Hardware Assisted Control Flow Obfuscation for Embedded Processors
Xiaotong Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande
HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus
Xiaotong Zhuang, Tao Zhang, Santosh Pande
Overview
• Software Obfuscation
  • Obfuscate - v - render obscure, unclear, or unintelligible - bewilder (someone)
• Information Leakage
  • Layout leakage
  • Recurrence leakage
• Hardware Obfuscation Techniques
Assumptions
• XOM model
  • Everything outside the processor chip is assumed to be insecure
• Memory contents are encrypted
Software Obfuscation (and why it doesn’t work)
• Lacks a theoretical foundation
• It has been proven that perfect obfuscation does not exist
• May incur large overheads in code size
• Performance may be penalized due to carrying out extra computations
• History has proven it inefficient
How is Software Obfuscation Vulnerable to Attack?
• Layout Leakage
  • Spatial vicinity
• Recurrence Leakage
  • Recurring addresses
Layout Leakage
[Figure: blocks at addresses 100, 101, 102, 103 and 104]
Recurrence Leakage
[Figure: blocks at addresses 100, 101, 102, 103 and 104]
So What? It’s just Control Flow.
• Control flow info is the essential part of algorithms
• Competing company ex.
• Can help identify reused code
• Control obfuscation techniques are well known and can be reversed
Hardware Obfuscation Overview (paper 1)
• Encrypt the Address Bus (layout leakage)
• Relocate blocks every time they are written out to memory (recurrence leakage)
Address Bus Encryption
Equates to a fixed mapping
Shuffle Buffer
• Designed to reorder all writes to memory
• Exclusive to external memory
Shuffle Buffer
• Indexed array through the block address table
• No address tag
  • Smaller size / cheaper
• Blocks can be stored anywhere
• Blocks can be randomly replaced (circuit white noise)
• Assuming the program binary is updatable, multi-run recurrence is prevented
Block Address Table (BAT) & Cache
• Records the current location of blocks
• Use original block address to index into BAT to get new address
• Worst case scenario 10% overhead in virtual memory space
• Each access request from cache checks with BAT; use BAT cache to speed things up
How Secure Is This?
• With a shuffle buffer of 128 blocks, there is a 0.8% chance of guessing one recurrence correctly
• For n-recurrences the chance of guessing all correctly is 1/(M^n) where M is the size of the shuffle buffer
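The following toy Python model is an added example, not taken from the slides or either paper. It contrasts a fixed address mapping (address bus encryption alone) with a shuffle buffer plus BAT, showing that a recurring block stops appearing at a single external address. The class and function names, the XOR stand-in for bus encryption, the sample sizes, and the eviction policy (a random resident block is written into the memory slot just vacated) are all assumptions.

```python
import random

class ShuffleBufferModel:
    """Toy model of an M-slot on-chip shuffle buffer with a block address table."""

    def __init__(self, num_blocks, buffer_size, seed=1):
        self.rng = random.Random(seed)          # stands in for the hardware noise source
        self.buffer = list(range(buffer_size))  # blocks 0..M-1 start on chip
        # BAT: original block address -> current external address (None = on chip)
        self.bat = {b: (None if b < buffer_size else b) for b in range(num_blocks)}

    def access(self, block):
        """Return the external address driven on the bus, or None on a buffer hit."""
        addr = self.bat[block]
        if addr is None:
            return None
        # Assumed policy: a random resident block is written into the
        # memory slot that the fetched block has just vacated.
        slot = self.rng.randrange(len(self.buffer))
        victim, self.buffer[slot] = self.buffer[slot], block
        self.bat[block], self.bat[victim] = None, addr
        return addr

def recurrence_trace(model, tracked, num_blocks, rounds):
    """Addresses at which `tracked` appears on the bus while a loop re-runs."""
    seen = []
    for _ in range(rounds):
        for b in range(num_blocks):
            addr = model.access(b)
            if b == tracked and addr is not None:
                seen.append(addr)
    return seen

def fixed_mapping_trace(tracked, rounds, key=0x2A):
    """Baseline: bus encryption alone, modelled as a fixed XOR mapping (constructed key)."""
    return [tracked ^ key for _ in range(rounds)]

def guess_all(M, n):
    """Chance of linking n recurrences of one block, per the slide: 1/(M^n)."""
    return 1.0 / (M ** n)

if __name__ == "__main__":
    model = ShuffleBufferModel(num_blocks=64, buffer_size=8)
    print("shuffled :", recurrence_trace(model, 20, 64, 10))
    print("fixed map:", fixed_mapping_trace(20, 10))
    print("P(one guess, M=128) = %.4f" % guess_all(128, 1))
```

With the fixed mapping the tracked block always shows the same bus address, which is exactly the recurrence leak; with the shuffle buffer its address changes after each eviction while the BAT keeps the mapping consistent.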
Performance/Cost Summary
• Performance degradation can be below 1%
• Hardware costs consist of small on chip shuffle buffer and BAT cache
HIDE (Hardware-support for Leakage-Immune Dynamic Execution)
• Basic idea is to break the correlation between repeated memory addresses
• Achieved by permuting the address space at suitable intervals during execution
Hide Cache
• The same as a normal cache, except that blocks fetched after the previous permutation are all locked
• A locked block cannot be replaced until the memory space it belongs to is permuted again
How The Hide Cache Works
Other Details
• When evicting a block choose the least recently used block among the unlocked blocks
• A separately stored bitmap is used to record whether a block is locked or not
Hardware Flowgraph
HIDE at Chunk Level
• Chunk - one or more pages that are protected and permuted together
• Designed to limit size of permutation
  • Large memory permutations = performance cost
  • At chunk level the permutation unit only permutes all the blocks within a chunk
• With the smallest chunk size (a page) 75% of transitions from one address to the next are intra-chunk
• Chunks can be specified in the code or at runtime with instructions inserted into the header of the binary code
Page Info Cache
• Stores the Page Info Record to speed up access
How Secure Is this?
• With 64K chunk protection and layout optimizations, 87% of the address sequence is protected, in which 95% of the accesses to code and static data are hidden
• Interfaces are provided for the compiler or the user to increase the security to achieve almost complete protection
Performance/Cost Summary
• The performance overhead in their experiments was at most 1.5%, mainly due to permutations
• Most on chip components are small
References
• Zhuang, X., Zhang, T., Lee, H.-H. S. and Pande, S. Hardware Assisted Control Flow Obfuscation for Embedded Processors. CASES, Washington DC, Sept. 2004.
• Zhuang, X., Zhang, T. and Pande, S. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA, Oct. 2004.