Towards integral binary execution: implementing oblivious hashing using overlapped instruction encodings

Executing binaries without interference by an outside adversary has been an ongoing duel between protection methods and attacks. Recently, an efficient kernel-patch attack has been presented against commonly used self-checking code techniques that use checksumming ahead of execution. While methods based on self-modifying code can defend against this attack, such techniques depend on low-level architectural details and may not be practical in the long run. An alternative defense is to use oblivious hashing (OH). Instead of checking code integrity prior to execution, OH can verify untampered runtime behavior continuously. However, earlier OH approaches have some weaknesses, particularly with binary code: Physical instruction bytes cannot be easily checked during execution, and an attacker may be able to detect and remove OH checks, since OH alone does not provide tamper-resistance or obfuscation. In our approach, we deliberately overlap a program's basic blocks so that they share instruction bytes. This increases tamper-resistance implicitly because malicious modifications affect multiple instructions simultaneously. Also, our scheme facilitates explicit anti-tampering checks via injection of OH instructions overlapped with target code, enabling OH that can verify integrity of both runtime state and executing instructions. Thus, our method addresses anti-checksum attacks without resorting to self-modifying code, and also extends OH to verify physical code, not only program state. In addition, overlapping facilitates resistance against disassembly and decompilation. Our approach works on processor architectures and byte-codes that support variable-length instructions. To our knowledge, this is the first technique that blends tamper-resistance into architecture and therefore significantly improves robustness of binaries.

[1]  Frederick B. Cohen,et al.  Operating system protection through program evolution , 1993, Comput. Secur..

[2]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[3]  David Aucsmith,et al.  Tamper Resistant Software: An Implementation , 1996, Information Hiding.

[4]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[5]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[6]  Clark Thomborson,et al.  Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[7]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[8]  Jack W. Davidson,et al.  Software Tamper Resistance: Obstructing Static Analysis of Programs , 2000 .

[9]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[10]  Mikhail J. Atallah,et al.  Protecting Software Code by Guards , 2001, Digital Rights Management Workshop.

[11]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[12]  Amitabh Srivastava,et al.  Vulcan Binary transformation in a distributed environment , 2001 .

[13]  Jack W. Davidson,et al.  Protection of software-based survivability mechanisms , 2001, 2001 International Conference on Dependable Systems and Networks.

[14]  Barbara Gengler Reports: Trusted Computing Platform Alliance , 2001 .

[15]  Robert E. Tarjan,et al.  Dynamic Self-Checking Techniques for Improved Tamper Resistance , 2001, Digital Rights Management Workshop.

[16]  Dan Boneh,et al.  Attacking an Obfuscated Cipher by Injecting Faults , 2002, Digital Rights Management Workshop.

[17]  Christian S. Collberg,et al.  Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..

[18]  Ramarathnam Venkatesan,et al.  Oblivious Hashing: A Stealthy Software Integrity Verification Primitive , 2002, Information Hiding.

[19]  Paul C. van Oorschot,et al.  A White-Box DES Implementation for DRM Applications , 2002, Digital Rights Management Workshop.

[20]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[21]  Butler W. Lampson,et al.  A Trusted Open Platform , 2003, Computer.

[22]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[23]  Christian S. Collberg,et al.  Sandmark--A Tool for Software Protection Research , 2003, IEEE Secur. Priv..

[24]  Marten van Dijk,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003, ICS '03.

[25]  Tao Zhang,et al.  HIDE: an infrastructure for efficiently protecting information leakage on the address bus , 2004, ASPLOS XI.

[26]  J. Doug Tygar,et al.  Side Effects Are Not Sufficient to Authenticate Software , 2004, USENIX Security Symposium.

[27]  Christopher Krügel,et al.  Static Disassembly of Obfuscated Binaries , 2004, USENIX Security Symposium.

[28]  Amit Sahai,et al.  Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[29]  Paul C. van Oorschot,et al.  A generic attack on checksumming-based software tamper resistance , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[30]  Ruby B. Lee,et al.  Architecture for protecting critical secrets in microprocessors , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[31]  Jonathon T. Giffin,et al.  Strengthening software self-checksumming via self-modifying code , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[32]  Vitaly Shmatikov,et al.  Obfuscated databases and group privacy , 2005, CCS '05.

[33]  Hoeteck Wee,et al.  On obfuscating point functions , 2005, STOC '05.

[34]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[35]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[36]  Ramarathnam Venkatesan,et al.  Proteus: virtualization for diversified tamper-resistance , 2006, DRM '06.

[37]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[38]  Ramarathnam Venkatesan,et al.  A Graph Game Model for Software Tamper Protection , 2007, Information Hiding.

[39]  Thomas P. Minka,et al.  Gates , 2008, NIPS.

[40]  Robert J. Vanderbei,et al.  The Kruskal Count , 2009, The Mathematics of Preference, Choice and Order.