1 architectural support for copy and tamper- resistant software david lie computer systems...
TRANSCRIPT
![Page 1: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/1.jpg)
1
Architectural Support for Copy and Tamper-Resistant Software
David Lie
Computer Systems LaboratoryStanford University
![Page 2: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/2.jpg)
2
Resistance is not Futile
• Tamper-Resistant software can be used to– Prevent Software Piracy– Protect Intellectual Property– Prevent tampering by Viruses, Hackers– Can ensure that program performs certain actions
• Other initiatives starting:– Trusted Computing Platform Alliance (TCPA)– Microsoft Next-Generation Secure Computing Base
(Palladium)– Intel LaGrande
![Page 3: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/3.jpg)
3
Why Tamper-Resistance?
• Example: Electronic Online Voting
VotingClient
VotingClient
Operating System
VoteCounter
Internet User
Operating System
No!
No!
VotingClient
Yes!
![Page 4: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/4.jpg)
4
XOM
• Our solution: eXecute Only Memory or “XOM”– Programs in this memory can only be executed, they cannot
be read or modified– Program authentication– Hide secrets in the program
• XOM combines cryptographic and architectural techniques– Access Control tags are fast but not necessarily secure
• Only used on the trusted hardware of the processor
– Cryptography is slow but offers more guarantees• Used to protect data that has to be stored off the processor
• XOM defends against attacks on memory
![Page 5: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/5.jpg)
5
Compartments
• Compartments control access to data– Prevent adversary from reading data or code– Prevent adversary from modifying data or code
• Compartments provide a way of thinking about how data is handled
Program
XOM Compartment
![Page 6: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/6.jpg)
6
Where to Implement Compartments
• User Level security is hard– Relies on software obfuscation– Barak et. al. CRYPTO 2001
• Operating system can’t be trusted– OS can be open source– OS can be hacked or hijacked
• Hardware has some good security properties– Hardware is hard to observe– Hardware is difficult to alter
HardwareRegisters, Caches, Memory
Operating SystemKernel, Shared Libraries
ApplicationUser Code
![Page 7: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/7.jpg)
7
How to Implement Compartments
• Each compartment has a XOM ID– Programs are assigned a XOM ID, which indicates what
compartment they are in– Data from their operations is tagged with their XOM ID– On-chip storage for data and tags is immutable
• Off-chip storage, memory and disk are insecure– Cannot by protected by tags– Cryptographic ciphers and hashes are used
![Page 8: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/8.jpg)
8
Crypto Review
• Symmetric Ciphers (Rijndael, 3DES)– Single key used for encryption and decryption– Pretty fast when implemented in hardware
• How do we securely distribute the keys?
Secret Key
Plain TextCipher TextPlain Text
Secret Key
Sender (Alice)Receiver (Bob)
![Page 9: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/9.jpg)
9
Crypto Review
• Asymmetric Ciphers or public-key ciphers (RSA, El Gamal)– Pairs of keys– Public key and is used to encrypt data– Private key and is used to decrypt data
• Public-key ciphers are very slow– Typically use hybrid systems with both ciphers together
Private Key Public Key
Plain TextCipher TextPlain Text
Sender (Alice)Receiver (Bob)
![Page 10: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/10.jpg)
10
Outline
1. Introduction
2. XOM Hardware
i. Distributing and Loading Code
ii. Executing Code
iii. Supporting Memory
iv. Hardware Simulator
3. Operating System Support
4. Attack Models
5. Conclusion
![Page 11: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/11.jpg)
11
Computer Hardware
L2 Cache
L1 Instruction
Cache
L1 Data Cache
Register File
Data PathFetch and
Decode
Key Table
Private Key
Bus to Memory
![Page 12: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/12.jpg)
12
Software Distribution Method
Distributor Customer
Randomly Selected
Symmetric Key
ProgramCode
Customer wishes to purchase software
Customer sends public key
EncryptedCode
Customer receives encrypted code with
encrypted key
Symmetric key is
encrypted with public
key
EncryptedCode
Encrypt Program
![Page 13: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/13.jpg)
13
Loading Secure Code
Encrypted Symmetric
Key
EncryptedCode
ExecutableCode
Symmetric Decryption
Module
Secure Execution
EngineSecure XOM Machine
Insecure Main Memory
Decrypted Symmetric
Key
(Compartment Key)
Private Key
XOM Key Table
Asymmetric Decryption
Module
![Page 14: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/14.jpg)
14
Supporting Execution
L2 Cache
L1 Instruction
Cache
L1 Data Cache
Register File
Data PathFetch and
Decode
Key Table
Private Key
XOM Tags
Bus to Memory
![Page 15: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/15.jpg)
15
Secure Execution Engine
Secure XOM Machine
Compartments
Ownership Tags
Program 2
Tag 2Data
Register 2
???Data
Register 3
Program 1
Tag 1Data
Register 1
Tag 2Data
Register 3
Tag 1Data
Register 3
Program 1
Tag 1Data
Register 1
!
