1 / 25

Hardware Assisted Control Flow Obfuscation for Embedded Processors

Hardware Assisted Control Flow Obfuscation for Embedded Processors. Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. Xiaoton Zhuang, Tao Zhang, Santosh Pande. Overview. Software Obfuscation

brandi
Download Presentation

Hardware Assisted Control Flow Obfuscation for Embedded Processors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus Xiaoton Zhuang, Tao Zhang, Santosh Pande

  2. Overview • Software Obfuscation • Obfuscate - v - render obscure, unclear, or unintelligible - bewilder (someone) • Information Leakage • Layout leakage • Recurrence leakage • Hardware Obfuscation Techniques

  3. Assumptions • XOM model • Everything outside the processor chip is assumed to be insecure • Memory contents are encrypted

  4. Software Obfuscation(and why it doesn’t work) • Lacks of theoretical foundation • It has been proven the perfect obfuscation does not exist • May incur large overheads in code size • Performance may be penalized due to carrying out extra computations • History has proven it inefficient

  5. How is Software Obfuscation Vulnerable to Attack ? • Layout Leakage • Spatial vicinity • Recurrence Leakage • Recurring addresses

  6. Layout Leakage 100 101 102 103 104

  7. Recurrence Leakage 100 101 102 103 104

  8. So What? It’s just Control Flow. • Control flow info is the essential part of algorithms • Competing company ex. • Can help identify reuse code • Control obfuscation techniques are well known and can be reversed

  9. Hardware Obfuscation Overview (paper 1) • Encrypt the Address Bus (layout leakage) • Relocate blocks every time they are written out to memory (recurrence leakage)

  10. Address Bus Encryption Equates to a fixed mapping

  11. Shuffle Buffer • Designed to reorder all writes to memory • Exclusive to external memory

  12. Shuffle Buffer • Indexed array through the block address table • No address tag • Smaller size / cheaper • Blocks can be stored anywhere • Blocks can be randomly replaced (circuit white noise) • Assume program binary updatable then multi-run recurrence prevented

  13. Block Address Table (BAT) & Cache • Records the current location of blocks • Use original block address to index into BAT to get new address • Worst case scenario 10% overhead in virtual memory space • Each access request from cache checks with BAT use BAT cache to speed things up

  14. How Secure Is This? • With a shuffle buffer of 128 blocks 0.8% chance of guessing one recurrence correctly • For n-recurrences the chance of guessing all correctly is 1/(M^n) where M is the size of the shuffle buffer

  15. Performance/Cost Summary • Performance degradation can be below 1% • Hardware costs consist of small on chip shuffle buffer and BAT cache

  16. HIDE(Hardware-support for Leakage-Immune Dynamic Execution) • Basic idea is to break the correlation between repeated memory addresses • Achieved by permuting the address space at suitable intervals during execution

  17. Hide Cache • A cache same as a normal cache except that that blocks fetched after the previous permutation are all locked • A locked block cannot be replaced until the memory space they belong to is permuted again

  18. How The Hide Cache Works

  19. Other Details • When evicting a block choose the least recently used block among the unlocked blocks • A separately stored bitmap is used to record whether a block is locked or not

  20. Hardware Flowgraph

  21. HIDE at Chunk Level • Chunk - one or more pages that are protected and permuted together • Designed to limit size of permutation • Large memory permutations = performance cost • At chunk level the permutationunit only permutes all the blocks within a chunk • With the smallest chunk size (a page) 75% of transition from one address to the next are intra-chunk • Chunks can be specified in the code or at runtime with instructions inserted into the header of the binary code

  22. Page Info Cache • Stores the Page Info Record to speed up access

  23. How Secure Is this? • With 64K chunk protection and layout optimizations, 87% of address sequence is protected, in which 95% of the accesses to code and static data are hidden • Interfaces are provided for the compiler or the user to increase the security to achieve almost complete protection

  24. Performance/Cost Summary • The performance overhead in their experiments was at most 1.5% mainly due to permutations • Most on chip components are small

  25. References • Xiaotong Zhuang, Tao Zhang, Hsien-Hsin Lee and Santosh Pande. Hardware Assisted Control Flow Obfuscation for Embedded Processors. CASES, Washington DC, Sept. 2004. • Zhuang, X., Zhang, T. and Pande, S. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA., Oct 2004.

More Related