250 likes | 410 Views
Hardware Assisted Control Flow Obfuscation for Embedded Processors. Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. Xiaoton Zhuang, Tao Zhang, Santosh Pande. Overview. Software Obfuscation
E N D
Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus Xiaoton Zhuang, Tao Zhang, Santosh Pande
Overview • Software Obfuscation • Obfuscate - v - render obscure, unclear, or unintelligible - bewilder (someone) • Information Leakage • Layout leakage • Recurrence leakage • Hardware Obfuscation Techniques
Assumptions • XOM model • Everything outside the processor chip is assumed to be insecure • Memory contents are encrypted
Software Obfuscation(and why it doesn’t work) • Lacks of theoretical foundation • It has been proven the perfect obfuscation does not exist • May incur large overheads in code size • Performance may be penalized due to carrying out extra computations • History has proven it inefficient
How is Software Obfuscation Vulnerable to Attack ? • Layout Leakage • Spatial vicinity • Recurrence Leakage • Recurring addresses
Layout Leakage 100 101 102 103 104
Recurrence Leakage 100 101 102 103 104
So What? It’s just Control Flow. • Control flow info is the essential part of algorithms • Competing company ex. • Can help identify reuse code • Control obfuscation techniques are well known and can be reversed
Hardware Obfuscation Overview (paper 1) • Encrypt the Address Bus (layout leakage) • Relocate blocks every time they are written out to memory (recurrence leakage)
Address Bus Encryption Equates to a fixed mapping
Shuffle Buffer • Designed to reorder all writes to memory • Exclusive to external memory
Shuffle Buffer • Indexed array through the block address table • No address tag • Smaller size / cheaper • Blocks can be stored anywhere • Blocks can be randomly replaced (circuit white noise) • Assume program binary updatable then multi-run recurrence prevented
Block Address Table (BAT) & Cache • Records the current location of blocks • Use original block address to index into BAT to get new address • Worst case scenario 10% overhead in virtual memory space • Each access request from cache checks with BAT use BAT cache to speed things up
How Secure Is This? • With a shuffle buffer of 128 blocks 0.8% chance of guessing one recurrence correctly • For n-recurrences the chance of guessing all correctly is 1/(M^n) where M is the size of the shuffle buffer
Performance/Cost Summary • Performance degradation can be below 1% • Hardware costs consist of small on chip shuffle buffer and BAT cache
HIDE(Hardware-support for Leakage-Immune Dynamic Execution) • Basic idea is to break the correlation between repeated memory addresses • Achieved by permuting the address space at suitable intervals during execution
Hide Cache • A cache same as a normal cache except that that blocks fetched after the previous permutation are all locked • A locked block cannot be replaced until the memory space they belong to is permuted again
Other Details • When evicting a block choose the least recently used block among the unlocked blocks • A separately stored bitmap is used to record whether a block is locked or not
HIDE at Chunk Level • Chunk - one or more pages that are protected and permuted together • Designed to limit size of permutation • Large memory permutations = performance cost • At chunk level the permutationunit only permutes all the blocks within a chunk • With the smallest chunk size (a page) 75% of transition from one address to the next are intra-chunk • Chunks can be specified in the code or at runtime with instructions inserted into the header of the binary code
Page Info Cache • Stores the Page Info Record to speed up access
How Secure Is this? • With 64K chunk protection and layout optimizations, 87% of address sequence is protected, in which 95% of the accesses to code and static data are hidden • Interfaces are provided for the compiler or the user to increase the security to achieve almost complete protection
Performance/Cost Summary • The performance overhead in their experiments was at most 1.5% mainly due to permutations • Most on chip components are small
References • Xiaotong Zhuang, Tao Zhang, Hsien-Hsin Lee and Santosh Pande. Hardware Assisted Control Flow Obfuscation for Embedded Processors. CASES, Washington DC, Sept. 2004. • Zhuang, X., Zhang, T. and Pande, S. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA., Oct 2004.