![Page 16: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/16.jpg)
16
How to Share Data
• Compartments are too restrictive, programs cannot share data
• Have a special compartment with a XOM ID of zero called the “null” compartment– Data in this compartment is not protected by any mechanism
• Special instructions provided for owners to move data to and from null compartment– Only owner can move to and from null compartment
![Page 17: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/17.jpg)
17
Supporting Memory
L2 Cache
L1 Instruction
Cache
L1 Data Cache
Register File
Data PathFetch and
Decode
Key Table
Private Key
XOM Tags
XOM Tags
XOM Tags
XOM Tags
Crypto UnitsPlain Text in Processor
Encrypted Text in Memory
![Page 18: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/18.jpg)
18
Supporting Memory
• secure store instruction
Data Tag
Registers Caches Memory
Data Tag
Secure Store: Tag is copied from register
to cache
Writeback: Look up Tag, Encrypt and
Hash
Data
XOM Key Table
![Page 19: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/19.jpg)
19
Supporting Memory
• secure load instruction
Registers Caches Memory
Data Tag Data Tag
Secure Load: Load data and tag
from cache
Data
Memory Fetch: Look up currently XOM ID, Decrypt and verify Hash
Currently executing XOM IDXOM Key Table
Set Tag in cache
![Page 20: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/20.jpg)
20
Protection Granularity
• Caching reduces the number of cryptographic operations• The granularity of each message is increased
• The granularity of ownership is increased– Need to add per word valid bits– Clear all valid bits when tag changes
TagWord Word Word Word Word
Program 1 Program 2
Tag
![Page 21: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/21.jpg)
21
XOM Hardware Simulator
• The SimOS Simulator:– Simulates hardware in enough detail to boot an unmodified
operating system– Performance modeling processor, caches, memory and disk
• Processor Model: MIPS processor– Private Key and Key Table– Ciphers and hashes on memory bus– Tags in registers and caches – Additional instructions
• Enter/Exit XOM
• Move to/from NULL
• Secure Load/Store
![Page 22: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/22.jpg)
22
Outline
1. Introduction
2. XOM Hardware
3. Operating System Support
i. OS Issues
ii. OS Modifications
iii. Overheads
4. Attack Models
5. Conclusion
![Page 23: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/23.jpg)
23
Operating System Issue
• Traditional operating systems perform both resource management and protection for applications– Since XOM does not trust OS, protection is done in
hardware– However, OS still has to manage resources– Must be able to store interrupted state and restore it later
• Compartments do not allow other programs to read data
• Solution is to encrypt data before allowing the Operating System to handle it
![Page 24: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/24.jpg)
24
Supporting Interrupts
• save register instruction
Data Data To Insecure Main MemoryTag
Currently executing XOM ID
Look up program
key based on Tag
Encrypt Data
XOM Key Table
![Page 25: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/25.jpg)
25
Supporting Interrupts
• register restore instruction
Data Data From Insecure Main MemoryTag
Currently executing XOM ID
Decrypt Data
XOM Key Table
Operating System
indicates which XOM
ID to use
Target register tag
is set to XOM ID
![Page 26: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/26.jpg)
26
Operating System Support
• Modify the IRIX 6.5 Operating System to run on XOM processor– IRIX 6.5 is the most current operating system from SGI– Deployed on MIPS based SGI computers– Boot and run modified IRIX6.5 on our XOM simulator
• Main areas that need modification:– Need support for XOM key table
• Loading/unloading, management
– Resource management of secure data • Traps, Virtual Memory
– Compatibility with original system• Fork, Signal Handling, Dynamic Linking
![Page 27: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/27.jpg)
27
Operating System Overhead
• Slow down due to operating system overhead due to extra instructions and cache pollution:– Costs largely due additional cache misses, a result of larger
code and data footprint larger registers– Avoid doing these instructions whenever you can, check for
XOM compartment
Total Cycles Cache Misses
IRIX XOM OV IRIX XOM OV
System Call 9K 11K 18% 4.7 5.2 10%
Signal Handling 65K 99K 53% 26 34 31%
Fork 702K 784K 12% 334 354 6%
![Page 28: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/28.jpg)
28
Application Overhead
• Application overhead due to:– Memory latency due to cryptography– Cache behavior
• Results are depend on application:– These applications did not miss heavily in the cache– Additional memory latency adds small overhead
Execution Overhead
Instruction Overhead
MPG Decode 3.0% 0.0004%
RSA 3.0% 0.0004%
![Page 29: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/29.jpg)
29
Outline
1. Introduction
2. XOM Hardware
3. Operating System Support
4. Attack Models
I. Formal Verification
II. Spoofing Attacks
III. Splicing Attacks
IV. Replay Attacks
5. Conclusion
![Page 30: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/30.jpg)
30
Model Checking
