hardware assisted control flow obfuscation for embedded processors
Hardware Assisted Control Flow Obfuscation for Embedded Processors
Xiaotong Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande
HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus
Xiaotong Zhuang, Tao Zhang, Santosh Pande
Overview
• Software Obfuscation
  • Obfuscate - v - render obscure, unclear, or unintelligible - bewilder (someone)
• Information Leakage
  • Layout leakage
  • Recurrence leakage
• Hardware Obfuscation Techniques
Assumptions
• XOM model
• Everything outside the processor chip is assumed to be insecure
• Memory contents are encrypted
Software Obfuscation (and why it doesn’t work)
• Lacks a theoretical foundation
• It has been proven that perfect obfuscation does not exist
• May incur large overheads in code size
• Performance may be penalized due to carrying out extra computations
• History has proven it inefficient
How is Software Obfuscation Vulnerable to Attack?
• Layout Leakage
  • Spatial vicinity
• Recurrence Leakage
  • Recurring addresses
Layout Leakage
[Figure: diagram of addresses 100, 101, 102, 103, 104]
Recurrence Leakage
[Figure: diagram of addresses 100, 101, 102, 103, 104]
So What? It’s just Control Flow.
• Control flow info is the essential part of algorithms
• Competing company ex.
• Can help identify reused code
• Control obfuscation techniques are well known and can be reversed
Hardware Obfuscation Overview (paper 1)
• Encrypt the Address Bus (layout leakage)
• Relocate blocks every time they are written out to memory (recurrence leakage)
Address Bus Encryption
Equates to a fixed mapping
Shuffle Buffer
• Designed to reorder all writes to memory
• Exclusive to external memory
Shuffle Buffer
• Indexed array through the block address table
• No address tag
• Smaller size / cheaper
• Blocks can be stored anywhere
• Blocks can be randomly replaced (circuit white noise)
• Assuming the program binary is updatable, multi-run recurrence is prevented
Block Address Table (BAT) & Cache
• Records the current location of blocks
• Use the original block address to index into the BAT to get the new address
• Worst-case scenario: 10% overhead in virtual memory space
• Each access request from the cache checks with the BAT; a BAT cache is used to speed things up
How Secure Is This?
• With a shuffle buffer of 128 blocks, there is a 0.8% chance of guessing one recurrence correctly
• For n-recurrences the chance of guessing all correctly is 1/(M^n) where M is the size of the shuffle buffer
Performance/Cost Summary
• Performance degradation can be below 1%
• Hardware costs consist of a small on-chip shuffle buffer and BAT cache
HIDE (Hardware-support for Leakage-Immune Dynamic Execution)
• Basic idea is to break the correlation between repeated memory addresses
• Achieved by permuting the address space at suitable intervals during execution
HIDE Cache
• The same as a normal cache, except that blocks fetched after the previous permutation are all locked
• A locked block cannot be replaced until the memory space it belongs to is permuted again
How the HIDE Cache Works
Other Details
• When evicting a block choose the least recently used block among the unlocked blocks
• A separately stored bitmap is used to record whether a block is locked or not
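The locking and eviction rules from the HIDE Cache and Other Details slides, as a small simulation added here (not code from the papers or the slides). It compares the bus addresses produced by a normal LRU cache and a HIDE-style cache on a constructed loop trace. The single whole-memory chunk, the "permute when every line is locked" trigger, the read-only trace and all names are assumptions made for illustration.

```python
import random
from collections import OrderedDict

class HideCache:
    """Toy fully associative LRU cache; hide=True adds HIDE-style locking."""

    def __init__(self, lines, mem_blocks, hide=True, seed=0):
        self.lines, self.hide = lines, hide
        self.rng = random.Random(seed)          # stand-in for the permutation unit
        self.mapping = list(range(mem_blocks))  # logical block -> physical block
        self.cache = OrderedDict()              # logical blocks in LRU order
        self.locked = set()                     # lock bitmap: fetched since last permutation
        self.epoch = 0                          # number of permutations so far
        self.bus = []                           # (epoch, physical address) seen off-chip

    def permute(self):
        # Only the mapping is modelled; real hardware also moves the blocks.
        self.rng.shuffle(self.mapping)
        self.locked.clear()                     # every cached block is replaceable again
        self.epoch += 1

    def access(self, block):
        if block in self.cache:                 # hit: nothing appears on the bus
            self.cache.move_to_end(block)
            return
        if len(self.cache) >= self.lines:
            # Evict the least recently used block among the unlocked ones.
            victim = next((b for b in self.cache if b not in self.locked), None)
            if victim is None:                  # assumption: all locked -> permute first
                self.permute()
                victim = next(iter(self.cache))
            del self.cache[victim]
        self.bus.append((self.epoch, self.mapping[block]))
        self.cache[block] = None
        if self.hide:
            self.locked.add(block)

def bus_trace(trace, hide, lines=4, mem_blocks=16):
    cache = HideCache(lines, mem_blocks, hide=hide)
    for block in trace:
        cache.access(block)
    return cache.bus

def repeated_fetches(bus):
    """Bus reads that repeat an address already seen since the last permutation."""
    return len(bus) - len(set(bus))

LOOP = [0, 1, 2, 3, 4, 5] * 10                  # constructed trace: a 6-block loop
if __name__ == "__main__":
    print("normal cache:", repeated_fetches(bus_trace(LOOP, hide=False)))
    print("HIDE cache:  ", repeated_fetches(bus_trace(LOOP, hide=True)))
```

With the normal cache the loop shows up on the bus as the same six addresses over and over; with locking, no address is fetched twice between two permutations, so a bus observer cannot link recurrences.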
Hardware Flowgraph
HIDE at Chunk Level
• Chunk - one or more pages that are protected and permuted together
• Designed to limit the size of a permutation
  • Large memory permutations = performance cost
• At chunk level, the permutation unit only permutes the blocks within a chunk
• With the smallest chunk size (a page), 75% of transitions from one address to the next are intra-chunk
• Chunks can be specified in the code or at runtime with instructions inserted into the header of the binary code
Page Info Cache
• Stores the Page Info Record to speed up access
How Secure Is This?
• With 64K chunk protection and layout optimizations, 87% of the address sequence is protected, within which 95% of the accesses to code and static data are hidden
• Interfaces are provided for the compiler or the user to increase the security to achieve almost complete protection
Performance/Cost Summary
• The performance overhead in their experiments was at most 1.5% mainly due to permutations
• Most on-chip components are small
References
• Xiaotong Zhuang, Tao Zhang, Hsien-Hsin Lee and Santosh Pande. Hardware Assisted Control Flow Obfuscation for Embedded Processors. CASES, Washington DC, Sept. 2004.
• Xiaotong Zhuang, Tao Zhang and Santosh Pande. HIDE: An Infrastructure for Efficiently Protecting Information Leakage on the Address Bus. International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA, Oct. 2004.