polymorphic Generation
Polymorphic Generation
Program Encryption
Random Program Model
Obfuscation
What can I prove / not prove
under RPM?
What can I measure?
What can I characterize?
What are the limits if I am only
allowed to retain functionality?
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 7
Defining Obfuscation
• Since we can’t hide all information leakage….
• Can we protect intent?
• Tampering with code in order to get specific results
• Manipulating input in order to get specific results
• Correlating input/output with environmental context
• Can we impede identical exploits on functionally equivalent versions?
• Can we define and measure any useful definition of hiding short of absolute proof and not based solely on variant size?
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 8
Hierarchy of Obfuscating
Transforms
Functional Hiding
Control Hiding
Component Hiding
Signal Hiding
Topology Hiding (Gate Replacement)
Logical
View
Physical
Manifestation
Side Channel Properties
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 9
Polymorphic Variation as Protection
Algorithm and Variant Characterization:
Selection:
1) Random
2) Deterministic
3) Mixture
Replacement
1) Random
2) Deterministic
3) Mixture
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 10
Framework and Experimental Results
• When does (random/deterministic) iterative selection and replacement:
1) Manifest hiding properties of interest?
2) Cause an adversarial reverse engineering task to become intractable or undecidable?
• What role does logic reduction and adversarial reversal play in the outcome (ongoing)
• Are there circuits which will fail despite the best variation we can produce? (yes)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 11
Components
• Components are building block for virtually all real-world circuits
• Given: • circuit C
• gate set G
• input set I
• integer k > 1, where k is the number of components
• Set M of components {c1,…, ck} partitions G and I into k disjoint sets of inputs and/or gates.
• Four base cases • Based on input/output
boundary of component and the parent circuit
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 12
Component Recovery
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 13
Independent Components
and Induced Redundancy
ORIGINAL WHITE-BOX VARIANTS
REDUCED VARIANTS
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 14
Observing Independent
Component Hiding
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 15
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 16
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 17
Case Study
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 18
Conclusions
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 19
Questions
?
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 20
The ONLY true “Virtual Black Box”
Hiding Properties of Interest
5
6
74
2
3
1
“The How” Semantic Behavior
2
3
1
6
4
7
General Intuition and Hardness of Obfuscation
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 21
Framework and Experimental Results
• Is perfect or near topology recovery useful
(therefore, is topology hiding useful)?
• In some cases, yes
• Foundation for other properties (signal / component hiding)
• For certain attacks, it is all that is required
• Accomplishing topology hiding
• Change basis type (normalizing distributions, removing all
original)
• Guarantee every gate is replaced at least once
• Multiple / overlapping replacement = diffusion Topology:
Gate fan-in
Gate fan-out
Gate type
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 22
Experiment 1: Measuring “Replacement”
Basis Change
c432
c432
120 gates ( 4 ANDs + 79 NANDs + 19 NORs + 18 XORs + 40 inverters )
Decomposed
230 gates ( 60 ANDs + 151 NANDs + 19 NORs + 40 inverters )
Decomposed
NOR
843 gates ( 843 NORs)
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 23
Experiment 1a: Measuring “Replacement”
Basis Change
= {NOR} = {AND, NAND, OR, XOR, NXOR}
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 24
Experiment 1b: Measuring “Replacement”
Basis Change
= {NAND} = {AND, NOR, OR, XOR, NXOR}
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 25
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
ISCAS-85 c1355
C1355
506 gates ( 56 ANDs + 416 NANDs + 2 ORs + 32 buffers + 40 inverters )
Decomposed
550 gates ( 96 ANDs + 416 NANDs + 6 ORs + 32 buffers + 40 inverters )
Decomposed
NAND
730 gates ( 730 NANDs )
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 26
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Single 4000 Iteration Experiment”
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 27
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”
Iteration 100
0
100
200
300
400
500
600
700
800
900
1 2 3 4 5 6 7 9 10 12 13 14
Experiment
# o
f G
ate
s
XNOR
XOR
NOR
OR
NAND
AND
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 28
Experiment 2: Measuring “Replacement”
Uniform Basis Distribution
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”
Iteration 4000
0
500
1000
1500
2000
2500
3000
3500
4000
4500
5000
1 2 3 4 5 6 7 9 10 12 13 14
Experiment
# o
f G
ate
s
XNOR
XOR
NOR
OR
NAND
AND
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 29
Experiment 3: Measuring “Replacement”
Smart Random Selection
ISCAS-85 c432
Iterative Smart Random 2-Gate Selection Algorithm:
Selection Strategy: Replacement Strategy:
Smart Two Gate Random Random Equivalent
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 30
Experiment 3: Measuring “Replacement”
Smart Random Selection
= {NOR} = {AND, NAND, OR, XOR, NXOR}
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 31
Things We’ve Learned
Along the Way
• What algorithmic factors influence hiding properties
the most? • Iteration number
• Selection size
• Replacement circuit generation (redundant vs. non-redundant)
• Ongoing work in:
• Increasing selection size
• Determinist generation
• Integrated logic reduction
• Formal models: term rewriting systems, abstract
interpretation, graph partitioning
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 32
Obfuscation Comparison Models
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 33
Experiment 1a: Measuring
“Replacement”
600
600
675
600
% of ORIGINAL GATES
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 34
Experiment 1a: Measuring “Replacement”
= {NOR} = {AND, NAND, OR, XOR, NXOR}
ISCAS-85 c1355
# of NORs
# of Iterations ~7500
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 35
Experiment 2: Measuring “Replacement”
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Single 4000 Iteration Experiment”
0
200
400
600
800
1000
1200
c1355nand-0
0000
c1355nand-0
0100
c1355nand-0
0200
c1355nand-0
0300
c1355nand-0
0400
c1355nand-0
0500
c1355nand-0
0600
c1355nand-0
0700
c1355nand-0
0800
c1355nand-0
0900
c1355nand-0
1000
c1355nand-0
1100
c1355nand-0
1200
c1355nand-0
1300
c1355nand-0
1400
c1355nand-0
1500
c1355nand-0
1600
c1355nand-0
1700
c1355nand-0
1800
c1355nand-0
1900
c1355nand-0
2000
c1355nand-0
2100
c1355nand-0
2200
c1355nand-0
2300
c1355nand-0
2400
c1355nand-0
2500
c1355nand-0
2600
c1355nand-0
2700
c1355nand-0
2800
c1355nand-0
2900
c1355nand-0
3000
c1355nand-0
3100
c1355nand-0
3200
c1355nand-0
3300
c1355nand-0
3400
c1355nand-0
3500
c1355nand-0
3600
c1355nand-0
3700
c1355nand-0
3800
c1355nand-0
3900
AND
NAND
OR
NOR
XOR
XNOR
Develop America's Airmen Today ... for Tomorrow
Air University: The Intellectual and Leadership Center of the Air Force
Integrity - Service - Excellence 36
Experiment 2: Measuring “Replacement”
= {NAND} = {AND, NAND, OR, NOR, XOR, NXOR}
“Multiple 4000 Iteration Experiments”
Recommended