• Model Checker exhaustively explores the state space of the model, checking that every state satisfies invariants
• The state space must be kept small– Model is an abstraction of the real system– Model checkers cannot prove correctness, but are very
useful in finding errors
• Use model checker to verify that given a malicious operating system, program code and data is safe from tampering and observation
![Page 31: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/31.jpg)
31
Invariant 1
1. Program data cannot be read by adversary• XOM machine performs tag check on every access• Make sure that owner of data always matches the tag
Adversary Data Adversary Tag
Program Data Program Tag
![Page 32: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/32.jpg)
32
Invariant 2
2. Adversary cannot modify the program without detection• Need a “pristine” model to compare XOM model against• Define a second, simpler model that adversary cannot
affect• Make sure the state of the model is consistent with the state
of the “pristine” model
Adversary
Program
XOM Model
Pristine Model=
![Page 33: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/33.jpg)
33
Spoofing Attacks
• Tags are able to catch spoofed attacks because tag ID changes• Encryption alone is not sufficient for memory• Spoofing attack:
– Adversary tries to substitute fake cipher text to alter behavior
Data Data
Adversary swaps data
Data False Data
Encrypt and store to memory
Junk
Decrypts to Junk but alters program
behavior
![Page 34: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/34.jpg)
34
Spoofing Prevention
• Solution is to add an integrity hash to the encryption– Adversary has to reverse encryption to fake the hash
• For this reason, encrypted data is larger than unencrypted data
Data Data
Adversary swaps data
False Data
Encrypt and store to memory with added hash
Hash does not match data so exception is
thrown
!
![Page 35: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/35.jpg)
35
• Splicing attack:– Adversary copies valid cipher text from another location replacing
one value with another
• Position dependent hash prevents this– For secure load/store, values must be from the same virtual
address– For secure restore/save values must be from the same register
number
Splicing Attacks
Data 1
Data 2
Data 1
Data 2
Encryption and storage into
memory
Data 1 Data 1
Decryption from memory, Data 2 has been replaced
with Data 1
Address 1
Address 2
![Page 36: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/36.jpg)
36
• Replay Attack– Adversary records previous valid values and reuses them– The OS records register values and replays them
• Key Table uses a register key (different from the compartment key)• Old register key is revoked every time OS interrupts process• Similarly, we can protect memory from replay attacks by keeping a
hash in a register
Register Replay Attacks
Data 1
Data 2
Data 1
Data 2
OS Saves Registers
Data 1 Data 1
Restore old register value
Time 1
Time 2
(Same Register)
Data 1 Data 1
![Page 37: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/37.jpg)
37
What XOM Cannot Prevent
• XOM does not prevent denial of service– The Operating System controls resource management– So it can always prevent applications from running by
denying resources
• XOM does not prevent frequency analysis of data– Attacker can observe cipher texts in memory
• XOM does not prevent adversary from getting an address trace– OS can use the TLB to get a trace– Application can stop this (Ostrovsky, Oblivious RAM)
• Other attacks are shown to be prevented with formal verification (model checker)
![Page 38: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/38.jpg)
38
Verification Result
• Show that a malicious operating system can’t tamper with software
• Show that all actions in the XOM processor are required:– Removing any actions allows the adversary to break the
model
• Show that a properly working operating system can guarantee forward progress:– By restraining the OS, show that XOM exceptions are never
triggered
![Page 39: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/39.jpg)
39
Conclusions
• The XOM model is a working system that separates protection from resource management
– Data protection and access control is in hardware
– Resource management is in Operating System
– Complete working system
– OS semantics are preserved
• Implementation requires
– Required hardware is a secret private key and storage for key table
– Modifications to the operating system, mainly in areas that deal with program data
• Performance impact can be made pretty small with hardware assist
![Page 40: 1 Architectural Support for Copy and Tamper- Resistant Software David Lie Computer Systems Laboratory Stanford University](https://reader036.vdocument.in/reader036/viewer/2022062421/56649ca55503460f94965e14/html5/thumbnails/40.jpg)
40
Future Work
• More detailed analysis of applications:– XOM doesn’t stop programmers from writing security bugs
into their programs– How do applications mitigate XOM OS and Hardware
overhead
• Implementation alternatives– Virtual machine authenticated with secure boot– Use a secure coprocessor
• Alternative applications– Intrusion detection and monitoring– Strong forms of isolation for services