Tamper Resistant Software An Implementation By David Aucsmith, IAL “This paper describes a technology for the construction of tamper resistant software.” Presented by Weimin Yang 28
Tamper Resistant Software
An Implementation
By David Aucsmith, IAL
“This paper describes a technology for the
construction of tamper resistant software.”
Presented by Weimin Yang
28 March 2001
Contents
• Overview
• Threat Model
• Design Principles
• Tamper Resistant Software Architecture
– Integrity Verification Kernel
– Interlocking Trust
Overview
• Definition: “Tamper resistant software is software which is resistant to observation and modification.”
• Approach to develop tamper resistant software:
– Classify threat model
– Develop design principles
– Implement a set of tools
Threat Model (I)
• Attack originates outside of the PC.
– Bounded by communication protocol
– Standard “hacker attack”.
– Best defended by correctly designed and implemented protocols and proper administration.
Threat Model (II)
• Attack originates as software running on the platform.
– Bounded by operating system and BIOS
– Attacks whole classes of software
– Virus or Trojan horse attack
Threat Model (III)
• The perpetrator has complete control of the platform.
– Limited by technical expertise and financial resources.
– Raise a technological bar so that the attack yields a poor return on their investment.
Technological Bars to Model (III)
a.) Use standard debuggers and system diagnostic tools
b.) Use special debuggers such as SoftICE
c.) Use processor emulators and bus logic analyzers
Design Principles
• Software that is to be tamper resistant must be immune from observation and modification; this requires that it contain a secret component and that recovery of that secret be difficult.
Integrity Verification Kernel
• “A small, armored segment of code which is designed to be included in a larger program and performs the following two functions:”
1. Verifies the integrity of code segments or programs.
2. Utilizes five defenses:
– Interleaved tasks
– Distributed secrets
– Obfuscated code
– Installation unique modifications
– Non-deterministic behavior
Installation unique modifications
• The IVK is constructed at installation time.
– Each instance of the program contains a different IVK.
– Defends against class attacks.
Interlocking Trust
• Integrity Verification Kernels
• System Integrity Program
– A program that monitors the integrity of the security components of the computer system.
– Contains an eIVK which has a known entry point
– Created at installation time
• Integrity Verification Protocol
– Used to establish a distributed trust environment.
System overview
[Diagram: Program 1 with its IVK, Program 2 with its IVK, and the Integrity Program with its IVK and eIVK, linked by steps labelled 1a, 1b, 1c and 2a, 2b, 2c.]
Conclusion
• Based on analysis of the threat model, the author invents an Integrity Verification Kernel which hides secrets both in space and time. Furthermore, using an interlocking mechanism makes the secrets more difficult to discover.
Why can installation unique modifications be used to defend against class attacks?
- An attacker may analyze a given program successfully but still cannot predict what any other instance of the program looks like.
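An added example, not from the paper or these slides, modelling the installation-unique IVK idea and the class-attack answer above: each installation gets its own key, held as two XOR shares as a stand-in for "distributed secrets", and records keyed digests of its code segments, so a bypass worked out on one fully analysed installation does not carry over to a second one. The state layout, function names and sample segment bytes are all constructed assumptions.

```python
import hmac
import hashlib
import os

# Constructed sample "code segments" standing in for protected program code.
SEGMENTS = {"entry": b"\x55\x48\x89\xe5\x48\x83\xec\x10", "check": b"\x31\xc0\xc3"}

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def install(segments, rng=os.urandom):
    """Installation-time construction of a hypothetical IVK state: a fresh
    installation-unique key kept as two XOR shares (the whole secret is never
    stored in one place) plus the keyed digest of every protected segment."""
    key, share_a = rng(32), rng(32)
    expected = {n: hmac.new(key, c, hashlib.sha256).digest() for n, c in segments.items()}
    return {"share_a": share_a, "share_b": xor_bytes(key, share_a), "expected": expected}

def verify(ivk, segments):
    """IVK function 1: recheck every segment; return the names that fail."""
    key = xor_bytes(ivk["share_a"], ivk["share_b"])  # reassembled only transiently
    failed = []
    for name, digest in ivk["expected"].items():
        actual = hmac.new(key, segments.get(name, b""), hashlib.sha256).digest()
        if not hmac.compare_digest(actual, digest):
            failed.append(name)
    return failed

def build_patch_kit(ivk, name, new_code):
    """Model the class-attack premise: ONE installation has been fully analysed
    (its key is known), so a patched segment and a matching digest that this
    installation's verifier accepts can be prepared."""
    key = xor_bytes(ivk["share_a"], ivk["share_b"])
    return {"name": name, "code": new_code,
            "digest": hmac.new(key, new_code, hashlib.sha256).digest()}

def apply_patch_kit(ivk, segments, kit):
    """Apply the kit to some installation; returns (patched_ivk, patched_segments)."""
    p_ivk = {**ivk, "expected": {**ivk["expected"], kit["name"]: kit["digest"]}}
    p_seg = {**segments, kit["name"]: kit["code"]}
    return p_ivk, p_seg

def demo():
    a, b = install(SEGMENTS), install(SEGMENTS)  # two installations of one program
    kit = build_patch_kit(a, "check", b"\x90\x90\xc3")
    ok_on_a = verify(*apply_patch_kit(a, SEGMENTS, kit)) == []
    ok_on_b = verify(*apply_patch_kit(b, SEGMENTS, kit)) == []
    return ok_on_a, ok_on_b  # (True, False): the kit does not transfer

if __name__ == "__main__":
    print(demo())
```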